Configuring the SR-IOV Network Operator

    The SR-IOV Network Operator adds the CustomResourceDefinition resource. The Operator automatically creates a SriovOperatorConfig custom resource (CR) named default in the openshift-sriov-network-operator namespace.

    The default CR contains the SR-IOV Network Operator configuration for your cluster. To change the Operator configuration, you must modify this CR.

    The fields for the sriovoperatorconfig custom resource are described in the following table:

    Table 1. SR-IOV Network Operator config custom resource
    | Field | Type | Description |
    | --- | --- | --- |
    | metadata.name | string | Specifies the name of the SR-IOV Network Operator instance. The default value is default. Do not set a different value. |
    | metadata.namespace | string | Specifies the namespace of the SR-IOV Network Operator instance. The default value is openshift-sriov-network-operator. Do not set a different value. |
    | spec.configDaemonNodeSelector | string | Specifies the node selection to control scheduling the SR-IOV Network Config Daemon on selected nodes. By default, this field is not set and the Operator deploys the SR-IOV Network Config daemon set on worker nodes. |
    | spec.disableDrain | boolean | Specifies whether to disable the node draining process or enable the node draining process when you apply a new policy to configure the NIC on a node. Setting this field to true facilitates software development and installing OKD on a single node. By default, this field is not set. For single-node clusters, set this field to true after installing the Operator. This field must remain set to true. |
    | spec.enableInjector | boolean | Specifies whether to enable or disable the Network Resources Injector daemon set. By default, this field is set to true. |
    | spec.enableOperatorWebhook | boolean | Specifies whether to enable or disable the Operator Admission Controller webhook daemon set. By default, this field is set to true. |
    | spec.logLevel | integer | Specifies the log verbosity level of the Operator. Set to 0 to show only the basic logs. Set to 2 to show all the available logs. By default, this field is set to 2. |

    About the Network Resources Injector

    The Network Resources Injector is a Kubernetes Dynamic Admission Controller application. It provides the following capabilities:

    • Mutation of a pod specification with a Downward API volume to expose pod annotations, labels, and huge pages requests and limits. Containers that run in the pod can access the exposed information as files under the /etc/podnetinfo path.

    By default, the Network Resources Injector is enabled by the SR-IOV Network Operator and runs as a daemon set on all control plane nodes. The following is an example of Network Resources Injector pods running in a cluster with three control plane nodes:

    Example output

    NAME                               READY   STATUS    RESTARTS   AGE
    network-resources-injector-5cz5p   1/1     Running   0          10m
    network-resources-injector-dwqpx   1/1     Running   0          10m
    network-resources-injector-lktz5   1/1     Running   0          10m

    About the SR-IOV Network Operator admission controller webhook

    The SR-IOV Network Operator Admission Controller webhook is a Kubernetes Dynamic Admission Controller application. It provides the following capabilities:

    • Validation of the SriovNetworkNodePolicy CR when it is created or updated.

    • Mutation of the SriovNetworkNodePolicy CR by setting the default value for the priority and deviceType fields when the CR is created or updated.

    By default, the SR-IOV Network Operator Admission Controller webhook is enabled by the Operator and runs as a daemon set on all control plane nodes.

    The following is an example of the Operator Admission Controller webhook pods running in a cluster with three control plane nodes:

    $ oc get pods -n openshift-sriov-network-operator

    Example output

    NAME                     READY   STATUS    RESTARTS   AGE
    operator-webhook-9jkw6   1/1     Running   0          16m
    operator-webhook-kbr5p   1/1     Running   0          16m

    The SR-IOV Network Config daemon discovers and configures the SR-IOV network devices on cluster nodes. By default, it is deployed to all the worker nodes in the cluster. You can use node labels to specify on which nodes the SR-IOV Network Config daemon runs.

    Disabling or enabling the Network Resources Injector

    To disable or enable the Network Resources Injector, which is enabled by default, complete the following procedure.

    Prerequisites

    • Install the OpenShift CLI (oc).

    • Log in as a user with cluster-admin privileges.

    • You must have installed the SR-IOV Network Operator.

    Procedure

    • Set the enableInjector field. Replace <value> with false to disable the feature or true to enable the feature.

      $ oc patch sriovoperatorconfig default \
        --type=merge -n openshift-sriov-network-operator \
        --patch '{ "spec": { "enableInjector": <value> } }'

      You can alternatively apply the following YAML to update the Operator:

    Disabling or enabling the SR-IOV Network Operator admission controller webhook

    To disable or enable the admission controller webhook, which is enabled by default, complete the following procedure.

    Prerequisites

    • Install the OpenShift CLI (oc).

    • Log in as a user with cluster-admin privileges.

    • You must have installed the SR-IOV Network Operator.

    Procedure

    The SR-IOV Network Config daemon discovers and configures the SR-IOV network devices on cluster nodes. By default, it is deployed to all the worker nodes in the cluster. You can use node labels to specify on which nodes the SR-IOV Network Config daemon runs.

    When you update the configDaemonNodeSelector field, the SR-IOV Network Config daemon is recreated on each selected node. While the daemon is recreated, cluster users are unable to apply any new SR-IOV Network node policy or create new SR-IOV pods.

    Procedure

    • To update the node selector for the operator, enter the following command:

      $ oc patch sriovoperatorconfig default --type=json \
        -n openshift-sriov-network-operator \
        --patch '[{
            "op": "replace",
            "path": "/spec/configDaemonNodeSelector",
            "value": {<node_label>}
          }]'

      Replace <node_label> with a label to apply as in the following example: "node-role.kubernetes.io/worker": "".

    Configuring the SR-IOV Network Operator for single node installations

    By default, the SR-IOV Network Operator drains workloads from a node before every policy change. The Operator performs this action to ensure that there are no workloads using the virtual functions before the reconfiguration.

    For installations on a single node, there are no other nodes to receive the workloads. As a result, the Operator must be configured not to drain the workloads from the single node.

    After performing the following procedure to disable draining workloads, you must remove any workload that uses an SR-IOV network interface before you change any SR-IOV network node policy.

    Prerequisites

    • Install the OpenShift CLI (oc).

    • Log in as a user with cluster-admin privileges.

    • You must have installed the SR-IOV Network Operator.

    Procedure

    • To set the disableDrain field to true, enter the following command:

      You can alternatively apply the following YAML to update the Operator:

      apiVersion: sriovnetwork.openshift.io/v1
      kind: SriovOperatorConfig
      metadata:
        name: default
        namespace: openshift-sriov-network-operator
      spec:
        disableDrain: true
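
    The following audit of a SriovOperatorConfig object is an added example, not part of the OKD documentation or the Operator's code. It checks the fields described in Table 1 and flags settings that switch off the admission controllers or node draining; the function name, the single_node flag, and the sample CR are assumptions constructed for illustration.

```python
import json

EXPECTED_NAME = "default"
EXPECTED_NAMESPACE = "openshift-sriov-network-operator"

# Constructed sample (not from a real cluster), shaped like the output of
# `oc get sriovoperatorconfig default -n openshift-sriov-network-operator -o json`.
SAMPLE_CR = json.loads("""
{
  "apiVersion": "sriovnetwork.openshift.io/v1",
  "kind": "SriovOperatorConfig",
  "metadata": {"name": "default", "namespace": "openshift-sriov-network-operator"},
  "spec": {"enableInjector": true, "enableOperatorWebhook": false,
           "disableDrain": true, "logLevel": 2}
}
""")


def audit_operator_config(cr, single_node=False):
    """Return a list of findings for one SriovOperatorConfig object (hypothetical helper)."""
    findings = []
    meta, spec = cr.get("metadata", {}), cr.get("spec", {})
    if meta.get("name") != EXPECTED_NAME:
        findings.append("metadata.name is not 'default'")
    if meta.get("namespace") != EXPECTED_NAMESPACE:
        findings.append("metadata.namespace is not the Operator namespace")
    # Both admission controllers default to true; only an explicit false disables them.
    if spec.get("enableOperatorWebhook", True) is False:
        findings.append("enableOperatorWebhook=false: SriovNetworkNodePolicy CRs "
                        "are no longer validated or defaulted on create/update")
    if spec.get("enableInjector", True) is False:
        findings.append("enableInjector=false: pods are not mutated by the "
                        "Network Resources Injector")
    drain_disabled = spec.get("disableDrain", False) is True
    if single_node and not drain_disabled:
        findings.append("disableDrain must be true on a single-node cluster")
    if not single_node and drain_disabled:
        findings.append("disableDrain=true: nodes are not drained before a policy "
                        "change; remove SR-IOV workloads manually first")
    level = spec.get("logLevel", 2)
    if type(level) is not int or not 0 <= level <= 2:
        findings.append(f"logLevel {level!r} is outside the 0 to 2 levels in Table 1")
    return findings


if __name__ == "__main__":
    for finding in audit_operator_config(SAMPLE_CR):
        print("FINDING:", finding)
```

    To audit a live cluster, load the JSON printed by the oc get command named in the comment in place of SAMPLE_CR.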

    Deploying the SR-IOV Operator for hosted control planes

    After you configure and deploy your hosting service cluster, you can create a subscription to the SR-IOV Operator on a hosted cluster. The SR-IOV pod runs on worker machines rather than the control plane.

    Prerequisites

    You have configured and deployed the hosted cluster.

    Procedure

    1. Create a namespace and an Operator group:

      apiVersion: v1
      kind: Namespace
      metadata:
        name: openshift-sriov-network-operator
      ---
      apiVersion: operators.coreos.com/v1
      kind: OperatorGroup
      metadata:
        name: sriov-network-operators
        namespace: openshift-sriov-network-operator
      spec:
        targetNamespaces:
        - openshift-sriov-network-operator
    2. Create a subscription to the SR-IOV Operator:

      apiVersion: operators.coreos.com/v1alpha1
      kind: Subscription
      metadata:
        name: sriov-network-operator-subsription
        namespace: openshift-sriov-network-operator
      spec:
        channel: "4.13"
        name: sriov-network-operator
        config:
          nodeSelector:
            node-role.kubernetes.io/worker: ""
        source: redhat-operators
        sourceNamespace: openshift-marketplace

    Verification

    1. To verify that the SR-IOV Operator is ready, run the following command and view the resulting output:

      $ oc get csv -n openshift-sriov-network-operator

      Example output

    2. To verify that the SR-IOV pods are deployed, run the following command:

    Next steps