• Strategic Product Work
    • OCPSTRAT-1247: OpenShift Networking Universal Connectivity
    • Red Hat OpenShift Networking

      Feature Overview (aka. Goal Summary)  

      A Developer Preview of BGP as a routing protocol in OVN-Kubernetes, providing pod and VM addressability for User Defined Networks (Segmentation) via common data center networking, and removing the need to negotiate NAT at the cluster's edge.

      Goals (aka. expected user outcomes)

      OVN-Kubernetes currently has no native routing protocol integration, and relies on a Geneve overlay for east/west traffic, as well as third-party operators to handle external network integration into the cluster. The purpose of this Developer Preview enhancement is to introduce BGP as a supported routing protocol with OVN-Kubernetes. The extent of this support will allow OVN-Kubernetes to integrate into different BGP user environments, enabling it to dynamically expose cluster-scoped network entities into a provider’s network, as well as program BGP-learned routes from the provider’s network into OVN. In a follow-on release, this enhancement will provide support for EVPN, a common data center networking technology that relies on BGP.

      Requirements (aka. Acceptance Criteria):

      • Provide a user-facing API to allow configuration of iBGP or eBGP peers, along with typical BGP configuration options, including communities, route targets, vpnv4/v6, etc. (see the API sketch after the deployment table below)
      • Support for advertising Egress IP addresses
      • Enable BFD to BGP peers
      • Support EVPN configuration and integration with a user’s DC fabric, along with MAC-VRFs and IP-VRFs
      • ECMP routing support within OVN for BGP learned routes
         
      Anyone reviewing this Feature needs to know which deployment configurations the Feature will apply to (or not) once it's been completed. Describe specific needs (or indicate N/A) for each of the following deployment scenarios. For specific configurations that are out of scope for a given release, provide the OCPSTRAT (for the future-supported configuration) as well.

      Deployment considerations (list applicable specific needs; N/A = not applicable):
      • Self-managed, managed, or both
      • Classic (standalone cluster)
      • Hosted control planes
      • Multi node, Compact (three node), or Single node (SNO), or all
      • Connected / Restricted Network
      • Architectures, e.g. x86_64, ARM (aarch64), IBM Power (ppc64le), and IBM Z (s390x)
      • Operator compatibility
      • Backport needed (list applicable versions)
      • UI need (e.g. OpenShift Console, dynamic plugin, OCM)
      • Other (please specify)
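
      As an illustration of the first requirement above, here is a minimal, hypothetical Go sketch of the knobs a user-facing BGP peering resource could carry (peer addressing, iBGP/eBGP ASNs, address families, communities, route targets, BFD). Every type and field name below is an assumption for illustration, not the final OVN-Kubernetes API.

        // Hypothetical sketch only; names and fields are assumptions,
        // not the final OVN-Kubernetes API.
        package main

        import (
        	"encoding/json"
        	"fmt"
        )

        // BGPPeerSpec guesses at the configuration the requirements call for.
        type BGPPeerSpec struct {
        	PeerAddress        string   `json:"peerAddress"`        // IP of the BGP neighbor
        	PeerASN            uint32   `json:"peerASN"`            // equal to LocalASN -> iBGP, otherwise eBGP
        	LocalASN           uint32   `json:"localASN"`
        	AddressFamilies    []string `json:"addressFamilies"`    // e.g. "ipv4-unicast", "vpnv4", "vpnv6"
        	Communities        []string `json:"communities"`        // attached to advertised routes
        	ImportRouteTargets []string `json:"importRouteTargets"` // provider routes to import per VRF
        	EnableBFD          bool     `json:"enableBFD"`          // fast liveness detection for the session
        }

        func main() {
        	spec := BGPPeerSpec{
        		PeerAddress:        "198.51.100.1",
        		PeerASN:            64512,
        		LocalASN:           64512, // same ASN on both sides: an iBGP session
        		AddressFamilies:    []string{"ipv4-unicast"},
        		Communities:        []string{"64512:100"},
        		ImportRouteTargets: []string{"64512:100"},
        		EnableBFD:          true,
        	}
        	out, _ := json.MarshalIndent(spec, "", "  ")
        	fmt.Println(string(out))
        }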

      Design Document

      Use Cases (Optional):

      • Integration with 3rd-party load balancers that send packets directly to OpenShift nodes with the destination IP address of a targeted pod, without needing custom operators to detect which node a pod is scheduled on and then add routes into the load balancer to send the packet to the right node.

      Questions to Answer (Optional):

      Out of Scope

      • EVPN integration
      • Support of any other routing protocol
      • Running separate BGP instances per VRF network
      • Support for any other type of L3VPN with BGP, including MPLS
      • Providing any type of API or operator to automatically connect two Kubernetes clusters via L3VPN
      • Replacing the support that MetalLB provides today for advertising service IPs
      • Asymmetric Integrated Routing and Bridging (IRB) with EVPN

      Background

      BGP

      Importing Routes from the Provider Network
      Today in OpenShift there is no API for a user to configure routes into OVN. To change how egress traffic is routed out of the cluster, the user leverages local gateway mode, which forces egress traffic to hop through the Linux host's networking stack, where routes can be configured via NMState. This manual configuration must be performed and maintained across nodes, and across VRFs within each node.

      Additionally, if a user chooses local gateway mode but does not manage routes within the host, then by default traffic is always sent to the default gateway. The only other way to affect egress routing is the Multiple External Gateways (MEG) feature, which lets the user configure multiple different egress gateways per namespace to send traffic to.

      As an alternative, configuring BGP peers and which route-targets to import would eliminate the need to manually configure routes in the host, and would allow dynamic routing updates based on changes in the provider’s network.
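
      To make the route-import model concrete, here is a minimal Go sketch of the L3VPN-style import policy described above: only provider routes carrying a route target that a VRF is configured to import are programmed into that VRF. Types and values are illustrative, not OVN-Kubernetes code.

        // Illustrative sketch of route-target based import filtering.
        package main

        import "fmt"

        type learnedRoute struct {
        	Prefix       string   // e.g. "192.0.2.0/24"
        	NextHop      string   // BGP next hop in the provider network
        	RouteTargets []string // extended communities carried by the route
        }

        // importForVRF keeps the routes whose targets intersect the VRF's
        // configured import list, mimicking standard L3VPN import policy.
        func importForVRF(importRTs []string, routes []learnedRoute) []learnedRoute {
        	want := make(map[string]bool, len(importRTs))
        	for _, rt := range importRTs {
        		want[rt] = true
        	}
        	var imported []learnedRoute
        	for _, r := range routes {
        		for _, rt := range r.RouteTargets {
        			if want[rt] {
        				imported = append(imported, r)
        				break
        			}
        		}
        	}
        	return imported
        }

        func main() {
        	routes := []learnedRoute{
        		{Prefix: "192.0.2.0/24", NextHop: "198.51.100.1", RouteTargets: []string{"65000:100"}},
        		{Prefix: "203.0.113.0/24", NextHop: "198.51.100.2", RouteTargets: []string{"65000:200"}},
        	}
        	// Only the route tagged 65000:100 is imported into this VRF.
        	fmt.Println(importForVRF([]string{"65000:100"}, routes))
        }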

      Exporting Routes into the Provider Network
      There is an existing need in Kubernetes for provider networks to learn routes directly to services and pods. MetalLB is already one solution, whereby load balancer IPs are advertised via BGP to provider networks, and this feature development does not intend to duplicate or replace that function. MetalLB should be able to interoperate with OVN-Kubernetes and remain responsible for advertising services to a provider’s network.

      However, there is a separate need to advertise pod IPs on the provider network. One use case is integration with 3rd-party load balancers that terminate the load-balanced session and then send packets directly to OCP nodes with the destination IP address being the pod IP itself. Today these load balancers rely on custom operators to detect which node a pod is scheduled on and then add routes into the load balancer to send the packet to the right node.

      By integrating BGP and advertising the pod subnets/addresses directly on the provider network, load balancers and other entities on the network would be able to reach the pod IPs directly.
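
      A minimal sketch of the advertisement logic just described, assuming per-node pod subnets are read from the OVN-Kubernetes "k8s.ovn.org/node-subnets" node annotation (the exact annotation shape used here is an assumption): each node's pod CIDR is announced to BGP peers with the node as next hop.

        // Sketch of deriving per-node BGP announcements from pod subnets.
        package main

        import (
        	"encoding/json"
        	"fmt"
        )

        // nodeSubnets mirrors the assumed annotation value:
        // network name -> pod CIDRs assigned to that node.
        type nodeSubnets map[string][]string

        // advertisementsFor parses a node's subnet annotation and returns the
        // prefixes to announce via BGP with next-hop = the node's IP.
        func advertisementsFor(node, annotation string) ([]string, error) {
        	var subnets nodeSubnets
        	if err := json.Unmarshal([]byte(annotation), &subnets); err != nil {
        		return nil, fmt.Errorf("parsing subnets for node %s: %w", node, err)
        	}
        	var prefixes []string
        	for _, cidrs := range subnets {
        		prefixes = append(prefixes, cidrs...)
        	}
        	return prefixes, nil
        }

        func main() {
        	// Example annotation value (assumed shape).
        	ann := `{"default":["10.128.2.0/23"]}`
        	prefixes, err := advertisementsFor("worker-0", ann)
        	if err != nil {
        		panic(err)
        	}
        	fmt.Println(prefixes) // [10.128.2.0/23]
        }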

      EVPN (to be integrated with BGP in a follow-on release targeting 4.18)

      Extending OVN-Kubernetes VRFs into the Provider Network
      This is the most powerful motivation for bringing support of EVPN into OVN-Kubernetes. A previous development effort introduced the ability to create a network per namespace (VRF) in OVN-Kubernetes, allowing users to create multiple isolated networks for namespaces of pods. However, the VRFs terminate at node egress, and routes are leaked from the default VRF so that traffic is able to route out of the OCP node. With EVPN, the VRFs can now be extended into the provider network using a VPN. This unlocks the ability to have L3VPNs that extend across the provider network.

      Utilizing the EVPN Fabric as the Overlay for OVN-Kubernetes
      In addition to extending VRFs to the outside world for ingress and egress, we can also leverage EVPN to handle extending VRFs into the fabric for east/west traffic. This is useful in EVPN DC deployments where EVPN is already being used in the TOR network, and there is no need to use a Geneve overlay. In this use case, both layer 2 (MAC-VRFs) and layer 3 (IP-VRFs) can be advertised directly to the EVPN fabric. One advantage of doing this is that with Layer 2 networks, broadcast, unknown-unicast and multicast (BUM) traffic is suppressed across the EVPN fabric. Therefore the flooding domain in L2 networks for this type of traffic is limited to the node.

      Multi-homing, Link Redundancy, Fast Convergence
      Extending the EVPN fabric to OCP nodes brings other added benefits that are not present in OCP natively today. In this design there are at least 2 physical NICs and links leaving the OCP node to the EVPN leaves. This provides link redundancy, and when coupled with BFD and mass withdrawal, it can also provide fast failover. Additionally, the links can be used by the EVPN fabric to utilize ECMP routing.

      Customer Considerations

      • For customers using MetalLB, it will continue to function correctly regardless of this development.

      Documentation Considerations

      Interoperability Considerations

      • Multiple External Gateways (MEG)
      • Egress IP
      • Services
      • Egress Service
      • Egress Firewall
      • Egress QoS
