
Chapter 5. Cluster Network Operator in OpenShift Container Platform


You can use the Cluster Network Operator (CNO) to deploy and manage cluster network components on an OpenShift Container Platform cluster, including the Container Network Interface (CNI) network plugin selected for the cluster during installation.

5.1. Cluster Network Operator

The Cluster Network Operator implements the network API from the operator.openshift.io API group. The Operator deploys the OVN-Kubernetes network plugin, or the network provider plugin that you selected during cluster installation, by using a daemon set.

Procedure

The Cluster Network Operator is deployed during installation as a Kubernetes Deployment.

  1. Run the following command to view the Deployment status:

    $ oc get -n openshift-network-operator deployment/network-operator

    Example output

    NAME               READY   UP-TO-DATE   AVAILABLE   AGE
    network-operator   1/1     1            1           56m

  2. Run the following command to view the state of the Cluster Network Operator:

    $ oc get clusteroperator/network

    Example output

    NAME      VERSION   AVAILABLE   PROGRESSING   DEGRADED   SINCE
    network   4.5.4     True        False         False      50m

    The following fields provide information about the status of the operator: AVAILABLE, PROGRESSING, and DEGRADED. The AVAILABLE field is True when the Cluster Network Operator reports an available status condition.
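The three condition columns are what a post-install or incident-triage script should gate on. The following Python turns the output of `oc get clusteroperator/network` into a pass/fail verdict: the operator counts as healthy only when AVAILABLE is True and both PROGRESSING and DEGRADED are False, and a blank or missing condition is treated as unhealthy. This is an added example, not code from the OpenShift documentation or from the operator itself; it does not call `oc`, the output it parses is a constructed sample in the layout shown above, and it assumes the whitespace-padded fixed-width columns that `oc get` prints.

```python
"""Health check over `oc get clusteroperator/network` table output.

Added example (not part of the OpenShift documentation or the CNO code base).
Assumes the whitespace-padded, fixed-width columns that `oc get` prints; the
sample output below is constructed in that layout, so nothing here calls `oc`.
"""
from typing import Dict, List

# Constructed sample in the same layout as the chapter's example output.
SAMPLE_OUTPUT = """\
NAME      VERSION   AVAILABLE   PROGRESSING   DEGRADED   SINCE
network   4.5.4     True        False         False      50m
"""

# Condition values required before we call the Cluster Network Operator healthy.
HEALTHY_CONDITIONS = {"AVAILABLE": "True", "PROGRESSING": "False", "DEGRADED": "False"}


def parse_oc_table(text: str) -> List[Dict[str, str]]:
    """Split `oc get` table output into rows keyed by column header.

    Columns are sliced at the character offset where each header word starts,
    not on runs of whitespace, so an empty cell (a condition that was never
    reported) stays empty instead of shifting the remaining cells to the left.
    """
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        return []
    header = lines[0]
    names = header.split()
    starts: List[int] = []
    pos = 0
    for name in names:
        pos = header.index(name, pos)  # each header word begins its column
        starts.append(pos)
        pos += len(name)
    rows = []
    for line in lines[1:]:
        cells = []
        for i, start in enumerate(starts):
            end = starts[i + 1] if i + 1 < len(starts) else None
            cells.append(line[start:end].strip())
        rows.append(dict(zip(names, cells)))
    return rows


def network_operator_status(text: str) -> Dict[str, str]:
    """Return the row for the `network` cluster operator, or an empty dict."""
    for row in parse_oc_table(text):
        if row.get("NAME") == "network":
            return row
    return {}


def network_operator_healthy(text: str) -> bool:
    """True only when AVAILABLE=True, PROGRESSING=False and DEGRADED=False.

    A missing row or a blank condition is reported as unhealthy: an operator
    that has not reported a condition has not settled.
    """
    row = network_operator_status(text)
    return bool(row) and all(row.get(col) == want for col, want in HEALTHY_CONDITIONS.items())


if __name__ == "__main__":
    print(network_operator_status(SAMPLE_OUTPUT))
    print("healthy" if network_operator_healthy(SAMPLE_OUTPUT) else "NOT healthy")
```

In practice the text would come from `oc get clusteroperator/network` run by the script; slicing on header offsets rather than splitting on whitespace is what keeps the check honest when a column is empty.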

5.2. Viewing the cluster network configuration

Every new OpenShift Container Platform installation has a network.config object named cluster.

Procedure

  • Use the oc describe command to view the cluster network configuration:

    $ oc describe network.config/cluster

    Example output

    Name:         cluster
    Namespace:
    Labels:       <none>
    Annotations:  <none>
    API Version:  config.openshift.io/v1
    Kind:         Network
    Metadata:
      Self Link:           /apis/config.openshift.io/v1/networks/cluster
    Spec:  (1)
      Cluster Network:
        Cidr:         10.128.0.0/14
        Host Prefix:  23
      Network Type:   OVNKubernetes
      Service Network:
        172.30.0.0/16
    Status:  (2)
      Cluster Network:
        Cidr:               10.128.0.0/14
        Host Prefix:        23
      Cluster Network MTU:  8951
      Network Type:         OVNKubernetes
      Service Network:
        172.30.0.0/16
    Events:  <none>

    (1) The Spec field displays the configured state of the cluster network.
    (2) The Status field displays the current state of the cluster network configuration.

5.3. Viewing Cluster Network Operator status

You can inspect the status and view the details of the Cluster Network Operator using the oc describe command.

Procedure

  • Run the following command to view the status of the Cluster Network Operator:

    $ oc describe clusteroperators/network

5.4. Viewing Cluster Network Operator logs

You can view Cluster Network Operator logs by using the oc logs command.

Procedure

  • Run the following command to view the logs of the Cluster Network Operator:

    $ oc logs --namespace=openshift-network-operator deployment/network-operator

5.5. Cluster Network Operator configuration

The configuration for the cluster network is specified as part of the Cluster Network Operator (CNO) configuration and stored in a custom resource (CR) object that is named cluster. The CR specifies the fields for the Network API in the operator.openshift.io API group.

The CNO configuration inherits the following fields during cluster installation from the Network API in the Network.config.openshift.io API group, and these fields cannot be changed:

clusterNetwork
    IP address pools from which pod IP addresses are allocated.
serviceNetwork
    IP address pool for services.
defaultNetwork.type
    Cluster network plugin, such as OpenShift SDN or OVN-Kubernetes.

Note

After cluster installation, you cannot modify the fields listed in the previous section.

You can specify the cluster network plugin configuration for your cluster by setting the fields for the defaultNetwork object in the CNO object named cluster.

5.5.1. Cluster Network Operator configuration object

The fields for the Cluster Network Operator (CNO) are described in the following table:

Table 5.1. Cluster Network Operator configuration object

metadata.name (string)
    The name of the CNO object. This name is always cluster.

spec.clusterNetwork (array)
    A list specifying the blocks of IP addresses from which pod IP addresses are allocated and the subnet prefix length assigned to each individual node in the cluster. For example:

    spec:
      clusterNetwork:
      - cidr: 10.128.0.0/19
        hostPrefix: 23
      - cidr: 10.128.32.0/19
        hostPrefix: 23

    This value is read-only and inherited from the Network.config.openshift.io object named cluster during cluster installation.

spec.serviceNetwork (array)
    A block of IP addresses for services. The OpenShift SDN and OVN-Kubernetes network plugins support only a single IP address block for the service network. For example:

    spec:
      serviceNetwork:
      - 172.30.0.0/14

    This value is read-only and inherited from the Network.config.openshift.io object named cluster during cluster installation.

spec.defaultNetwork (object)
    Configures the network plugin for the cluster network.

spec.kubeProxyConfig (object)
    The fields for this object specify the kube-proxy configuration. If you are using the OVN-Kubernetes cluster network plugin, the kube-proxy configuration has no effect.

Important

For a cluster that needs to deploy objects across multiple networks, ensure that you specify the same value for the clusterNetwork.hostPrefix parameter for each network type that is defined in the install-config.yaml file. Setting a different value for each clusterNetwork.hostPrefix parameter can impact the OVN-Kubernetes network plugin, where the plugin cannot effectively route object traffic among different nodes.

defaultNetwork object configuration

The values for the defaultNetwork object are defined in the following table:

Table 5.2. defaultNetwork object

type (string)
    Either OpenShiftSDN or OVNKubernetes. The Red Hat OpenShift Networking network plugin is selected during installation. This value cannot be changed after cluster installation.

    Note

    OpenShift Container Platform uses the OVN-Kubernetes network plugin by default.

openshiftSDNConfig (object)
    This object is only valid for the OpenShift SDN network plugin.

ovnKubernetesConfig (object)
    This object is only valid for the OVN-Kubernetes network plugin.

Configuration for the OpenShift SDN network plugin

The following table describes the configuration fields for the OpenShift SDN network plugin:

Table 5.3. openshiftSDNConfig object

mode (string)
    The network isolation mode for OpenShift SDN.

mtu (integer)
    The maximum transmission unit (MTU) for the VXLAN overlay network. This value is normally configured automatically.

vxlanPort (integer)
    The port to use for all VXLAN packets. The default value is 4789.

Example OpenShift SDN configuration

defaultNetwork:
  type: OpenShiftSDN
  openshiftSDNConfig:
    mode: NetworkPolicy
    mtu: 1450
    vxlanPort: 4789

Configuration for the OVN-Kubernetes network plugin

The following table describes the configuration fields for the OVN-Kubernetes network plugin:

Table 5.4. ovnKubernetesConfig object

mtu (integer)
    The maximum transmission unit (MTU) for the Geneve (Generic Network Virtualization Encapsulation) overlay network. This value is normally configured automatically.

genevePort (integer)
    The UDP port for the Geneve overlay network.

ipsecConfig (object)
    If the field is present, IPsec is enabled for the cluster.

policyAuditConfig (object)
    Specify a configuration object for customizing network policy audit logging. If unset, the default audit log settings are used.

gatewayConfig (object)
    Optional: Specify a configuration object for customizing how egress traffic is sent to the node gateway.

    Note

    While migrating egress traffic, you can expect some disruption to workloads and service traffic until the Cluster Network Operator (CNO) successfully rolls out the changes.

v4InternalSubnet
    If your existing network infrastructure overlaps with the 100.64.0.0/16 IPv4 subnet, you can specify a different IP address range for internal use by OVN-Kubernetes. You must ensure that the IP address range does not overlap with any other subnet used by your OpenShift Container Platform installation. The IP address range must be larger than the maximum number of nodes that can be added to the cluster. For example, if the clusterNetwork.cidr value is 10.128.0.0/14 and the clusterNetwork.hostPrefix value is /23, then the maximum number of nodes is 2^(23-14)=512.

    This field cannot be changed after installation.

    The default value is 100.64.0.0/16.

v6InternalSubnet
    If your existing network infrastructure overlaps with the fd98::/48 IPv6 subnet, you can specify a different IP address range for internal use by OVN-Kubernetes. You must ensure that the IP address range does not overlap with any other subnet used by your OpenShift Container Platform installation. The IP address range must be larger than the maximum number of nodes that can be added to the cluster.

    This field cannot be changed after installation.

    The default value is fd98::/48.
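The sizing rule and the non-overlap requirement for v4InternalSubnet and v6InternalSubnet, together with the hostPrefix consistency requirement from the Important box under Table 5.1, are easy to get wrong in a hand-written install-config and cheap to check before installation, while the fields can still be changed. The following Python performs those checks over a CNO-style spec. It is an added example, not code from the OpenShift documentation or the operator; the spec it checks is a constructed sample whose field names follow the CNO object (clusterNetwork, serviceNetwork, defaultNetwork.ovnKubernetesConfig), and it generalizes the text's single 2^(23-14)=512 example to any cidr/hostPrefix pair, to several clusterNetwork entries, and to both address families.

```python
"""Address-space sanity checks for a Cluster Network Operator `spec`.

Added example, not part of the OpenShift documentation or the operator code
base. It applies rules the text states, using only the standard library:
  * every clusterNetwork entry must use the same hostPrefix, and
  * v4InternalSubnet / v6InternalSubnet must not overlap any other cluster
    subnet and must hold more addresses than the cluster can have nodes,
    where a /cidr pool split into /hostPrefix node blocks holds
    2^(hostPrefix - cidrPrefix) nodes (the text's 2^(23-14) = 512).
The spec below is a constructed sample shaped like the CNO object's fields.
"""
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample; field names follow spec.clusterNetwork, spec.serviceNetwork
# and spec.defaultNetwork.ovnKubernetesConfig from the CNO object.
SAMPLE_CNO_SPEC: Dict = {
    "clusterNetwork": [{"cidr": "10.128.0.0/14", "hostPrefix": 23}],
    "serviceNetwork": ["172.30.0.0/16"],
    "defaultNetwork": {
        "type": "OVNKubernetes",
        "ovnKubernetesConfig": {
            "v4InternalSubnet": "100.64.0.0/16",
            "v6InternalSubnet": "fd98::/48",
        },
    },
}

# Defaults quoted in the text, used when the field is not set explicitly.
INTERNAL_SUBNET_DEFAULTS = {"v4InternalSubnet": "100.64.0.0/16", "v6InternalSubnet": "fd98::/48"}


def max_nodes(cidr: str, host_prefix: int) -> int:
    """Number of /host_prefix node blocks that fit in the /cidr pod pool."""
    pool = ipaddress.ip_network(cidr, strict=True)
    if host_prefix < pool.prefixlen or host_prefix > pool.max_prefixlen:
        raise ValueError(f"hostPrefix /{host_prefix} does not fit inside {cidr}")
    return 2 ** (host_prefix - pool.prefixlen)


def check_host_prefixes(cluster_networks: List[Dict]) -> List[str]:
    """The hostPrefix must be identical across all clusterNetwork entries."""
    prefixes = sorted({entry["hostPrefix"] for entry in cluster_networks})
    if len(prefixes) > 1:
        return [f"clusterNetwork.hostPrefix differs between entries: {prefixes}"]
    return []


def check_internal_subnet(name: str, internal: str, in_use: Iterable[str],
                          node_capacity: int) -> List[str]:
    """No overlap with other subnets, and more addresses than possible nodes."""
    problems = []
    internal_net = ipaddress.ip_network(internal, strict=True)
    for other in in_use:
        other_net = ipaddress.ip_network(other, strict=True)
        # Only subnets of the same address family can overlap.
        if other_net.version == internal_net.version and internal_net.overlaps(other_net):
            problems.append(f"{name} {internal} overlaps {other}")
    if internal_net.num_addresses <= node_capacity:
        problems.append(f"{name} {internal} has {internal_net.num_addresses} addresses "
                        f"for up to {node_capacity} nodes")
    return problems


def validate_cno_spec(spec: Dict) -> List[str]:
    """Return a list of problems; an empty list means every check passed."""
    cluster_networks = spec["clusterNetwork"]
    problems = check_host_prefixes(cluster_networks)
    # Capacity is summed over all pod pools, since each pool contributes node blocks.
    node_capacity = sum(max_nodes(e["cidr"], e["hostPrefix"]) for e in cluster_networks)
    in_use = [e["cidr"] for e in cluster_networks] + list(spec["serviceNetwork"])
    ovn = spec["defaultNetwork"].get("ovnKubernetesConfig") or {}
    for field, default in INTERNAL_SUBNET_DEFAULTS.items():
        problems += check_internal_subnet(field, ovn.get(field, default), in_use, node_capacity)
    return problems


if __name__ == "__main__":
    for problem in validate_cno_spec(SAMPLE_CNO_SPEC) or ["no problems found"]:
        print(problem)
```

Because the internal subnets and hostPrefix cannot be changed after installation, the useful moment to run such a check is against the networking section of install-config.yaml, before the installer creates the cluster.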

Table 5.5. policyAuditConfig object

rateLimit (integer)
    The maximum number of messages to generate every second per node. The default value is 20 messages per second.

maxFileSize (integer)
    The maximum size for the audit log in bytes. The default value is 50000000 or 50 MB.

destination (string)
    One of the following additional audit log targets:

    libc
        The libc syslog() function of the journald process on the host.
    udp:<host>:<port>
        A syslog server. Replace <host>:<port> with the host and port of the syslog server.
    unix:<file>
        A Unix Domain Socket file specified by <file>.
    null
        Do not send the audit logs to any additional target.

syslogFacility (string)
    The syslog facility, such as kern, as defined by RFC5424. The default value is local0.

Table 5.6. gatewayConfig object

routingViaHost (boolean)
    Set this field to true to send egress traffic from pods to the host networking stack.

    Note

    In OpenShift Container Platform 4.12, egress IP is only assigned to the primary interface. Consequently, setting routingViaHost to true will not work for egress IP in OpenShift Container Platform 4.12.

    For highly specialized installations and applications that rely on manually configured routes in the kernel routing table, you might want to route egress traffic to the host networking stack. By default, egress traffic is processed in OVN to exit the cluster and is not affected by specialized routes in the kernel routing table. The default value is false.

    This field interacts with the Open vSwitch hardware offloading feature. If you set this field to true, you do not receive the performance benefits of the offloading because egress traffic is processed by the host networking stack.

Note

You can only change the configuration for your cluster network plugin during cluster installation, except for the gatewayConfig field, which can be changed at runtime as a postinstallation activity.

Example OVN-Kubernetes configuration with IPSec enabled

defaultNetwork:
  type: OVNKubernetes
  ovnKubernetesConfig:
    mtu: 1400
    genevePort: 6081
    ipsecConfig: {}

kubeProxyConfig object configuration

The values for the kubeProxyConfig object are defined in the following table:

Table 5.7. kubeProxyConfig object

iptablesSyncPeriod (string)
    The refresh period for iptables rules. The default value is 30s. Valid suffixes include s, m, and h and are described in the Go time package documentation.

    Note

    Because of performance improvements introduced in OpenShift Container Platform 4.3 and greater, adjusting the iptablesSyncPeriod parameter is no longer necessary.

proxyArguments.iptables-min-sync-period (array)
    The minimum duration before refreshing iptables rules. This field ensures that the refresh does not happen too frequently. Valid suffixes include s, m, and h and are described in the Go time package. The default value is:

    kubeProxyConfig:
      proxyArguments:
        iptables-min-sync-period:
        - 0s

5.5.2. Cluster Network Operator example configuration

A complete CNO configuration is specified in the following example:

Example Cluster Network Operator object

apiVersion: operator.openshift.io/v1
kind: Network
metadata:
  name: cluster
spec:
  clusterNetwork:  # (1)
  - cidr: 10.128.0.0/14
    hostPrefix: 23
  serviceNetwork:  # (2)
  - 172.30.0.0/16
  defaultNetwork:  # (3)
    type: OpenShiftSDN
    openshiftSDNConfig:
      mode: NetworkPolicy
      mtu: 1450
      vxlanPort: 4789
  kubeProxyConfig:
    iptablesSyncPeriod: 30s
    proxyArguments:
      iptables-min-sync-period:
      - 0s

(1) (2) (3) Configured only during cluster installation.
© 2026 Red Hat