Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.
Chapter 5. Assigning a secondary network to a VRF
As a cluster administrator, you can configure a secondary network for a virtual routing and forwarding (VRF) domain by using the CNI VRF plugin. The virtual network that this plugin creates is associated with the physical interface that you specify.
Using a secondary network with a VRF instance has the following advantages:
- Workload isolation
- Isolate workload traffic by configuring a VRF instance for the secondary network.
- Improved security
- Enable improved security through isolated network paths in the VRF domain.
- Multi-tenancy support
- Support multi-tenancy through network segmentation with a unique routing table in the VRF domain for each tenant.
				Applications that use VRFs must bind to a specific device. The common usage is to use the SO_BINDTODEVICE option for a socket. The SO_BINDTODEVICE option binds the socket to the device that is specified in the passed interface name, for example, eth1. To use the SO_BINDTODEVICE option, the application must have CAP_NET_RAW capabilities.
			
				Using a VRF through the ip vrf exec command is not supported in OpenShift Container Platform pods. To use VRF, bind applications directly to the VRF interface.
			
5.1. Creating a secondary network attachment with the CNI VRF plugin
				The Cluster Network Operator (CNO) manages secondary network definitions. When you specify a secondary network to create, the CNO creates the NetworkAttachmentDefinition custom resource (CR) automatically.
			
					Do not edit the NetworkAttachmentDefinition CRs that the Cluster Network Operator manages. Doing so might disrupt network traffic on your secondary network.
				
To create a secondary network attachment with the CNI VRF plugin, perform the following procedure.
Prerequisites
- Install the OpenShift Container Platform CLI (oc).
- Log in to the OpenShift cluster as a user with cluster-admin privileges.
Procedure
- Create the - Networkcustom resource (CR) for the additional network attachment and insert the- rawCNIConfigconfiguration for the secondary network, as in the following example CR. Save the YAML as the file- additional-network-attachment.yaml.- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- pluginsmust be a list. The first item in the list must be the secondary network underpinning the VRF network. The second item in the list is the VRF plugin configuration.
- 2
- typemust be set to- vrf.
- 3
- vrfnameis the name of the VRF that the interface is assigned to. If it does not exist in the pod, it is created.
- 4
- Optional.tableis the routing table ID. By default, thetableidparameter is used. If it is not specified, the CNI assigns a free routing table ID to the VRF.
 Note- VRF functions correctly only when the resource is of type - netdevice.
- Create the - Networkresource:- oc create -f additional-network-attachment.yaml - $ oc create -f additional-network-attachment.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Confirm that the CNO created the - NetworkAttachmentDefinitionCR by running the following command. Replace- <namespace>with the namespace that you specified when configuring the network attachment, for example,- additional-network-1. The expected output shows the name of the NAD CR and the creation age in minutes.- oc get network-attachment-definitions -n <namespace> - $ oc get network-attachment-definitions -n <namespace>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- There might be a delay before the CNO creates the CR. 
Verification
- Create a pod and assign it to the secondary network with the VRF instance: - Create a YAML file that defines the - Podresource:- Example - pod-additional-net.yamlfile- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the name of the secondary network with the VRF instance.
 
- Create the - Podresource by running the following command. The expected output shows the name of the- Podresource and the creation age in minutes.- oc create -f pod-additional-net.yaml - $ oc create -f pod-additional-net.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- Verify that the pod network attachment is connected to the VRF secondary network. Start a remote session with the pod and run the following command. The expected output shows the name of the VRF interface and its unique ID in the routing table. - ip vrf show - $ ip vrf show- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Confirm that the VRF interface is the controller for the secondary interface: - ip link - $ ip link- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - 5: net1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master red state UP mode - 5: net1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master red state UP mode- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow