Red Hat Summit Red Hat SummitSupportConsoleDéveloppeursCommencer un essaiContact

Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 5. Configuring namespaced SR-IOV resources

Namespaced SriovNetwork Resources allow application owners to create and manage their own SriovNetwork resources directly within their namespaces, rather than relying on a cluster administrator to do it in a shared operator namespace. This method simplifies permissions, improves security, and provides better separation between applications.

5.1. An introduction to namespaced SriovNetwork resources
Copier lien

SR-IOV networks can be created and managed directly within application namespaces. This capability provides application owners with fine-grained control over network configurations, simplifying their workflow.

This approach offers several key advantages that enhance the user experience:

  • Increased Autonomy and Control: Application owners gain direct control over their network configurations, eliminating the need for a cluster administrator to create SriovNetwork objects on their behalf.
  • Enhanced Security: By allowing users to manage resources within their own namespaces, the feature improves security and provides better separation between applications. This also helps avoid the unintentional misconfiguration of other applications' NetworkAttachmentDefinition objects.
  • Simplified Permissions: Managing SriovNetwork resources directly in their own namespaces simplifies user permissions. This streamlines the workflow and reduces the operational overhead for developers.

5.1.1. Configuring SriovNetwork in application namespaces
Copier lien

When an SriovNetwork custom resource (CR) is deployed in an application namespace, do not define or populate the spec.networkNamespace field. In this scenario, the NetworkAttachmentDefinition will be created in the same namespace as the SriovNetwork CR.

The SR-IOV Network Operator webhook rejects the creation of an SriovNetwork resource in an application namespace if the spec.networkNamespace field is defined.

Follow this procedure to create an SriovNetwork resource in an application namespace and attach a pod to the additional network.

Prerequisites

The following steps must be completed by a cluster administrator before an application owner can configure a namespaced SriovNetwork resource:

  • The SR-IOV Network Operator is installed in the openshift-sriov-network-operator namespace.
  • Nodes with SR-IOV hardware are labeled for the operator to identify the nodes.

As an application owner you need to have administrator privileges on the application namespace.

Procedure

  1. Specify the SR-IOV network device configuration for a node by creating an SR-IOV network node policy. The SriovNetworkNodePolicy object is created in the openshift-sriov-network-operator namespace to define the SR-IOV network device configuration for nodes. Example configuration for Intel DPK is as follows: 

    apiVersion: sriovnetwork.openshift.io/v1
kind: SriovNetworkNodePolicy
metadata:
  name: intel-dpdk-node-policy
  namespace: openshift-sriov-network-operator
spec:
  resourceName: intelnics
  nodeSelector:
    feature.node.kubernetes.io/network-sriov.capable: "true"
  priority: 10
  numVfs: 4
  nicSelector:
    vendor: "8086"
    deviceID: "158b"
    pfNames: [""]
  deviceType: netdevice
    Copy to Clipboard Toggle word wrap

  2. Create an application namespace. For example, create a namespace named sriov-app by running the following command: 

    $ cat <<EOF | oc create -f -
apiVersion: v1
kind: Namespace
metadata:
    name: sriov-app
EOF
    Copy to Clipboard Toggle word wrap

  3. Create a YAML file, for example, sriovnetwork.yaml, to define the SriovNetwork object in the application namespace. 

    apiVersion: sriovnetwork.openshift.io/v1
kind: SriovNetwork
metadata:
  name: test-network
  namespace: sriov-app
spec:
  resourceName: intelnics
  ipam:
    type: host-local
    subnet: "10.0.0.0/24"
    routes:
      - dst: "0.0.0.0/0"
        gw: "10.0.0.1"
  vlan: 10
    Copy to Clipboard Toggle word wrap
    • namespace: The value must match the name of the application namespace, for example, sriov-app.
    • resourceName: This value must match the spec.resourceName defined in the SriovNetworkNodePolicy created by the cluster administrator, which in the example is intelnics.

  4. Apply the YAML file to create the SriovNetwork object in the application namespace. 

    $ oc create -f sriovnetwork.yaml
    Copy to Clipboard Toggle word wrap

    After an application owner has created the SriovNetwork resource, they can create a pod that uses the newly defined network. You attach a pod to the additional network by adding a specific annotation to the pod’s YAML manifest.

  5. Create a YAML file, for example, test-pod.yaml, to define a pod that uses the new network attachment: 

    apiVersion: v1
kind: Pod
metadata:
  name: test-pod
  namespace: sriov-app
  annotations:
    k8s.v1.cni.cncf.io/networks: test-network
spec:
  containers:
  - name: test-pod-container
    image: centos/tools
    command: ["/bin/bash", "-c", "sleep 3600"]
    Copy to Clipboard Toggle word wrap
    • namespace: The namespace where the pod is created. This must be the same namespace where the SriovNetwork object is created.
    • annotations: k8s.v1.cni.cncf.io/networks specifies the additional network that the pod connects to. The value must match the metadata.name of the SriovNetwork object.

  6. Apply the YAML file to create the pod in the application namespace by running the following command: 

    $ oc create -f test-pod.yaml
    Copy to Clipboard Toggle word wrap

Verification

  1. Verify that the NetworkAttachmentDefinition has been created in the same namespace by running the following command: 

    $ oc get net-attach-def -n sriov-app
    Copy to Clipboard Toggle word wrap

    Where sriov-app is the application namespace where the SriovNetwork object is created.

    Example output

    NAME           AGE
test-network   2m
    Copy to Clipboard Toggle word wrap

  2. Verify the pod is running and get its network status by describing the pod with the following command: 

    $ oc describe pod test-pod -n sriov-app
    Copy to Clipboard Toggle word wrap

    Where sriov-app is the application namespace where the pod is created.

    In the output, look for the k8s.v1.cni.cncf.io/network-status annotation. This shows the name of the network and the IP assigned to the pod on that interface.

  3. Check that the pod has the additional network interface by running the following command: 

    $ oc exec -it test-pod -n sriov-app -- ip a
    Copy to Clipboard Toggle word wrap

    Look for a secondary network interface, for example net1 or eth1, in addition to the default eth0 interface. The net1 interface should have an IP address from the subnet you defined in the SriovNetwork object, for example 10.0.0.0/24. This confirms the pod is using the new network attachment definition.

Retour au début
Red Hat logoGithubredditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance. Découvrez nos récentes mises à jour.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez le Blog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

Theme

© 2025 Red Hat