红帽全球峰会5.3. 在 RHOSO 上为 BGP 网络准备 RHOCP
Red Hat OpenStack Services on OpenShift (RHOSO)服务作为 Red Hat OpenShift Container Platform (RHOCP)工作负载运行。您可以使用 NMState Operator 将 worker 节点连接到所需的隔离网络。您可以使用 MetalLB Operator 在隔离的网络上公开内部服务端点。默认情况下,公共服务端点作为 RHOCP 路由公开。
以下流程中的示例使用 IPv4 地址。您可以使用 IPv6 地址而不是 IPv4 地址。双堆栈 IPv4/6 不可用。有关如何配置 IPv6 地址的详情,请参考 RHOCP 网络指南中的以下资源 :
5.3.1. 在 RHOCP 节点的 BGP 接口上禁用 rcp_filter
要让 Red Hat OpenShift Container Platform (RHOCP) worker 节点根据它们接收的 BGP 公告转发流量,您必须在运行 RHOSO 服务的 RHOCP worker 节点上禁用反向路径过滤器。
流程
创建名为
tuned.yaml的清单文件,其内容类似如下:apiVersion: tuned.openshift.io/v1 kind: Tuned metadata: name: default namespace: openshift-cluster-node-tuning-operator spec: profile: - data: | [main] summary=Optimize systems running OpenShift (provider specific parent profile) include=-provider-${f:exec:cat:/var/lib/ocp-tuned/provider},openshift [sysctl] net.ipv4.conf.enp8s0.rp_filter=0 net.ipv4.conf.enp9s0.rp_filter=0 name: openshift recommend: - match: - label: kubernetes.io/hostname value: worker-0 - label: kubernetes.io/hostname value: worker-1 - label: kubernetes.io/hostname value: worker-2 - label: node-role.kubernetes.io/master operand: tunedConfig: reapply_sysctl: false priority: 15 profile: openshift-no-reapply-sysctl status: {}保存文件并创建
Tuned资源:$ oc create -f tuned.yaml
5.3.2. 使用 BGP 的隔离网络接口准备 RHOCP
创建一个 NodeNetworkConfigurationPolicy (nncp)自定义资源(CR),以便在 Red Hat OpenShift Container Platform (RHOCP)集群中的每个 worker 节点上为每个隔离网络配置接口。
流程
-
在工作站上创建一个
NodeNetworkConfigurationPolicy(nncp) CR 文件,例如openstack-nncp-bgp.yaml。 检索 RHOCP 集群中 worker 节点的名称:
$ oc get nodes -l node-role.kubernetes.io/worker -o jsonpath="{.items[*].metadata.name}"发现网络配置:
$ oc get nns/<worker_node> -o yaml | more-
将
<worker_node> 替换为在第 2 步中获取的 worker 节点的名称,如worker-1。为每个 worker 节点重复此步骤。
-
将
在
nncpCR 文件中,在 RHOCP 集群中每个 worker 节点上为每个隔离网络配置接口。有关必须配置网络隔离的默认物理数据中心网络的信息,请参阅 OpenShift 网络上的默认 Red Hat OpenStack Services for BGP。在以下示例中,
nncpCR 配置用于映射 Red Hat OpenStack Services on OpenShift (RHOSO)网络的多个未连接的网桥。您可以使用 BGP 接口与网络光纤对等,并建立连接。环回接口配置了 BGP 网络源地址99.99.0.x。您可以选择将 NIC 专用于ctlplane网络。apiVersion: nmstate.io/v1 kind: NodeNetworkConfigurationPolicy metadata: labels: osp/nncm-config-type: standard name: worker-0 namespace: openstack spec: desiredState: dns-resolver: config: search: [] server: - 192.168.122.1 interfaces: - description: internalapi bridge mtu: 1500 name: internalapi state: up type: linux-bridge - description: storage bridge mtu: 1500 name: storage state: up type: linux-bridge - description: tenant bridge mtu: 1500 name: tenant state: up type: linux-bridge - description: ctlplane bridge mtu: 1500 name: ospbr state: up type: linux-bridge - description: BGP interface 1 ipv4: address: - ip: 100.64.0.14 prefix-length: "30" dhcp: false enabled: true ipv6: enabled: false mtu: 1500 name: enp8s0 state: up type: ethernet - description: BGP interface 2 ipv4: address: - ip: 100.65.0.14 prefix-length: "30" dhcp: false enabled: true ipv6: enabled: false mtu: 1500 name: enp9s0 state: up type: ethernet - description: loopback interface ipv4: address: - ip: 99.99.0.3 prefix-length: "32" dhcp: false enabled: true mtu: 65536 name: lo state: up route-rules: config: [] routes: config: - destination: 99.99.0.0/16 next-hop-address: 100.64.0.13 next-hop-interface: enp8s0 - destination: 99.99.0.0/16 next-hop-address: 100.65.0.13 next-hop-interface: enp9s0 nodeSelector: kubernetes.io/hostname: worker-0 node-role.kubernetes.io/worker: ""在集群中创建
nncpCR:$ oc apply -f openstack-nncp-bgp.yaml验证
nncpCR 是否已创建:$ oc get nncp -w NAME STATUS REASON osp-enp6s0-worker-1 Progressing ConfigurationProgressing osp-enp6s0-worker-1 Progressing ConfigurationProgressing osp-enp6s0-worker-1 Available SuccessfullyConfigured
5.3.3. 将服务 pod 附加到 BGP 的隔离网络
为每个隔离网络创建一个 NetworkAttachmentDefinition (net-attach-def)自定义资源(CR),以将服务 pod 附加到网络。
流程
-
在工作站上创建一个
NetworkAttachmentDefinition(net-attach-def) CR 文件,如openstack-net-attach-def.yaml。 在
NetworkAttachmentDefinitionCR 文件中,为每个隔离网络配置NetworkAttachmentDefinition资源,以将服务部署 pod 附加到网络。以下示例创建一个NetworkAttachmentDefinition资源,它使用带有特定网关配置和其他选项的类型网桥接口:apiVersion: k8s.cni.cncf.io/v1 kind: NetworkAttachmentDefinition metadata: labels: osp/net: internalapi osp/net-attach-def-type: standard name: internalapi namespace: openstack1 spec: config: | { "cniVersion": "0.3.1", "name": "internalapi",2 "type": "bridge", "isDefaultGateway": true, "isGateway": true, "forceAddress": false, "ipMasq": true, "hairpinMode": true, "bridge": "internalapi", "ipam": {3 "type": "whereabouts", "range": "172.17.0.0/24", "range_start": "172.17.0.30",4 "range_end": "172.17.0.70", "gateway": "172.17.0.1" } }在集群中创建
NetworkAttachmentDefinitionCR:$ oc apply -f openstack-net-attach-def.yaml验证
NetworkAttachmentDefinitionCR 是否已创建:$ oc get net-attach-def -n openstack
5.3.4. 为 BGP 为 RHOSO 网络 VIPS 准备 RHOCP
您必须创建 BGPPeer 自定义资源(CR)对,以定义哪个叶交换机连接到每个节点上的 eth2 和 eth3 接口。例如,worker-0 有两个 BGPPeer CR,一个用于 leaf-0,一个用于 leaf-1。有关 BGP 对等点的详情,请参考 link:https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/ingress_and_load_balancing/load-balancing-with-metallb#nw-metallb-configure-bgppeer_configure-metallb-bgp-peers [配置 BGP peer]。
您还必须创建 IPAddressPool CR 来定义要公告的网络范围,以及一个 BGPAdvertisement CR,用于定义如何声明 BGPPeer CR,并将 IPAddressPool CR 链接到接收广告的 BGPPeer CR。
流程
-
在工作站上创建一个
BGPPeerCR 文件,如bgppeers.yaml。 将每个节点的
BGPPeerCR 对配置为 peer。以下示例为worker-0节点配置两个BGPPeerCR,一个用于 leaf-0,一个用于 leaf-1 :apiVersion: metallb.io/v1beta2 kind: BGPPeer metadata: name: bgp-peer-node-0-0 namespace: metallb-system spec: myASN: 64999 nodeSelectors: - matchExpressions: - key: kubernetes.io/hostname operator: In values: - worker-0 password: r3dh4t1234 peerASN: 64999 peerAddress: 100.64.0.13 --- apiVersion: metallb.io/v1beta2 kind: BGPPeer metadata: name: bgp-peer-node-0-1 namespace: metallb-system spec: myASN: 64999 nodeSelectors: - matchExpressions: - key: kubernetes.io/hostname operator: In values: - worker-0 password: r3dh4t1234 peerASN: 64999 peerAddress: 100.65.0.13创建 BGPPeer CR:
$ oc create -f bgppeers.yaml-
在工作站上创建一个
IPAddressPoolCR 文件,例如ipaddresspools-bgp.yaml。 在
IPAddressPoolCR 文件中,在每个隔离网络上配置IPAddressPool资源,以指定 MetalLB 具有授权的 IP 地址范围:apiVersion: metallb.io/v1beta1 kind: IPAddressPool metadata: name: ctlplane namespace: metallb-system spec: addresses: - 192.168.125.80-192.168.125.901 --- apiVersion: metallb.io/v1beta1 kind: IPAddressPool metadata: name: internalapi namespace: metallb-system spec: addresses: - 172.17.0.80-172.17.0.90- 1
IPAddressPool范围不得与whereaboutsIPAM 范围和 NetConfigallocationRange重叠。
有关如何配置其他
IPAddressPool资源参数的详情,请参考 RHOCP 网络概述 中配置 MetalLB BGP 对等点。在集群中创建
IPAddressPoolCR:$ oc apply -f ipaddresspools-bgp.yaml验证
IPAddressPoolCR 是否已创建:$ oc describe -n metallb-system IPAddressPool在工作站上创建一个
BGPAdvertisementCR 文件,如bgpadvert.yaml。apiVersion: metallb.io/v1beta1 kind: BGPAdvertisement metadata: name: bgpadvertisement namespace: metallb-system spec: ipAddressPools: - ctlplane - internalapi - storage - tenant peers:1 - bgp-peer-node-0-0 - bgp-peer-node-0-1 - bgp-peer-node-1-0 - bgp-peer-node-1-1 - bgp-peer-node-2-0 - bgp-peer-node-2-1 ...- 1
- 列出您为每个 RHOCP 节点需要与之通信的对等 IP 地址定义的所有
BGPPeerCR。
在集群中创建
BGPAdvertisementCR:$ oc apply -f bgpadvert.yaml如果您的集群将 OVNKubernetes 用作网络后端,则必须启用全局转发,以便 MetalLB 可以在二级网络接口中工作。
检查集群使用的网络后端:
$ oc get network.operator cluster --output=jsonpath='{.spec.defaultNetwork.type}'如果后端是 OVNKubernetes,则运行以下命令来启用全局 IP 转发:
$ oc patch network.operator cluster -p '{"spec":{"defaultNetwork":{"ovnKubernetesConfig":{"gatewayConfig":{"ipForwarding": "Global"}}}}}' --type=merge
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}