Attaching a virtual machine to a Linux bridge network
By default, OKD Virtualization is installed with a single, internal pod network.
You must create a Linux bridge network attachment definition (NAD) in order to connect to additional networks.
To attach a virtual machine to an additional network:
Create a Linux bridge node network configuration policy.
Create a Linux bridge network attachment definition.
Configure the virtual machine, enabling the virtual machine to recognize the network attachment definition.
For more information about scheduling, interface types, and other node networking activities, see the node networking section.
Connecting to the network through the network attachment definition
Creating a Linux bridge node network configuration policy
Use a NodeNetworkConfigurationPolicy
manifest YAML file to create the Linux bridge.
Procedure
Create the
NodeNetworkConfigurationPolicy
manifest. This example includes sample values that you must replace with your own information.apiVersion: nmstate.io/v1
kind: NodeNetworkConfigurationPolicy
metadata:
name: br1-eth1-policy (1)
spec:
desiredState:
interfaces:
- name: br1 (2)
description: Linux bridge with eth1 as a port (3)
type: linux-bridge (4)
state: up (5)
ipv4:
enabled: false (6)
bridge:
options:
stp:
enabled: false (7)
port:
- name: eth1 (8)
1 Name of the policy. 2 Name of the interface. 3 Optional: Human-readable description of the interface. 4 The type of interface. This example creates a bridge. 5 The requested state for the interface after creation. 6 Disables IPv4 in this example. 7 Disables STP in this example. 8 The node NIC to which the bridge is attached.
Creating a Linux bridge network attachment definition
Configuring IP address management (IPAM) in a network attachment definition for virtual machines is not supported. |
Creating a Linux bridge network attachment definition in the web console
Network administrators can create network attachment definitions to provide layer-2 networking to pods and virtual machines.
Procedure
In the web console, click Networking → Network Attachment Definitions.
Click Create Network Attachment Definition.
The network attachment definition must be in the same namespace as the pod or virtual machine.
Enter a unique Name and optional Description.
Click the Network Type list and select CNV Linux bridge.
Enter the name of the bridge in the Bridge Name field.
Optional: If the resource has VLAN IDs configured, enter the ID numbers in the VLAN Tag Number field.
Optional: Select MAC Spoof Check to enable MAC spoof filtering. This feature provides security against a MAC spoofing attack by allowing only a single MAC address to exit the pod.
Click Create.
A Linux bridge network attachment definition is the most efficient method for connecting a virtual machine to a VLAN.
Creating a Linux bridge network attachment definition in the CLI
As a network administrator, you can configure a network attachment definition of type cnv-bridge
to provide layer-2 networking to pods and virtual machines.
Prerequisites
- The node must support nftables and the
nft
binary must be deployed to enable MAC spoof check.
Procedure
Create a network attachment definition in the same namespace as the virtual machine.
Add the virtual machine to the network attachment definition, as in the following example:
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
name: <bridge-network> (1)
annotations:
k8s.v1.cni.cncf.io/resourceName: bridge.network.kubevirt.io/<bridge-interface> (2)
spec:
config: '{
"cniVersion": "0.3.1",
"name": "<bridge-network>", (3)
"type": "cnv-bridge", (4)
"bridge": "<bridge-interface>", (5)
"macspoofchk": true, (6)
"vlan": 1 (7)
}'
1 The name for the NetworkAttachmentDefinition
object.2 Optional: Annotation key-value pair for node selection, where bridge-interface
must match the name of a bridge configured on some nodes. If you add this annotation to your network attachment definition, your virtual machine instances will only run on the nodes that have thebridge-interface
bridge connected.3 The name for the configuration. It is recommended to match the configuration name to the name
value of the network attachment definition.4 The actual name of the Container Network Interface (CNI) plug-in that provides the network for this network attachment definition. Do not change this field unless you want to use a different CNI. 5 The name of the Linux bridge configured on the node. 6 Optional: Flag to enable MAC spoof check. When set to true
, you cannot change the MAC address of the pod or guest interface. This attribute provides security against a MAC spoofing attack by allowing only a single MAC address to exit the pod.7 Optional: The VLAN tag. No additional VLAN configuration is required on the node network configuration policy. A Linux bridge network attachment definition is the most efficient method for connecting a virtual machine to a VLAN.
Create the network attachment definition:
$ oc create -f <network-attachment-definition.yaml> (1)
1 Where <network-attachment-definition.yaml>
is the file name of the network attachment definition manifest.
Verification
Verify that the network attachment definition was created by running the following command:
$ oc get network-attachment-definition <bridge-network>
Configuring the virtual machine for a Linux bridge network
Creating a NIC for a virtual machine in the web console
Create and attach additional NICs to a virtual machine from the web console.
Prerequisites
- A network attachment definition must be available.
Procedure
In the correct project in the OKD console, click Virtualization → VirtualMachines from the side menu.
Select a virtual machine to open the VirtualMachine details page.
Click the Network Interfaces tab to view the NICs already attached to the virtual machine.
Click Add Network Interface to create a new slot in the list.
Select a network attachment definition from the Network list for the additional network.
Fill in the Name, Model, Type, and MAC Address for the new NIC.
Click Save to save and attach the NIC to the virtual machine.
Networking fields
Name | Description |
---|---|
Name | Name for the network interface controller. |
Model | Indicates the model of the network interface controller. Supported values are e1000e and virtio. |
Network | List of available network attachment definitions. |
Type | List of available binding methods. Select the binding method suitable for the network interface:
|
MAC Address | MAC address for the network interface controller. If a MAC address is not specified, one is assigned automatically. |
Attaching a virtual machine to an additional network in the CLI
Attach a virtual machine to an additional network by adding a bridge interface and specifying a network attachment definition in the virtual machine configuration.
This procedure uses a YAML file to demonstrate editing the configuration and applying the updated file to the cluster. You can alternatively use the oc edit <object> <name>
command to edit an existing virtual machine.
Prerequisites
- Shut down the virtual machine before editing the configuration. If you edit a running virtual machine, you must restart the virtual machine for the changes to take effect.
Procedure
Create or edit a configuration of a virtual machine that you want to connect to the bridge network.
Add the bridge interface to the
spec.template.spec.domain.devices.interfaces
list and the network attachment definition to thespec.template.spec.networks
list. This example adds a bridge interface calledbridge-net
that connects to thea-bridge-network
network attachment definition:apiVersion: kubevirt.io/v1
kind: VirtualMachine
metadata:
name: <example-vm>
spec:
template:
spec:
domain:
devices:
interfaces:
- masquerade: {}
name: <default>
- bridge: {}
name: <bridge-net> (1)
...
networks:
- name: <default>
pod: {}
- name: <bridge-net> (2)
multus:
networkName: <network-namespace>/<a-bridge-network> (3)
...
1 The name of the bridge interface. 2 The name of the network. This value must match the name
value of the correspondingspec.template.spec.domain.devices.interfaces
entry.3 The name of the network attachment definition, prefixed by the namespace where it exists. The namespace must be either the default
namespace or the same namespace where the VM is to be created. In this case,multus
is used. Multus is a cloud network interface (CNI) plug-in that allows multiple CNIs to exist so that a pod or virtual machine can use the interfaces it needs.Apply the configuration:
$ oc apply -f <example-vm.yaml>
Optional: If you edited a running virtual machine, you must restart it for the changes to take effect.