Attaching a pod to an additional network
As a cluster user you can attach a pod to an additional network.
Adding a pod to an additional network
You can add a pod to an additional network. The pod continues to send normal cluster-related network traffic over the default network.
When a pod is created, additional networks are attached to it. However, if a pod already exists, you cannot attach additional networks to it.
The pod must be in the same namespace as the additional network.
Prerequisites
Install the OpenShift CLI (oc).
Log in to the cluster.
Procedure
Add an annotation to the Pod object. Only one of the following annotation formats can be used:
To attach an additional network without any customization, add an annotation with the following format. Replace <network> with the name of the additional network to associate with the pod:
metadata:
  annotations:
    k8s.v1.cni.cncf.io/networks: <network>[,<network>,...] (1)
1 To specify more than one additional network, separate each network with a comma. Do not include whitespace around the comma. If you specify the same additional network multiple times, that pod will have multiple network interfaces attached to that network.
To attach an additional network with customizations, add an annotation with the following format:
metadata:
  annotations:
    k8s.v1.cni.cncf.io/networks: |-
      [
        {
          "name": "<network>", (1)
          "namespace": "<namespace>", (2)
          "default-route": ["<default-route>"] (3)
        }
      ]
1 Specify the name of the additional network defined by a NetworkAttachmentDefinition object.
2 Specify the namespace where the NetworkAttachmentDefinition object is defined.
3 Optional: Specify an override for the default route, such as 192.168.17.1.
To create the pod, enter the following command. Replace <name> with the name of the pod.
$ oc create -f <name>.yaml
Optional: To confirm that the annotation exists in the Pod CR, enter the following command, replacing <name> with the name of the pod.
$ oc get pod <name> -o yaml
In the following example, the example-pod pod is attached to the net1 additional network:
$ oc get pod example-pod -o yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    k8s.v1.cni.cncf.io/networks: macvlan-bridge
    k8s.v1.cni.cncf.io/networks-status: |- (1)
      [{
          "name": "openshift-sdn",
          "interface": "eth0",
          "ips": [
              "10.128.2.14"
          ],
          "default": true,
          "dns": {}
      },{
          "name": "macvlan-bridge",
          "interface": "net1",
          "ips": [
              "20.2.2.100"
          ],
          "mac": "22:2f:60:a5:f8:00",
          "dns": {}
      }]
  name: example-pod
  namespace: default
spec:
  ...
status:
  ...
1 The k8s.v1.cni.cncf.io/networks-status parameter is a JSON array of objects. Each object describes the status of an additional network attached to the pod. The annotation value is stored as a plain text value.
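To automate the confirmation step, the following added example (not part of the OKD documentation) compares the networks a pod requested with what the networks-status annotation reports, counting repeated requests for the same network separately. The function names are hypothetical, and it assumes the names in networks-status match the requested names, as they do in the output above.

```python
import json
from collections import Counter

REQUESTED = "k8s.v1.cni.cncf.io/networks"
STATUS = "k8s.v1.cni.cncf.io/networks-status"


def requested_networks(value):
    """Network names from either annotation format (comma list or JSON list)."""
    value = value.strip()
    if value.startswith("["):
        return [entry["name"] for entry in json.loads(value)]
    return [name for name in value.split(",") if name]


def attachment_report(pod):
    """Compare requested additional networks with what networks-status lists."""
    annotations = pod["metadata"].get("annotations", {})
    status = json.loads(annotations.get(STATUS, "[]"))
    wanted = Counter(requested_networks(annotations.get(REQUESTED, "")))
    # The entry with "default": true is the cluster network, not an addition.
    attached = Counter(s["name"] for s in status if not s.get("default"))
    return {
        "default": [s["name"] for s in status if s.get("default")],
        "interfaces": {s["interface"]: s.get("ips", []) for s in status},
        "missing": sorted((wanted - attached).elements()),
        "unexpected": sorted((attached - wanted).elements()),
    }


# Pod metadata in the shape `oc get pod example-pod -o json` returns, rebuilt
# from the YAML output above. The second request for macvlan-bridge is
# constructed here to show how a missing attachment is reported.
EXAMPLE_POD = {
    "metadata": {
        "name": "example-pod",
        "annotations": {
            REQUESTED: "macvlan-bridge,macvlan-bridge",
            STATUS: json.dumps([
                {"name": "openshift-sdn", "interface": "eth0",
                 "ips": ["10.128.2.14"], "default": True, "dns": {}},
                {"name": "macvlan-bridge", "interface": "net1",
                 "ips": ["20.2.2.100"], "mac": "22:2f:60:a5:f8:00", "dns": {}},
            ]),
        },
    }
}

if __name__ == "__main__":
    print(json.dumps(attachment_report(EXAMPLE_POD), indent=2))
```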
Specifying pod-specific addressing and routing options
When attaching a pod to an additional network, you may want to specify further properties about that network in a particular pod. This allows you to change some aspects of routing, as well as specify static IP addresses and MAC addresses. To accomplish this, you can use the JSON formatted annotations.
Prerequisites
The pod must be in the same namespace as the additional network.
Install the OpenShift CLI (oc).
You must log in to the cluster.
Procedure
To add a pod to an additional network while specifying addressing and/or routing options, complete the following steps:
Edit the Pod resource definition. If you are editing an existing Pod resource, run the following command to edit its definition in the default editor. Replace <name> with the name of the Pod resource to edit.
$ oc edit pod <name>
In the Pod resource definition, add the k8s.v1.cni.cncf.io/networks parameter to the pod metadata mapping. The k8s.v1.cni.cncf.io/networks parameter accepts a JSON string of a list of objects that reference the names of NetworkAttachmentDefinition custom resources (CRs) in addition to specifying additional properties.
metadata:
  annotations:
    k8s.v1.cni.cncf.io/networks: '[<network>[,<network>,...]]' (1)
1 Replace <network> with a JSON object as shown in the following examples. The single quotes are required.
In the following example the annotation specifies which network attachment will have the default route, using the default-route parameter.
apiVersion: v1
kind: Pod
metadata:
  name: example-pod
  annotations:
    k8s.v1.cni.cncf.io/networks: '[
      {
        "name": "net1"
      },
      {
        "name": "net2", (1)
        "default-route": ["192.0.2.1"] (2)
      }]'
spec:
  containers:
  - name: example-pod
    command: ["/bin/bash", "-c", "sleep 2000000000000"]
    image: centos/tools
1 The name key is the name of the additional network to associate with the pod.
2 The default-route key specifies a value of a gateway for traffic to be routed over if no other routing entry is present in the routing table. If more than one default-route key is specified, this will cause the pod to fail to become active.
The default route will cause any traffic that is not specified in other routes to be routed to the gateway.
Setting the default route to an interface other than the default network interface for OKD may cause traffic that is anticipated for pod-to-pod traffic to be routed over another interface.
To verify the routing properties of a pod, the oc command may be used to execute the ip command within a pod.
$ oc exec -it <pod_name> -- ip route
You may also reference the pod’s
To set a static IP address or MAC address for a pod, you can use the JSON formatted annotations. This requires that you create networks that specifically allow for this functionality. This can be specified in a rawCNIConfig for the CNO.
Edit the CNO CR by running the following command:
$ oc edit networks.operator.openshift.io cluster
The following YAML describes the configuration parameters for the CNO:
Cluster Network Operator YAML configuration
name: <name> (1)
namespace: <namespace> (2)
rawCNIConfig: '{ (3)
...
}'
type: Raw
1 Specify a name for the additional network attachment that you are creating. The name must be unique within the specified namespace.
2 Specify the namespace to create the network attachment in. If you do not specify a value, then the default namespace is used.
3 Specify the CNI plug-in configuration in JSON format, which is based on the following template.
The following object describes the configuration parameters for utilizing static MAC address and IP address using the macvlan CNI plug-in:
macvlan CNI plug-in JSON configuration object using static IP and MAC address
{
  "cniVersion": "0.3.1",
  "name": "<name>", (1)
  "plugins": [{ (2)
      "type": "macvlan",
      "capabilities": { "ips": true }, (3)
      "master": "eth0", (4)
      "mode": "bridge",
      "ipam": {
        "type": "static"
      }
    }, {
      "capabilities": { "mac": true }, (5)
      "type": "tuning"
    }]
}
1 Specifies the name for the additional network attachment to create. The name must be unique within the specified namespace.
2 Specifies an array of CNI plug-in configurations. The first object specifies a macvlan plug-in configuration and the second object specifies a tuning plug-in configuration.
3 Specifies that a request is made to enable the static IP address functionality of the CNI plug-in runtime configuration capabilities.
4 Specifies the interface that the macvlan plug-in uses.
5 Specifies that a request is made to enable the static MAC address functionality of a CNI plug-in.
The above network attachment can be referenced in a JSON formatted annotation, along with keys to specify which static IP and MAC address will be assigned to a given pod.
Edit the pod with:
$ oc edit pod <name>
macvlan CNI plug-in JSON configuration object using static IP and MAC address
apiVersion: v1
kind: Pod
metadata:
  name: example-pod
  annotations:
    k8s.v1.cni.cncf.io/networks: '[
      {
        "name": "<name>", (1)
        "ips": [ "192.0.2.205/24" ], (2)
        "mac": "CA:FE:C0:FF:EE:00" (3)
      }
    ]'
1 Use the <name> as provided when creating the rawCNIConfig above.
2 Provide an IP address including the subnet mask.
3 Provide the MAC address.
Static IP addresses and MAC addresses do not have to be used at the same time; you may use them individually or together.
To verify the IP address and MAC properties of a pod with additional networks, use the oc command to execute the ip command within a pod.
$ oc exec -it <pod_name> -- ip a
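The following added example (not part of the OKD documentation) is a pre-flight check for the JSON-formatted annotation. It covers both the default-route rule and the static ips and mac keys described above. The function name check_networks and the sample value are assumptions made for the illustration.

```python
import ipaddress
import json
import re

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")

def check_networks(value):
    """Return findings for a JSON-formatted k8s.v1.cni.cncf.io/networks value."""
    try:
        entries = json.loads(value)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON ({exc.msg}): the value must be one list in [ ]"]
    if not isinstance(entries, list):
        return ["the value must be a JSON list of objects"]
    findings, routed = [], []
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict) or not entry.get("name"):
            findings.append(f"entry {i}: missing 'name'")
            continue
        name = entry["name"]
        gateways = entry.get("default-route")
        if gateways is not None:
            routed.append(name)
            for gw in gateways if isinstance(gateways, list) else [gateways]:
                try:
                    ipaddress.ip_address(str(gw))
                except ValueError:
                    findings.append(f"{name}: default-route {gw!r} is not an IP address")
        for ip in entry.get("ips", []):
            try:
                if "/" not in str(ip):  # the subnet mask is required
                    raise ValueError(ip)
                ipaddress.ip_interface(str(ip))
            except ValueError:
                findings.append(f"{name}: ips entry {ip!r} needs address/prefix")
        mac = entry.get("mac")
        if mac is not None and not MAC_RE.match(str(mac)):
            findings.append(f"{name}: mac {mac!r} is not six hex octets")
    if len(routed) > 1:
        # More than one default-route key keeps the pod from becoming active.
        findings.append(f"default-route set on {routed}: pod will not become active")
    elif routed:
        findings.append(f"review: default route moves to network {routed[0]}")
    return findings

# Constructed sample: one override of the default route, one IP without a mask.
SAMPLE = ('[{"name": "net1"}, {"name": "net2", "default-route": ["192.0.2.1"],'
          ' "ips": ["192.0.2.205"], "mac": "CA:FE:C0:FF:EE:00"}]')
if __name__ == "__main__":
    print("\n".join(check_networks(SAMPLE)))
```

A single default-route entry is reported for review rather than rejected, because it is valid but changes where traffic without a more specific route leaves the pod.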