diff --git a/modules/example-secondary-external-gateway-configurations.adoc b/modules/example-secondary-external-gateway-configurations.adoc new file mode 100644 index 000000000000..b9f06ddaafb2 --- /dev/null +++ b/modules/example-secondary-external-gateway-configurations.adoc 
@@ -0,0 +1,87 @@ +// Module included in the following assemblies: +// +// * networking/ovn_kubernetes_network_provider/configuring-secondary-external-gateway.adoc + +:_mod-docs-content-type: REFERENCE +[id="example-secondary-external-gateway-configurations_{context}"] += Example secondary external gateway configurations + +[role="_abstract"] +To better understand a secondary external gateway configuration, review the example configurations. + +In the following example, the `AdminPolicyBasedExternalRoute` object configures two static IP addresses as external gateways for pods in namespaces with the `kubernetes.io/metadata.name: novxlan-externalgw-ecmp-4059` label. + +[source,yaml] +---- +apiVersion: k8s.ovn.org/v1 +kind: AdminPolicyBasedExternalRoute +metadata: + name: default-route-policy +spec: + from: + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: novxlan-externalgw-ecmp-4059 + nextHops: + static: + - ip: "172.18.0.8" + - ip: "172.18.0.9" +---- + +In the following example, the `AdminPolicyBasedExternalRoute` object configures a dynamic external gateway. The IP addresses used for the external gateway are derived from the additional network attachments associated with each of the selected pods. + +[source,yaml] +---- +apiVersion: k8s.ovn.org/v1 +kind: AdminPolicyBasedExternalRoute +metadata: + name: shadow-traffic-policy +spec: + from: + namespaceSelector: + matchLabels: + externalTraffic: "" + nextHops: + dynamic: + - podSelector: + matchLabels: + gatewayPod: "" + namespaceSelector: + matchLabels: + shadowTraffic: "" + networkAttachmentName: shadow-gateway + - podSelector: + matchLabels: + gigabyteGW: "" + namespaceSelector: + matchLabels: + gatewayNamespace: "" + networkAttachmentName: gateway +---- + +In the following example, the `AdminPolicyBasedExternalRoute` object configures both static and dynamic external gateways. 
+ +[source,yaml] +---- +apiVersion: k8s.ovn.org/v1 +kind: AdminPolicyBasedExternalRoute +metadata: + name: multi-hop-policy +spec: + from: + namespaceSelector: + matchLabels: + trafficType: "egress" + nextHops: + static: + - ip: "172.18.0.8" + - ip: "172.18.0.9" + dynamic: + - podSelector: + matchLabels: + gatewayPod: "" + namespaceSelector: + matchLabels: + egressTraffic: "" + networkAttachmentName: gigabyte +---- diff --git a/modules/nw-secondary-ext-gw-about.adoc b/modules/nw-secondary-ext-gw-about.adoc index 4294f6b4cbf4..5156b0f66d7f 100644 --- a/modules/nw-secondary-ext-gw-about.adoc +++ b/modules/nw-secondary-ext-gw-about.adoc 
@@ -2,20 +2,21 @@ // // * networking/ovn_kubernetes_network_provider/configuring-secondary-external-gateway.adoc -:_mod-docs-content-type: PROCEDURE +:_mod-docs-content-type: CONCEPT [id="nw-secondary-ext-gw-about_{context}"] = How {product-title} determines the external gateway IP address -You configure a secondary external gateway with the `AdminPolicyBasedExternalRoute` custom resource (CR) from the `k8s.ovn.org` API group. The CR supports static and dynamic approaches to specifying an external gateway's IP address. +[role="_abstract"] +You configure a secondary external gateway with the `AdminPolicyBasedExternalRoute` custom resource (CR) from the `k8s.ovn.org` API group. The CR supports static and dynamic approaches for specifying an IP address for an external gateway. -Each namespace that a `AdminPolicyBasedExternalRoute` CR targets cannot be selected by any other `AdminPolicyBasedExternalRoute` CR. A namespace cannot have concurrent secondary external gateways. - -Changes to policies are isolated in the controller. If a policy fails to apply, changes to other policies do not trigger a retry of other policies. Policies are only re-evaluated, applying any differences that might have occurred by the change, when updates to the policy itself or related objects to the policy such as target namespaces, pod gateways, or namespaces hosting them from dynamic hops are made. +Each namespace that an `AdminPolicyBasedExternalRoute` CR targets cannot be selected by any other `AdminPolicyBasedExternalRoute` CR. A namespace cannot have concurrent secondary external gateways. Policies are re-evaluated when updates occur to the policy itself or to related objects, applying any differences from the changes. Related objects include target namespaces, pod gateways, or the namespaces that host them from dynamic hops. Static assignment:: You specify an IP address directly. 
Dynamic assignment:: You specify an IP address indirectly, with namespace and pod selectors, and an optional network attachment definition. -+ --- -- If the name of a network attachment definition is provided, the external gateway IP address of the network attachment is used. -- If the name of a network attachment definition is not provided, the external gateway IP address for the pod itself is used. However, this approach works only if the pod is configured with `hostNetwork` set to `true`. --- + +[IMPORTANT] +==== +If the name of a network attachment definition is provided, the external gateway IP address of the network attachment is used. + +If the name of a network attachment definition is not provided, the external gateway IP address for the pod itself is used. However, this approach works only if the pod is configured with `hostNetwork` set to `true`. +==== diff --git a/modules/nw-secondary-ext-gw-object.adoc b/modules/nw-secondary-ext-gw-object.adoc index bcd37d65b0e3..1632434b2483 100644 --- a/modules/nw-secondary-ext-gw-object.adoc +++ b/modules/nw-secondary-ext-gw-object.adoc @@ -2,11 +2,14 @@ // // * networking/ovn_kubernetes_network_provider/configuring-secondary-external-gateway.adoc -:_mod-docs-content-type: CONCEPT +:_mod-docs-content-type: REFERENCE [id="nw-secondary-ext-gw-object_{context}"] = AdminPolicyBasedExternalRoute object configuration -You can define an `AdminPolicyBasedExternalRoute` object, which is cluster scoped, with the following properties. A namespace can be selected by only one `AdminPolicyBasedExternalRoute` CR at a time. +[role="_abstract"] +You can define an `AdminPolicyBasedExternalRoute` object, which is cluster scoped, with certain properties. A namespace can be selected by only one `AdminPolicyBasedExternalRoute` CR at a time. + +These supported properties for an `AdminPolicyBasedExternalRoute` object are listed as follows: .`AdminPolicyBasedExternalRoute` object [cols=".^3,.^2,.^5a",options="header"] 
@@ -81,13 +84,12 @@ Specifies the destinations where the packets are forwarded to. Must be either or |`podSelector` |`string` | -Specifies a [set-based](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#set-based-requirement) label selector to filter the pods in the namespace that match this network configuration. +Specifies a set-based label selector to filter the pods in the namespace that match this network configuration. For more information, see "Set-based requirement" in the _Additional resources_ section. |`namespaceSelector` |`string` | Specifies a `set-based` selector to filter the namespaces that the `podSelector` applies to. You must specify a value for this field. - |`bfdEnabled` |`boolean` |Optional: Specifies whether Bi-Directional Forwarding Detection (BFD) is supported by the network. The default value is `false`. 
@@ -95,86 +97,6 @@ Specifies a [set-based](https://kubernetes.io/docs/concepts/overview/working-wit |`networkAttachmentName` |`string` | -Optional: Specifies the name of a network attachment definition. The name must match the list of logical networks associated with the pod. If this field is not specified, the host network of the pod is used. However, the pod must be configure as a host network pod to use the host network. +Optional: Specifies the name of a network attachment definition. The name must match the list of logical networks associated with the pod. If this field is not specified, the host network of the pod is used. However, the pod must be configured as a host network pod to use the host network. |==== - -[id="example-secondary-external-gateway-configurations_{context}"] -== Example secondary external gateway configurations - -In the following example, the `AdminPolicyBasedExternalRoute` object configures two static IP addresses as external gateways for pods in namespaces with the `kubernetes.io/metadata.name: novxlan-externalgw-ecmp-4059` label. - -[source,yaml] ----- -apiVersion: k8s.ovn.org/v1 -kind: AdminPolicyBasedExternalRoute -metadata: - name: default-route-policy -spec: - from: - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: novxlan-externalgw-ecmp-4059 - nextHops: - static: - - ip: "172.18.0.8" - - ip: "172.18.0.9" ----- - -In the following example, the `AdminPolicyBasedExternalRoute` object configures a dynamic external gateway. The IP addresses used for the external gateway are derived from the additional network attachments associated with each of the selected pods. 
- -[source,yaml] ----- -apiVersion: k8s.ovn.org/v1 -kind: AdminPolicyBasedExternalRoute -metadata: - name: shadow-traffic-policy -spec: - from: - namespaceSelector: - matchLabels: - externalTraffic: "" - nextHops: - dynamic: - - podSelector: - matchLabels: - gatewayPod: "" - namespaceSelector: - matchLabels: - shadowTraffic: "" - networkAttachmentName: shadow-gateway - - podSelector: - matchLabels: - gigabyteGW: "" - namespaceSelector: - matchLabels: - gatewayNamespace: "" - networkAttachmentName: gateway ----- - -In the following example, the `AdminPolicyBasedExternalRoute` object configures both static and dynamic external gateways. - -[source,yaml] ----- -apiVersion: k8s.ovn.org/v1 -kind: AdminPolicyBasedExternalRoute -metadata: - name: multi-hop-policy -spec: - from: - namespaceSelector: - matchLabels: - trafficType: "egress" - nextHops: - static: - - ip: "172.18.0.8" - - ip: "172.18.0.9" - dynamic: - - podSelector: - matchLabels: - gatewayPod: "" - namespaceSelector: - matchLabels: - egressTraffic: "" - networkAttachmentName: gigabyte ----- diff --git a/networking/ovn_kubernetes_network_provider/configuring-secondary-external-gateway.adoc b/networking/ovn_kubernetes_network_provider/configuring-secondary-external-gateway.adoc index 926d4fd72ee0..bba927eef722 100644 --- a/networking/ovn_kubernetes_network_provider/configuring-secondary-external-gateway.adoc +++ b/networking/ovn_kubernetes_network_provider/configuring-secondary-external-gateway.adoc @@ -6,9 +6,10 @@ include::_attributes/common-attributes.adoc[] toc::[] +[role="_abstract"] As a cluster administrator, you can configure an external gateway on the default network. -This feature offers the following benefits: +The external gateway feature offers the following benefits: - Granular control over egress traffic on a per-namespace basis - Flexible configuration of static and dynamic external gateway IP addresses 
@@ -24,11 +25,19 @@ include::modules/nw-secondary-ext-gw-about.adoc[leveloffset=+1] include::modules/nw-secondary-ext-gw-object.adoc[leveloffset=+1] +[role="_additional-resources"] +[id="additional-resources_{context}"] +== Additional resources + +* link:https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#set-based-requirement[Set-based requirement (Kubernetes documentation)] + +include::/modules/example-secondary-external-gateway-configurations.adoc[leveloffset=+1] + include::modules/nw-secondary-ext-gw-configure.adoc[leveloffset=+1] // TODO - Resolve this after OCP 4.14 is released //include::modules/nw-secondary-ext-gw-status.adoc[leveloffset=+1] -[id="{context}_additional-resources"] +[role="_additional-resources"] == Additional resources * xref:../../networking/multiple_networks/understanding-multiple-networks.adoc#understanding-multiple-networks[Understanding multiple networks]
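Review bot: in the new-file hunk for `modules/example-secondary-external-gateway-configurations.adoc`, the three example policies are presented as independent illustrations, but nothing says they are not meant to coexist; `shadow-traffic-policy` selects namespaces by `externalTraffic: ""` and `multi-hop-policy` by `trafficType: "egress"`, so a namespace carrying both labels would be selected by two CRs, which the about module in this same patch states is not permitted ("A namespace cannot have concurrent secondary external gateways"). Suggest a sentence after the abstract stating that the examples are alternatives and that each policy's `from.namespaceSelector` must select namespaces that no other `AdminPolicyBasedExternalRoute` CR selects.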
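Review bot: in the `nw-secondary-ext-gw-about.adoc` hunk (`@@ -2,20 +2,21 @@`), the rewritten second paragraph drops the statement that policy changes are isolated in the controller and that a policy which failed to apply is not retried when other policies change; that failure-isolation behaviour is operationally relevant (an operator has to update the failed policy or one of its related objects to trigger a retry) and is not restated anywhere else in the patch, so it should be kept, for example as a sentence before "Policies are re-evaluated when updates occur...". Separately, the `[IMPORTANT]` block replaces the `+` and `--` continuation that attached the two conditions to the `Dynamic assignment::` list item; with a blank line and no `+`, the admonition renders as a standalone block after the definition list instead of as part of the `Dynamic assignment` entry, so either keep a `+` line before `[IMPORTANT]` or reword the admonition so it names dynamic assignment explicitly.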
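Review bot: in the `nw-secondary-ext-gw-object.adoc` hunk (`@@ -2,11 +2,14 @@`), "with certain properties" is vaguer than the original "with the following properties", and the added line "These supported properties for an `AdminPolicyBasedExternalRoute` object are listed as follows:" is awkward; suggest one lead-in directly before the table title, such as "The following table lists the supported properties of an `AdminPolicyBasedExternalRoute` object."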
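Review bot: in the `@@ -81,13 +84,12 @@` hunk, the type column for `podSelector` and `namespaceSelector` still reads `string`, but the examples moved into the new module show both fields as objects with a `matchLabels` map (`podSelector:` / `matchLabels:` / `gatewayPod: ""`); since these rows are being touched, change the type to `object` so the table agrees with the examples. The two rows also now describe the same selector kind inconsistently ("set-based label selector" in plain text versus "`set-based` selector" in code font), and the new "For more information, see ..." pointer appears on only one of them; use the same wording on both rows and put the pointer on both or on neither. Replacing the markdown-style link, which does not render in AsciiDoc, with a reference to _Additional resources_ is the right fix.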
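Review bot: in the `@@ -95,86 +97,6 @@` hunk, the `networkAttachmentName` description still says the name "must match the list of logical networks associated with the pod", which reads as if the value were the whole list; suggest "must match one of the logical networks (network attachment definitions) attached to the pod". The `configure` to `configured` fix is correct. Removing the examples section from this module is fine provided the assembly includes the new module with a path that actually resolves.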
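Review bot: in the assembly hunk (`@@ -24,11 +25,19 @@`), `include::/modules/example-secondary-external-gateway-configurations.adoc[leveloffset=+1]` has a leading slash, unlike every other include in this file (`include::modules/...`), so it resolves as an absolute path and the examples module will be missing from the built assembly; drop the slash. The hunk also leaves the assembly with two `== Additional resources` sections, one inserted mid-document before the examples and configure modules and one at the end, and the new one carries `[id="additional-resources_{context}"]` while the existing one loses its `[id="{context}_additional-resources"]` anchor; move the Set-based requirement link into the final Additional resources section and keep a single id on it.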