openshift on openstack with kuryr
TRANSCRIPT
OpenShift/Kuryr: Bridging the infrastructure gap
Vikas Choudhary, Antoni Segura Puimedon, Luis Tomás Bolívar
Hybrid workloads, one infrastructure
Already demoed
❏ Connectivity
  ❏ Pod <-> Pod
  ❏ Pod <-> VM
❏ Neutron ovs hybrid mode
❏ ManageIQ integration
  ❏ Pod networking shows up under Networks -> Network Port
Enter OpenShift
● Open Source PaaS rebuilt around Container Standards
● Leverages Kubernetes
● Brings SELinux isolation to container environments
● Uses flannel when deployed on OpenStack
● Native master HA with haproxy in front of the masters
OpenShift on OpenStack
Getting it all together
● Replaces kube-proxy and flannel
● Gets networking from the underlying Keystone + Neutron deployment
● Pods get security groups applied
● Can expose services with FIPs and the OpenShift router
● Kuryr Controller HA**
● OpenShift services get translated to LBaaSv2 entities that vendors can implement
OpenShift/Kuryr on OpenStack
Openshift integration
● Leverages the Kubernetes integration
● Giving back Kuryr upstream:
  ○ HTTPS client support
  ○ Pod-in-VM via trunk Neutron ports
  ○ Resource Management
● Neutron plugins:
  ○ ovs hybrid (tested)
  ○ ovs native (tested)
  ○ Dragonflow
Trunk ports
● Segments VM tap device with containers
● Up to 4094 containers per VM
● Communication between containers goes to the host ovs where it gets SG
● Other segmentation types possible
● Handled by Kuryr CNI in the VM side and ovs-agent on the Host side
Controller - CNI pod creation interaction
Services
OpenShift services
● Mapped to an OpenStack Neutron Lbaas v2 loadbalancer with a listener per exposed port
● Applied to both infra services and App services
● Supports ClusterIP and Loadbalancer* type
● By default uses Round Robin policy for giving access to the service pods
● Reachable by the Nova instances of the cluster
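The Service-to-LBaaS v2 mapping described on this slide, plus the member reconciliation a replica resize implies, as an added illustration (not code from Kuryr or from the talk). The data shapes and the sample service below are constructed for the example; only the "one loadbalancer, one listener per port, Round Robin pool" structure comes from the slides.

```python
from dataclasses import dataclass, field

ROUND_ROBIN = "ROUND_ROBIN"  # default pool algorithm named on the slide

@dataclass
class Listener:
    protocol: str
    port: int          # port exposed on the VIP
    target_port: int   # port the pods actually listen on
    algorithm: str = ROUND_ROBIN
    members: set = field(default_factory=set)  # pool members: (pod_ip, target_port)

@dataclass
class LoadBalancer:
    name: str
    vip: str                                       # the Service's ClusterIP
    listeners: dict = field(default_factory=dict)  # keyed by (protocol, port)

def service_to_lbaas(service, endpoints):
    """One loadbalancer whose VIP is the ClusterIP, one listener per exposed
    port, one ROUND_ROBIN pool per listener holding the endpoint pods."""
    lb = LoadBalancer(name=service["name"], vip=service["clusterIP"])
    for p in service["ports"]:
        listener = Listener(p["protocol"], p["port"], p["targetPort"])
        listener.members = {(ip, p["targetPort"]) for ip in endpoints}
        lb.listeners[(p["protocol"], p["port"])] = listener
    return lb

def reconcile(lb, endpoints):
    """Replica resize: compute the member additions/removals per listener that
    make every pool match the current endpoint set, then apply them."""
    plan = {}
    for key, listener in lb.listeners.items():
        wanted = {(ip, listener.target_port) for ip in endpoints}
        plan[key] = {"add": sorted(wanted - listener.members),
                     "remove": sorted(listener.members - wanted)}
        listener.members = wanted
    return plan

# Constructed sample input (hypothetical, not from the slides): a two-port ClusterIP service
SERVICE = {"name": "frontend", "clusterIP": "172.30.0.10",
           "ports": [{"protocol": "TCP", "port": 80, "targetPort": 8080},
                     {"protocol": "TCP", "port": 443, "targetPort": 8443}]}

if __name__ == "__main__":
    lb = service_to_lbaas(SERVICE, ["10.0.0.5", "10.0.0.6"])
    print(reconcile(lb, ["10.0.0.6", "10.0.0.7"]))  # one pod replaced per listener
```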
OpenShift router
● Runs as a service with one or more pods on the Host networking
● Runs haproxy to direct traffic to the exposed service endpoints
● Allows mapping arbitrary hostnames to services
● HTTP and HTTPS support
● Gets networked by Kuryr by a load balancer, two listeners and a FIP
● Needs a DNS server to have a wildcard entry pointing to the FIP
# OpenShift router
local-zone: "demo.kuryr.org" redirect
local-data: "demo.kuryr.org. IN A 10.12.21.70"
Controller - OpenStack ClusterIP service interaction
Demo
Kuryr Kubernetes demo
Demo functionality
❏ Connectivity
  ❏ Pod-in-VM <-> Pod-in-VM
  ❏ Pod-in-VM -> ClusterIP service
  ❏ VM <-> Pod-in-another-VM
❏ Services
  ❏ ClusterIP type
  ❏ Replica resizing
❏ Neutron ovs native mode
Stay tuned
❏ Connectivity
  ❏ Pod <-> Pod
  ❏ Pod <-> VM
  ❏ Pod-in-VM (vlan trunk mode)
  ❏ Neutron native ovs firewall driver
❏ Services
  ❏ LBaaSv2 based service implementation*
  ❏ Replica scaling*
  ❏ OpenShift router support**
  ❏ Loadbalancer type
❏ Resource Management
  ❏ Pod resource reuse
Stay tuned (2/2)
❏ HA
  ❏ Active - Passive Controller
❏ Multi homed
  ❏ Pods with multiple Neutron networks
  ❏ Pods with dpdk
❏ Ironic integration
Q&A