OpenShift/KuryrBridging the infrastructure gap

Vikas ChoudharyAntoni Segura PuimedonLuis Tomás Bolívar

Hybrid workloadsOne infrastructure

Already demoed

❏ Connectivity❏ Pod <-> Pod❏ Pod <-> VM

❏ Neutron ovs hybrid mode❏ ManageIQ integration

❏ Pod networking shows up under Networks -> Network Port

Enter OpenShift

● Open Source PaaS rebuilt around Container Standards

● Leverages Kubernetes● Brings SELinux isolation to

container environments● Uses flannel when deployed on

OpenStack● Native master HA with haproxy

in front of the masters

OpenShift on OpenStack

Getting it all together

● Replaces kube-proxy and flannel

● Gets networking from the underlying Keystone + Neutron deployment

● Pods get security groups applied

● Can expose services with FIPs and the OpenShift router

● Kuryr Controller HA**● OpenShift services get

translated to LBaaSv2 entities that vendors can implement

OpenShift/Kuryr on OpenStack

Openshift integration

● Leverages the Kubernetes integration

● Giving back Kuryr upstream:○ HTTPS client support○ Pod-in-VM via trunk

Neutron ports○ Resource Management

● Neutron plugins:○ ovs hybrid (tested)○ ovs native (tested)○ Dragonflow

Trunk ports

● Segments VM tap device with containers

● Up to 4094 containers per VM● Communication between

containers goes to the host ovs where it gets SG

● Other segmentation types possible

● Handled by Kuryr CNI in the VM side and ovs-agent on the Host side

Controller - CNI pod creation interaction

Services

OpenShift services

● Mapped to an OpenStack Neutron Lbaas v2 loadbalancer with a listener per exposed port

● Applied to both infra services and App services

● Supports ClusterIP and Loadbalancer* type

● By default uses Round Robin policy for giving access to the service pods

● Reachable by the Nova instances of the cluster

OpenShift router

● Runs as a service with one or more pods on the Host networking

● Runs haproxy to direct traffic to the exposed service endpoints

● Allows mapping arbitrary hostnames to services

● HTTP and HTTPS support● Gets networked by Kuryr by a

load balancer, two listeners and a FIP

● Needs a DNS server to have a wildcard entry pointing to the FIP

# OpenShift routerlocal-zone: "demo.kuryr.org" redirectlocal-data: "demo.kuryr.org. IN A 10.12.21.70"

Controller - OpenStack ClusterIP service interaction

Demo

Kuryr Kubernetes demo

Demo functionality

❏ Connectivity❏ Pod-in-VM <-> Pod-in-VM❏ Pod-in-VM -> ClusterIP service❏ VM <-> Pod-in-another-VM

❏ Services❏ ClusterIP type❏ Replica resizing

❏ Neutron ovs native mode

Stay tuned

❏ Connectivity❏ Pod <-> Pod❏ Pod <-> VM❏ Pod-in-VM (vlan trunk mode)❏ Neutron native ovs firewall driver

❏ Services❏ LBaaSv2 based service implementation*❏ Replica scaling*❏ OpenShift router support**❏ Loadbalancer type

❏ Resource Management❏ Pod resource reusal

Stay tuned (2/2)

❏ HA❏ Active - Passive Controller

❏ Multi homed❏ Pods with multiple Neutron networks❏ Pods with dpdk

❏ Ironic integration

Q&A