Provider networks map directly to an existing physical network in a data center. Examples of network types include flat (untagged), VLAN (802.1Q tagged) and VXLAN. OpenShift clusters that are installed on provider networks do not require tenant networks or floating IP addresses (FIPs). Therefore, the OpenShift installer does not create these resources during installation. More information about provider network terminology can be found here.
Here is a basic architecture of one OCP cluster running on a provider network and another one on a tenant network:
- The Neutron service is enabled and accessible through the OpenStack Networking API.
- The Neutron service is configured with the `port-security` and `allowed-address-pairs` extensions so the installer can add the `allowed_address_pairs` attribute to ports.
- The provider network has to be shared with other tenants, otherwise Nova won't be able to request ports on that external network. For more details, see BZ#1933047.

  ```sh
  openstack network create --share (...)
  ```

  To secure that network, it is advised to create RBAC rules so the network can only be used by a specific project.
- The project that you use to install OpenShift must own the provider network. The provider network and the subnet must be owned by the project that is used to install OpenShift (the one from `clouds.yaml`) rather than by `admin`. If they are owned by `admin`, Terraform will fail to create the ports on the network, and you will have to run the installer as the admin user instead. Example commands to create a network and subnet for a project that is named `openshift`:

  ```sh
  openstack network create --project openshift (...)
  openstack subnet create --project openshift (...)
  ```

  More information about how to create provider networks can be found here.
- You'll have to make sure that the provider network can reach the metadata IP (169.254.169.254). Depending on the OpenStack SDN and on how Neutron is configured (e.g. whether DHCP servers provide metadata network routes), this might require providing the route when creating the subnet:

  ```sh
  openstack subnet create --dhcp --host-route destination=169.254.169.254/32,gateway=$ROUTER_IP (...)
  ```

  Note: We're working on removing the nova-metadata requirement, but for now it is strongly required to be enabled in the cloud and reachable from the provider network.
- Considerations: make sure all prerequisites documented previously have been met.
- Create `install-config.yaml`:
  - Set `platform.openstack.apiVIP` to the IP address for the API VIP.
  - Set `platform.openstack.ingressVIP` to the IP address for the Ingress VIP.
  - Set `platform.openstack.machinesSubnet` to the subnet ID of the provider network subnet.
  - Set `networking.machineNetwork.cidr` to the CIDR of the provider network subnet.

  Note: `platform.openstack.apiVIP` and `platform.openstack.ingressVIP` both need to be an unassigned IP address on the `networking.machineNetwork.cidr`.

  Example:

  ```yaml
  (...)
  platform:
    openstack:
      apiVIP: <IP address in the provider network reserved for the API VIP>
      ingressVIP: <IP address in the provider network reserved for the Ingress VIP>
      machinesSubnet: <provider network subnet ID>
  (...)
  networking:
    machineNetwork:
    - cidr: <provider network subnet CIDR>
  ```

- Run the OpenShift installer:

  ```sh
  ./openshift-install create cluster --log-level debug
  ```

- Wait for the installer to complete.
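The install-config fields above can be sanity-checked before running the installer, in particular the note that both VIPs must be unassigned addresses inside `networking.machineNetwork.cidr`. The following pre-flight validator is an added example and is not part of the installer or this page; it assumes the file has already been loaded into a dict (for instance with PyYAML's `yaml.safe_load`) and that the caller optionally passes the fixed IPs already in use on the subnet (for example collected from `openstack port list --network <net>`). The sample config and subnet ID below are constructed placeholders.

```python
import ipaddress

# Constructed sample of the install-config.yaml fields this page sets (not a real cluster).
# In practice load the real file with PyYAML (yaml.safe_load) and pass the resulting dict.
SAMPLE_CONFIG = {
    "platform": {"openstack": {
        "apiVIP": "192.0.2.10",
        "ingressVIP": "192.0.2.11",
        "machinesSubnet": "<provider network subnet ID placeholder>",
    }},
    "networking": {"machineNetwork": [{"cidr": "192.0.2.0/24"}]},
}

def validate_install_config(cfg, assigned_ips=()):
    """Return problems found in the provider-network fields of cfg (empty list = OK).
    assigned_ips: addresses already in use on the provider subnet (e.g. fixed IPs from
    `openstack port list --network <net>`), so a VIP colliding with a port is flagged."""
    problems = []
    osp = cfg.get("platform", {}).get("openstack", {})
    if not osp.get("machinesSubnet"):
        problems.append("platform.openstack.machinesSubnet is not set")
    # Parse every machineNetwork CIDR; strict=True rejects host bits set in the prefix.
    cidrs = []
    for entry in cfg.get("networking", {}).get("machineNetwork", []):
        try:
            cidrs.append(ipaddress.ip_network(entry.get("cidr", ""), strict=True))
        except ValueError:
            problems.append(f"invalid machineNetwork cidr: {entry.get('cidr')!r}")
    if not cidrs:
        problems.append("networking.machineNetwork.cidr is not set")
    taken = set(assigned_ips)
    for name in ("apiVIP", "ingressVIP"):
        value = osp.get(name)
        if not value:
            problems.append(f"platform.openstack.{name} is not set")
            continue
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            problems.append(f"{name} {value!r} is not a valid IP address")
            continue
        # The VIP must be a usable host address inside one of the machine networks.
        net = next((n for n in cidrs if ip in n), None)
        if net is None:
            problems.append(f"{name} {value} is outside networking.machineNetwork.cidr")
        elif ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name} {value} is the network or broadcast address")
        if value in taken:
            problems.append(f"{name} {value} is already assigned on the provider subnet")
    if osp.get("apiVIP") and osp.get("apiVIP") == osp.get("ingressVIP"):
        problems.append("apiVIP and ingressVIP must be different addresses")
    return problems
```

An empty result means the fields are consistent with the requirements listed above; it does not replace checking the subnet's allocation pool and existing ports in Neutron.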