Integrating OpenShift with Neutron networking when running inside of OpenStack Nova instances. demo recording: https://youtu.be/UKZryuTH4B0

1. OpenShift/Kuryr
Bridging the infrastructure gap
Vikas Choudhary
Antoni Segura Puimedon
Luis Tomás Bolívar

2. Hybrid workloads
One infrastructure

3. Already demoed
❏ Connectivity
❏ Pod <-> Pod
❏ Pod <-> VM
❏ Neutron ovs hybrid mode
❏ ManageIQ integration
❏ Pod networking shows up under Networks -> Network Port

4. Enter OpenShift

5. ● Open Source PaaS rebuilt
around Container Standards
● Leverages Kubernetes
● Brings SELinux isolation to
container environments
● Uses flannel when deployed on
OpenStack
● Native master HA with haproxy
in front of the masters
OpenShift on
OpenStack

6. Getting it all together

7. ● Replaces kube-proxy and
flannel
● Gets networking from the
underlying Keystone + Neutron
deployment
● Pods get security groups
applied
● Can expose services with FIPs
and the OpenShift router
● Kuryr Controller HA**
● OpenShift services get
translated to LBaaSv2 entities
that vendors can implement
OpenShift/Kuryr on
OpenStack

8. Openshift
integration
● Leverages the Kubernetes
integration
● Giving back Kuryr upstream:
○ HTTPS client support
○ Pod-in-VM via trunk
Neutron ports
○ Resource Management
● Neutron plugins:
○ ovs hybrid (tested)
○ ovs native (tested)
○ Dragonflow

9. Trunk ports
● Segments VM tap device with
containers
● Up to 4094 containers per VM
● Communication between
containers goes to the host ovs
where it gets SG
● Other segmentation types
possible
● Handled by Kuryr CNI in the VM
side and ovs-agent on the Host
side

10. Controller - CNI pod creation interaction

11. Services

12. OpenShift services
● Mapped to an OpenStack
Neutron Lbaas v2 loadbalancer
with a listener per exposed port
● Applied to both infra services
and App services
● Supports ClusterIP and
Loadbalancer* type
● By default uses Round Robin
policy for giving access to the
service pods
● Reachable by the Nova
instances of the cluster

13. OpenShift router
● Runs as a service with one or
more pods on the Host
networking
● Runs haproxy to direct traffic to
the exposed service endpoints
● Allows mapping arbitrary
hostnames to services
● HTTP and HTTPS support
● Gets networked by Kuryr by a
load balancer, two listeners and
a FIP
● Needs a DNS server to have a
wildcard entry pointing to the
FIP
# OpenShift router
local-zone: "demo.kuryr.org" redirect
local-data: "demo.kuryr.org. IN A 10.12.21.70"

14. Controller - OpenStack ClusterIP service interaction

15. Demo

16. Kuryr Kubernetes demo

17. Demo functionality
❏ Connectivity
❏ Pod-in-VM <-> Pod-in-VM
❏ Pod-in-VM -> ClusterIP service
❏ VM <-> Pod-in-another-VM
❏ Services
❏ ClusterIP type
❏ Replica resizing
❏ Neutron ovs native mode

18. Stay tuned
❏ Connectivity
❏ Pod <-> Pod
❏ Pod <-> VM
❏ Pod-in-VM (vlan trunk mode)
❏ Neutron native ovs firewall driver
❏ Services
❏ LBaaSv2 based service implementation*
❏ Replica scaling*
❏ OpenShift router support**
❏ Loadbalancer type
❏ Resource Management
❏ Pod resource reusal

19. Stay tuned (2/2)
❏ HA
❏ Active - Passive Controller
❏ Multi homed
❏ Pods with multiple Neutron networks
❏ Pods with dpdk
❏ Ironic integration

20. Q&A