Add user document for Antrea native secondary network support #6015
Conversation
jianjuns
added
kind/documentation
jianjuns
force-pushed
the
secnet-doc
branch
4 times, most recently
from
9b4a0e4 to
39cc2ca
Compare
docs/antrea-ipam.md
Outdated
| other CNIs which are managed by Multus. The [Antrea + Multus guide](cookbooks/multus) | ||
| talks about how to use Antrea with Multus, including the option of using Antrea | ||
| IPAM for secondary networks. | ||
| For other network types, the VLAN field will be ignored. |
There was a problem hiding this comment.
| For other network types, the VLAN field will be ignored. | |
| For other network types, the VLAN field in the `IPPool ` will be ignored. |
docs/antrea-ipam.md
Outdated
| other CNIs which are managed by Multus. The [Antrea + Multus guide](cookbooks/multus) | ||
| talks about how to use Antrea with Multus, including the option of using Antrea | ||
| IPAM for secondary networks. | ||
| For other network types, the VLAN field will be ignored. |
There was a problem hiding this comment.
question: I am not sure what happens if the network type is vlan but there is no provided vlan (neither in the IPPool nor in the NetworkAttachmentDefinition), or if there are 2 subnets with different vlans in the IPPool?
There was a problem hiding this comment.
We default to VLAN 0, I explained that when describing NetworkAttachmentDefinition.
Antrea IPAM code returns the first non-zero VLAN in the configured IPPool subnets.
There was a problem hiding this comment.
Antrea IPAM code returns the first non-zero VLAN in the configured IPPool subnets.
But then shouldn't we have IPPool validation to prevent users from using different VLAN values in the same IPPool, or is there a use case for that?
There was a problem hiding this comment.
I meant two IPPools with different VLAN IDs, as you can specify multiple IPPools per Network, e.g. one for IPv4 and one IPv6.
docs/secondary-network.md
Outdated
|
|
||
| Starting with Antrea v1.15, Antrea can also provision secondary network | ||
| interfaces and connect them to VLAN networks. This document describes Antrea's | ||
| native support of VLAN secondary networks. |
docs/secondary-network.md
Outdated
| in the `antrea-agent` configuration. If you need IPAM for the secondary | ||
| interfaces, you should also enable the `AntreaIPAM` feature gate in both | ||
| `antrea-agent` and `antrea-controller` configuration. At the moment, Antrea IPAM | ||
| is only available IPAM option for secondary networks managed by Antrea. The |
There was a problem hiding this comment.
is the only available option
docs/secondary-network.md
Outdated
| network's `config`, `antrea-agent` will configure the VLAN ID to the OVS port, | ||
| so the interface's traffic will be isolated within the VLAN. And before the | ||
| traffic is forwarded out the Node via the secondary bridge's physical interface, | ||
| OVS will insert the VLAN tag to the packets. |
There was a problem hiding this comment.
s/to the packets/in the packets
docs/secondary-network.md
Outdated
| A few extra notes about the NetworkAttachmentDefinition `config` fields: | ||
|
|
||
| * `type` - must be set to `antrea`. | ||
| * `networkType` - the only supported network type is `VLAN` as of now. |
There was a problem hiding this comment.
is it case sensitive? You use vlan in the examples
There was a problem hiding this comment.
vlan makes sense. Changed.
docs/secondary-network.md
Outdated
|
|
||
| * `type` - must be set to `antrea`. | ||
| * `networkType` - the only supported network type is `VLAN` as of now. | ||
| * `mtu` - defaults to 1500 is not set. |
There was a problem hiding this comment.
s/is not set/if not set
docs/secondary-network.md
Outdated
| * `networkType` - the only supported network type is `VLAN` as of now. | ||
| * `mtu` - defaults to 1500 is not set. | ||
| * `vlan` - can be set to 0 or a valid VLAN ID (1 - 4094). Defaults to 0. Also | ||
| note, VLAN can be speficied in the spec of an IPPool in the `ipam` section too; |
There was a problem hiding this comment.
s/speficied/specified
For this sentence, I would just use:
The VLAN ID can also be specified as part of the spec of an IPPool referenced in the
ipamsection
docs/secondary-network.md
Outdated
| `k8s.v1.cni.cncf.io/networks` annotation to the Pod. The following example Pod | ||
| includes two secondary interfaces, one in network `vlan100` which should be | ||
| created in the same Namespace as the Pod, the other in network `vlan200` which | ||
| is created in Namespace `default`. |
There was a problem hiding this comment.
nit: given that the Namespace of the Pod is actually default, I would recommend using a different Namespace (either for the Pod or for the network), to emphasize that cross-Namespace references are possible.
There was a problem hiding this comment.
Changed to networks. Let me know if you have a better Namespace name.
docs/secondary-network.md
Outdated
| labels: | ||
| app: antrea-secondary-network-demo | ||
| annotations: | ||
| k8s.v1.cni.cncf.io/networks: [vlan100, {name: vlan200, namespace: networks, interface: eth200"] |
There was a problem hiding this comment.
the annotation value doesn't look right to me. There is an orphan " at the end, and if the annotation is JSON, then all the strings should be quoted
There was a problem hiding this comment.
You are right. Fixed it and added an example of a Pod with a single secondary interface.
docs/secondary-network.md
Outdated
|
|
||
| At the moment, Antrea supports only a single OVS bridge for secondary networks, | ||
| and supports only a single physical interface on the bridge. The physical | ||
| interface cannot be the Node's management interface, otherwise a Node's |
There was a problem hiding this comment.
you may have missed that
docs/secondary-network.md
Outdated
| secondary OVS bridge on the Node. If a non-zero VLAN is speficied in the | ||
| network's `config`, `antrea-agent` will configure the VLAN ID to the OVS port, | ||
| so the interface's traffic will be isolated within the VLAN. And before the | ||
| traffic is forwarded out the Node via the secondary bridge's physical interface, |
docs/antrea-ipam.md
Outdated
| other CNIs which are managed by Multus. The [Antrea + Multus guide](cookbooks/multus) | ||
| talks about how to use Antrea with Multus, including the option of using Antrea | ||
| IPAM for secondary networks. | ||
| For other network types, the VLAN field will be ignored. |
There was a problem hiding this comment.
Antrea IPAM code returns the first non-zero VLAN in the configured IPPool subnets.
But then shouldn't we have IPPool validation to prevent users from using different VLAN values in the same IPPool, or is there a use case for that?
docs/secondary-network.md
Outdated
| ``` | ||
|
|
||
| If the Pod has only a single secondary network interface, you can also set | ||
| the `k8s.v1.cni.cncf.io/networks` annotatin to `<network-name>`, |
Signed-off-by: Jianjun Shen <[email protected]>
I checked the IPPool validation code. Seems we do not validate VLANs of all IP ranges should be same. In this case, the resulted VLAN will come from the IP range used to allocate the interface IP. In 2.0, with the planned IPPool spec changes, an IPPool will have a single shared VLAN (and subnet and gateway), and this will not be problem any more. |
|
/skip-all |
Issue: #5278