1 of 22

OpenShift/Kuryr

Bridging the infrastructure gap

Antoni Segura Puimedon

Luis Tomás Bolívar

Daniel Mellado Area

2 of 22

Hybrid workloads

One infrastructure

3 of 22

Already demoed

  • Connectivity
    • Pod-in-VM <-> Pod-in-VM
    • Pod-in-VM -> ClusterIP service
    • VM <-> Pod-in-another-VM
  • Neutron modes:
    • ovs hybrid mode
    • ovs native mode
  • Services
    • LBaaSv2 based service implementation
    • Replica scaling
    • OpenShift router support*

4 of 22

Already demoed

  • ManageIQ integration
    • Pod networking shows up under Networks -> Network Port

5 of 22

Deployment model

6 of 22

Enter OpenShift-Ansible

7 of 22

OpenShift-Ansible

  • Open Source PaaS rebuilt around Container Standards
  • Leverages Kubernetes
  • Brings SELinux isolation to container environments
  • Uses flannel when deployed on OpenStack
  • Native master HA with haproxy in front of the masters

8 of 22

Getting it all together

9 of 22

OpenShift/Kuryr on OpenStack

  • Replaces kube-proxy and flannel
  • Gets networking from the underlying Keystone + Neutron deployment
  • Pods get security groups applied
  • Can expose services with FIPs and the OpenShift router
  • Kuryr Controller HA**
  • OpenShift services get translated to LBaaSv2 entities that vendors can implement

10 of 22

OpenShift integration

  • Leverages the Kubernetes integration
  • Contributed back to Kuryr upstream:
    • HTTPS client support
    • Pod-in-VM via trunk Neutron ports
    • Resource Management
  • Neutron plugins:
    • ovs hybrid (tested)
    • ovs native (tested)
    • Dragonflow

11 of 22

Trunk ports

  • Segments the VM tap device into VLANs, one subport per container
  • Up to 4094 containers per VM (the usable 802.1Q VLAN ID range)
  • Communication between containers goes through the host ovs, where the subport's security groups are applied
  • Other segmentation types possible
  • Handled by Kuryr CNI on the VM side and ovs-agent on the host side
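The bookkeeping behind the trunk-port slide, as an added example written for this page (not Kuryr's own code): a Neutron trunk on the VM's port, one VLAN subport per pod, and a VID allocator that shows where the 4094 limit comes from and what happens when it is reached. The `openstack network trunk set --subport` and `ip link ... type vlan` commands are real CLI syntax; the class names, the `eth0` NIC name, the idempotent-retry behaviour and every trunk, port and pod identifier are assumptions constructed for the example.

```python
"""Trunk-port bookkeeping for pods running inside a VM.

Added illustration, not Kuryr's code.  The VM's Neutron port is a trunk
parent; each pod gets its own Neutron port attached as a VLAN subport, the
CNI inside the VM hands the pod a tagged sub-interface of the VM NIC, and the
host ovs-agent enforces the subport's security groups.  802.1Q allows VIDs
1..4094, which is where "up to 4094 containers per VM" comes from.
"""
import heapq
from dataclasses import dataclass

VLAN_MIN, VLAN_MAX = 1, 4094  # VID 0 and 4095 are reserved by 802.1Q


@dataclass(frozen=True)
class Subport:
    pod: str              # namespace/name of the pod (constructed values below)
    port_id: str          # the pod's own Neutron port, assumed already created
    segmentation_id: int  # VLAN tag carried on the trunk


class Trunk:
    """One Neutron trunk: the VM's parent port plus its VLAN subports."""

    def __init__(self, trunk_id, parent_port, vm_nic="eth0"):
        self.trunk_id = trunk_id
        self.parent_port = parent_port
        self.vm_nic = vm_nic            # assumption: the VM's trunk NIC name
        self.subports = {}              # pod -> Subport
        self._free = list(range(VLAN_MIN, VLAN_MAX + 1))  # min-heap of free VIDs
        heapq.heapify(self._free)

    def capacity_left(self):
        return len(self._free)

    def allocate(self, pod, port_id):
        """Attach a pod's port as a subport on the lowest free VID (CNI ADD)."""
        if pod in self.subports:
            return self.subports[pod]   # assumption: ADD retries are idempotent
        if not self._free:
            raise RuntimeError(
                f"trunk {self.trunk_id}: all {VLAN_MAX} VLAN IDs in use")
        sp = Subport(pod, port_id, heapq.heappop(self._free))
        self.subports[pod] = sp
        return sp

    def release(self, pod):
        """Detach the pod's subport and recycle its VID (CNI DEL)."""
        sp = self.subports.pop(pod)
        heapq.heappush(self._free, sp.segmentation_id)
        return sp

    def neutron_cmd(self, sp):
        """Host side: the trunk update the controller asks Neutron for."""
        return (f"openstack network trunk set --subport "
                f"port={sp.port_id},segmentation-type=vlan,"
                f"segmentation-id={sp.segmentation_id} {self.trunk_id}")

    def vm_cmds(self, sp, netns):
        """VM side: the tagged sub-interface the CNI moves into the pod netns."""
        dev = f"{self.vm_nic}.{sp.segmentation_id}"
        return [
            f"ip link add link {self.vm_nic} name {dev} type vlan id {sp.segmentation_id}",
            f"ip link set {dev} netns {netns}",
        ]


if __name__ == "__main__":
    trunk = Trunk("trunk-1", "port-vm")          # constructed identifiers
    sp = trunk.allocate("demo/web-0", "port-web-0")
    print(trunk.neutron_cmd(sp))
    print("\n".join(trunk.vm_cmds(sp, "cni-web-0")))
```

Security groups are enforced on the host ovs per subport, so giving each pod its own Neutron port (rather than sharing the VM's) is what lets a pod be scoped by its own SG; the VLAN tag is only the demultiplexing key between VM NIC and pod.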

12 of 22

Controller - CNI pod creation interaction

13 of 22

Services

14 of 22

OpenShift services

  • Mapped to one OpenStack Neutron LBaaSv2 loadbalancer with a listener per exposed port
  • Applied to both infra services and app services
  • Supports ClusterIP and LoadBalancer* types
  • By default uses a Round Robin policy to spread traffic across the service pods
  • Reachable by the Nova instances of the cluster
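How one Service turns into LBaaSv2 objects, as an added example for this page (not Kuryr's code): one loadbalancer on the ClusterIP, a listener per exposed port, a ROUND_ROBIN pool per listener and a member per endpoint address, plus the member diff that replica scaling produces. Object naming, the dict shape used for Endpoints and the sample Service are constructed for the example; the listener protocol set is the one Neutron LBaaSv2 accepts, so a UDP Service port is rejected instead of being silently translated.

```python
"""Map an OpenShift/Kubernetes Service onto Neutron LBaaSv2 objects.

Added illustration, not Kuryr's code.  Object names, the ``endpoints`` dict
shape and the sample input below are assumptions made for this example.
"""
from dataclasses import dataclass, field

# Listener protocols Neutron LBaaSv2 accepts; a Service port using anything
# else (e.g. UDP) cannot be represented and is rejected up front.
LBAAS_PROTOCOLS = {"TCP", "HTTP", "HTTPS", "TERMINATED_HTTPS"}

# Constructed sample input: a Service exposing two ports and its Endpoints.
SERVICE = {
    "metadata": {"namespace": "demo", "name": "web"},
    "spec": {
        "clusterIP": "172.30.10.5",
        "ports": [
            {"name": "http", "protocol": "TCP", "port": 80, "targetPort": 8080},
            {"name": "https", "protocol": "TCP", "port": 443, "targetPort": "https"},
        ],
    },
}
ENDPOINTS = {
    "addresses": ["10.0.0.5", "10.0.0.6"],   # two replicas
    "ports": {"http": 8080, "https": 8443},  # resolves named targetPorts
}


@dataclass(frozen=True)
class Member:
    address: str        # pod IP from the Endpoints object
    protocol_port: int  # the Service port's targetPort


@dataclass
class Pool:
    name: str
    protocol: str
    members: set = field(default_factory=set)
    lb_algorithm: str = "ROUND_ROBIN"  # the default policy named on the slide


@dataclass
class Listener:
    name: str
    protocol: str
    protocol_port: int  # the Service's exposed port
    pool: Pool


@dataclass
class LoadBalancer:
    name: str
    vip_address: str    # the ClusterIP
    vip_subnet_id: str
    listeners: list = field(default_factory=list)


def resolve_target_port(port_spec, endpoints):
    """Numeric targetPort, falling back to port; named ones come from Endpoints."""
    target = port_spec.get("targetPort", port_spec["port"])
    return endpoints["ports"][target] if isinstance(target, str) else target


def desired_members(endpoints, target_port):
    """Member set a pool should hold for the current Endpoints."""
    return {Member(addr, target_port) for addr in endpoints["addresses"]}


def translate_service(svc, endpoints, vip_subnet_id):
    """One loadbalancer per Service, one listener plus pool per exposed port."""
    ns, name = svc["metadata"]["namespace"], svc["metadata"]["name"]
    lb = LoadBalancer(f"{ns}/{name}", svc["spec"]["clusterIP"], vip_subnet_id)
    for p in svc["spec"]["ports"]:
        proto = p.get("protocol", "TCP").upper()
        if proto not in LBAAS_PROTOCOLS:
            raise ValueError(f"{lb.name}: port {p['port']}/{proto} has no LBaaSv2 listener type")
        target = resolve_target_port(p, endpoints)
        pool = Pool(f"{lb.name}:{p['port']}:pool", proto, desired_members(endpoints, target))
        lb.listeners.append(Listener(f"{lb.name}:{p['port']}", proto, p["port"], pool))
    return lb


def reconcile_members(pool, endpoints, target_port):
    """Bring a pool in line with new Endpoints (replica scale up or down).

    Returns (added, removed) so the caller issues exactly those member
    create/delete calls against Neutron instead of rebuilding the pool.
    """
    want = desired_members(endpoints, target_port)
    added, removed = want - pool.members, pool.members - want
    pool.members = want
    key = lambda m: m.address
    return sorted(added, key=key), sorted(removed, key=key)


if __name__ == "__main__":
    lb = translate_service(SERVICE, ENDPOINTS, "vip-subnet")
    for l in lb.listeners:
        print(l.name, l.protocol, l.protocol_port, sorted(m.address for m in l.pool.members))
```

Running `reconcile_members` on every Endpoints change is the whole of "replica scaling" from Neutron's point of view: the loadbalancer, listeners and pools are stable, only members come and go.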

15 of 22

OpenShift router

  • Runs as a service with one or more pods using host networking
  • Runs haproxy to direct traffic to the exposed service endpoints
  • Allows mapping arbitrary hostnames to services
  • HTTP and HTTPS support
  • Gets networked by Kuryr through a load balancer with two listeners (HTTP and HTTPS) and a FIP
  • Needs a DNS server with a wildcard entry pointing to the FIP, e.g. (Unbound local-zone/local-data syntax):

    # OpenShift router
    local-zone: "demo.kuryr.org" redirect
    local-data: "demo.kuryr.org. IN A 10.12.21.70"

16 of 22

Controller - OpenStack ClusterIP service interaction

17 of 22

Demo

18 of 22

Kuryr Kubernetes demo

19 of 22

Demo functionality

  • Connectivity
    • Pod-in-VM <-> Pod-in-VM
    • Pod-in-VM -> ClusterIP service
    • VM <-> Pod-in-another-VM
  • Services
    • ClusterIP type
    • Replica resizing
  • Neutron ovs native mode

20 of 22

Stay tuned

  • Connectivity
    • Pod <-> Pod
    • Pod <-> VM
    • Pod-in-VM (VLAN trunk mode)
    • Neutron native ovs firewall driver
  • Services
    • LBaaSv2 based service implementation*
    • Replica scaling*
    • OpenShift router support**
    • Loadbalancer type
  • Resource Management
    • Pod resource reuse

21 of 22

Stay tuned (2/2)

  • HA
    • Active - Passive Controller
  • Multi-homed
    • Pods with multiple Neutron networks
    • Pods with DPDK
  • Ironic integration

22 of 22

Q&A