github.com/k8snetworkplumbingwg/sriov-network-operator@v1.2.1-0.20240408194816-2d2e5a45d453/doc/quickstart.md (about) 1 # Quickstart Guide 2 3 ## Prerequisites 4 5 1. A supported SRIOV hardware on the cluster nodes. Supported models can be found [here](https://github.com/k8snetworkplumbingwg/sriov-network-operator/blob/master/doc/supported-hardware.md). 6 2. Kubernetes or Openshift cluster running on bare metal nodes. 7 3. Multus-cni is deployed as default CNI plugin, and there is a default CNI plugin (flannel, openshift-sdn etc.) available for Multus-cni. 8 9 ## Installation 10 11 Make sure to have installed the Operator-SDK, as shown in its [install documentation](https://sdk.operatorframework.io/docs/installation/), and that the binaries are available in your \$PATH. 12 13 Clone this GitHub repository. 14 15 ```bash 16 go get github.com/k8snetworkplumbingwg/sriov-network-operator 17 ``` 18 19 Deploy the operator. 20 21 If you are running an Openshift cluster: 22 23 ```bash 24 make deploy-setup 25 ``` 26 27 If you are running a Kubernetes cluster: 28 ```bash 29 make deploy-setup-k8s 30 ``` 31 32 Webhooks are disabled when deploying on a Kubernetes cluster as per the instructions above. To enable webhooks on Kubernetes cluster, there are two options: 33 34 1. Create certificates for each of the two webhooks using a single CA whose cert you provide through an environment variable. 35 36 For example, given `cacert.pem`, `key.pem` and `cert.pem`: 37 ```bash 38 kubectl create ns sriov-network-operator 39 kubectl -n sriov-network-operator create secret tls operator-webhook-cert --cert=cert.pem --key=key.pem 40 kubectl -n sriov-network-operator create secret tls network-resources-injector-cert --cert=cert.pem --key=key.pem 41 export ADMISSION_CONTROLLERS_ENABLED=true 42 export ADMISSION_CONTROLLERS_CERTIFICATES_OPERATOR_CA_CRT=$(base64 -w 0 < cacert.pem) 43 export ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_CA_CRT=$(base64 -w 0 < cacert.pem) 44 make deploy-setup-k8s 45 ``` 46 47 2. Using https://cert-manager.io/, deploy it as: 48 ```bash 49 kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.3.0/cert-manager.yaml 50 ``` 51 52 Define the appropriate Issuer and Certificates, as an example: 53 ```bash 54 kubectl create ns sriov-network-operator 55 cat <<EOF | kubectl apply -f - 56 apiVersion: cert-manager.io/v1 57 kind: Issuer 58 metadata: 59 name: sriov-network-operator-selfsigned-issuer 60 namespace: sriov-network-operator 61 spec: 62 selfSigned: {} 63 --- 64 apiVersion: cert-manager.io/v1 65 kind: Certificate 66 metadata: 67 name: operator-webhook-cert 68 namespace: sriov-network-operator 69 spec: 70 secretName: operator-webhook-cert 71 dnsNames: 72 - operator-webhook-service.sriov-network-operator.svc 73 issuerRef: 74 name: sriov-network-operator-selfsigned-issuer 75 --- 76 apiVersion: cert-manager.io/v1 77 kind: Certificate 78 metadata: 79 name: network-resources-injector-cert 80 namespace: sriov-network-operator 81 spec: 82 secretName: network-resources-injector-cert 83 dnsNames: 84 - network-resources-injector-service.sriov-network-operator.svc 85 issuerRef: 86 name: sriov-network-operator-selfsigned-issuer 87 EOF 88 ``` 89 90 And then deploy the operator: 91 ```bash 92 export ADMISSION_CONTROLLERS_ENABLED=true 93 export ADMISSION_CONTROLLERS_CERTIFICATES_CERT_MANAGER_ENABLED=true 94 make deploy-setup-k8s 95 ``` 96 97 By default, the operator will be deployed in namespace 'sriov-network-operator' for Kubernetes cluster, you can check if the deployment is finished successfully. 98 99 ```bash 100 $ kubectl get -n sriov-network-operator all 101 NAME READY STATUS RESTARTS AGE 102 pod/sriov-network-config-daemon-bf9nt 1/1 Running 0 8s 103 pod/sriov-network-operator-54d7545f65-296gb 1/1 Running 0 10s 104 105 NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE 106 service/sriov-network-operator ClusterIP 10.102.53.223 <none> 8383/TCP 9s 107 108 NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE 109 daemonset.apps/sriov-network-config-daemon 1 1 1 1 1 kubernetes.io/os=linux,node-role.kubernetes.io/worker= 8s 110 111 NAME READY UP-TO-DATE AVAILABLE AGE 112 deployment.apps/sriov-network-operator 1/1 1 1 10s 113 114 NAME DESIRED CURRENT READY AGE 115 replicaset.apps/sriov-network-operator-54d7545f65 1 1 1 10s 116 ``` 117 118 You may need to label SR-IOV worker nodes using `node-role.kubernetes.io/worker` label, if not already. 119 120 **Note:** By default, SR-IOV Operator will be deployed in namespace 'openshift-sriov-network-operator' for OpenShift cluster. 121 122 ## Configuration 123 124 After the operator gets installed, you can configure it with creating the custom resource of SriovNetwork and SriovNetworkNodePolicy. But before that, you may want to check the status of SriovNetworkNodeState CRs to find out all the SRIOV capable devices in you cluster. 125 126 Here comes an example. As you can see, there are 2 SR-IOV NICs from Intel. 127 128 ```bash 129 $ kubectl get sriovnetworknodestates.sriovnetwork.openshift.io -n sriov-network-operator node-1 -o yaml 130 131 apiVersion: sriovnetwork.openshift.io/v1 132 kind: SriovNetworkNodeState 133 spec: ... 134 status: 135 interfaces: 136 - deviceID: "1572" 137 driver: i40e 138 mtu: 1500 139 pciAddress: "0000:18:00.0" 140 totalvfs: 64 141 vendor: "8086" 142 - deviceID: "1572" 143 driver: i40e 144 mtu: 1500 145 pciAddress: "0000:18:00.1" 146 totalvfs: 64 147 vendor: "8086" 148 ``` 149 150 You can choose the NIC you want when creating SriovNetworkNodePolicy CR, by specifying the 'nicSelector'. 151 152 ```yaml 153 apiVersion: sriovnetwork.openshift.io/v1 154 kind: SriovNetworkNodePolicy 155 metadata: 156 name: policy-1 157 namespace: sriov-network-operator 158 spec: 159 nodeSelector: 160 feature.node.kubernetes.io/network-sriov.capable: "true" 161 resourceName: intelnics 162 priority: 99 163 mtu: 9000 164 numVfs: 2 165 nicSelector: 166 deviceID: "1572" 167 rootDevices: 168 - 0000:18:00.1 169 vendor: "8086" 170 deviceType: netdevice 171 ``` 172 173 After applying your SriovNetworkNodePolicy CR, check the status of SriovNetworkNodeState again, you should be able to see the NIC has been configured as instructed. 174 175 ```bash 176 $ kubectl get sriovnetworknodestates.sriovnetwork.openshift.io -n sriov-network-operator node-1 -o yaml 177 178 ... 179 - Vfs: 180 - deviceID: 1572 181 driver: iavf 182 pciAddress: 0000:18:02.0 183 vendor: "8086" 184 - deviceID: 1572 185 driver: iavf 186 pciAddress: 0000:18:02.1 187 vendor: "8086" 188 - deviceID: 1572 189 driver: iavf 190 pciAddress: 0000:18:02.2 191 vendor: "8086" 192 deviceID: "1583" 193 driver: i40e 194 mtu: 1500 195 numVfs: 3 196 pciAddress: 0000:18:00.0 197 totalvfs: 64 198 vendor: "8086" 199 ... 200 ``` 201 202 At the same time, the SRIOV device plugin and CNI plugin has been provisioned to the worker node. You may check if resource name 'intel-nics' is reported by device plugin correctly. 203 204 ```bash 205 $ kubectl get no -o json | jq -r '[.items[] | {name:.metadata.name, allocable:.status.allocatable}]' 206 [ 207 { 208 "name": "minikube", 209 "allocable": { 210 "cpu": "72", 211 "ephemeral-storage": "965895780801", 212 "hugepages-1Gi": "0", 213 "hugepages-2Mi": "0", 214 "intel.com/intel-nics": "3", 215 "memory": "196706684Ki", 216 "openshift.io/sriov": "0", 217 "pods": "110" 218 } 219 } 220 ] 221 ``` 222 223 Now you can create a SriovNetwork CR which refer to the 'resourceName' defined in SriovNetworkNodePolicy. Then a NetworkAttachmentDefinition CR will be generated by operator with the same name and namespace. 224 225 Here is an example: 226 227 ```yaml 228 apiVersion: sriovnetwork.openshift.io/v1 229 kind: SriovNetwork 230 metadata: 231 name: example-sriovnetwork 232 namespace: sriov-network-operator 233 spec: 234 ipam: | 235 { 236 "type": "host-local", 237 "subnet": "10.56.217.0/24", 238 "rangeStart": "10.56.217.171", 239 "rangeEnd": "10.56.217.181", 240 "routes": [{ 241 "dst": "0.0.0.0/0" 242 }], 243 "gateway": "10.56.217.1" 244 } 245 vlan: 0 246 resourceName: intelnics 247 ``` 248 249 To remove the operator related resources. 250 251 If you are running an Openshift cluster: 252 253 ```bash 254 make undeploy 255 ``` 256 257 If you are running a Kubernetes cluster: 258 259 ```bash 260 make undeploy-k8s 261 ```