github.com/openshift/installer@v1.4.17/docs/user/openstack/provider_networks.md

# Provider Networks


## Table of Contents
- [Provider Networks](#provider-networks)
  - [Table of Contents](#table-of-contents)
  - [Introduction](#introduction)
  - [Prerequisites](#prerequisites)
  - [Considerations when creating provider networks](#considerations-when-creating-provider-networks)
  - [Deploying cluster with primary interface on a provider network with IPI](#deploying-cluster-with-primary-interface-on-a-provider-network-with-ipi)


## Introduction

Provider networks map directly to an existing physical network in a data center.
Examples of network types include flat (untagged), VLAN (802.1Q tagged) and VXLAN.
OpenShift clusters that are installed on provider networks do not require tenant networks or floating IP addresses (FIPs),
so the OpenShift installer does not create these resources during installation.
More information about provider network terminology can be found [here][1].

Here is a basic architecture of one OCP cluster running on a provider network and another one
on a tenant network:

![OCP on a provider network](provider-network.png)


## Prerequisites

* The [Neutron service][2] is enabled and accessible through the [OpenStack Networking API][3].
* The Neutron service is configured with the [port-security and allowed-address-pairs][4] extensions so the installer can
  add the `allowed_address_pairs` attribute to ports. Without it, Neutron's anti-spoofing rules would drop traffic for
  the API and Ingress VIPs, which are carried by control plane ports that do not own those addresses.


## Considerations when creating provider networks

* The provider network has to be shared with other tenants, otherwise Nova won't be able to request ports on that external
  network. For more details, see [BZ#1933047][5].

        openstack network create --share (...)

  `--share` makes the network usable by every project in the cloud. To limit that exposure, create [RBAC][6] rules
  (`access_as_shared` targeted at a specific project) so that the network can only be used by the project that
  installs OpenShift.


* The project that you use to install OpenShift must own the provider network.

    The provider network and its subnet must be owned by the project named in `clouds.yaml` that is used to install
    OpenShift, not by `admin`. If they are owned by `admin`, Terraform fails to create ports on the network, and you
    would have to run the installer as the admin user instead.

    Example commands to create a network and subnet for a project that is named `openshift`:

        openstack network create --project openshift (...)
        openstack subnet create --project openshift (...)

    More information about how to create provider networks can be found [here][7].

* Make sure that the provider network can reach the Nova metadata IP (169.254.169.254). Depending on the OpenStack
  SDN and on how Neutron is configured (for example, whether the DHCP servers advertise a route to the metadata
  service), this may require adding the route when creating the subnet:

        openstack subnet create --dhcp --host-route destination=169.254.169.254/32,gateway=$ROUTER_IP (...)

> **Note**
> We're working on removing the nova-metadata requirement but for now it is
> mandatory and must be reachable from the provider network.


    71  
    72  
    73  ## Deploying cluster with primary interface on a provider network with IPI
    74  
    75  
    76  - Considerations: make sure all prerequisites documented previously have been met.
    77  
    78  - Create install-config.yaml:
    79  
    80      - Set `platform.openstack.apiVIP` to the IP address for the API VIP.
    81      - Set `platform.openstack.ingressVIP` to the IP address for the Ingress VIP.
    82      - Set `platform.openstack.controlPlanePort.fixedIPs.subnet.id` to the subnet ID of the provider network subnet and/or `platform.openstack.controlPlanePort.fixedIPs.subnet.name` to the name of the provider network.
    83      - Set `networking.machineNetwork.cidr` to the CIDR of the provider network subnet.
    84  
    85      > **Note**
    86      > `platform.openstack.apiVIP` and `platform.openstack.ingressVIP` both need to
    87      > be an unassigned IP address on the `networking.machineNetwork.cidr`.
    88  
    89      Example:
    90  
    91          (...)
    92          platform:
    93            openstack:
    94              apiVIP: <IP address in the provider network reserved for the API VIP>
    95              ingressVIP: <IP address in the provider network reserved for the Ingress VIP>
    96              controlPlanePort:
    97                fixedIPs:
    98                  - subnet:
    99                    id: <provider network subnet ID>
   100              (...)
   101          networking:
   102            machineNetwork:
   103            - cidr: <provider network subnet CIDR>
   104  
   105  - Run the OpenShift installer:
   106  
   107        ./openshift-install create cluster --log-level debug
   108  
   109  - Wait for the installer to complete.
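The script below is an added example, not code from the OpenShift installer or from this repository. It turns the considerations above (ownership, sharing and RBAC scope, port security, metadata route) and the install-config VIP rules into an offline preflight check. The network, subnet, RBAC and install-config objects are constructed to mirror the shape of `openstack network show -f json`, `openstack subnet show -f json`, `openstack network rbac list --long -f json` and the YAML fragment above; every ID, name and address in them is made up, the JSON key names are assumptions to verify against your CLI version, and the "VIP must lie outside any DHCP allocation pool" rule is this example's stricter reading of "unassigned".

```python
"""Offline preflight for an OpenShift IPI install on an OpenStack provider network.

Added example, not part of the installer. Sample objects are constructed and their
key names are assumptions modelled on `openstack ... -f json` output.
"""
import ipaddress

METADATA_ROUTE = "169.254.169.254/32"
INSTALLER_PROJECT_ID = "7d3e1a2b5c6f4e8d9a0b1c2d3e4f5a6b"   # project from clouds.yaml (constructed)

# Constructed `openstack network show -f json` / `openstack subnet show -f json` output.
NETWORK = {"id": "0d4c9b2e-1111-4a5b-8c9d-2e3f4a5b6c7d", "name": "provider-vlan100",
           "project_id": INSTALLER_PROJECT_ID, "port_security_enabled": True}
SUBNET = {
    "id": "a1b2c3d4-2222-4e5f-9a0b-1c2d3e4f5a6b", "name": "provider-vlan100-subnet",
    "network_id": NETWORK["id"], "project_id": INSTALLER_PROJECT_ID,
    "cidr": "192.0.2.0/24", "gateway_ip": "192.0.2.1",
    "allocation_pools": [{"start": "192.0.2.10", "end": "192.0.2.99"}],
    "host_routes": [{"destination": METADATA_ROUTE, "nexthop": "192.0.2.1"}],
}
# Constructed `openstack network rbac list --long -f json` output: a share scoped to one
# project. `openstack network create --share` would instead produce a "*" target.
RBAC_RULES = [{"Object Type": "network", "Object ID": NETWORK["id"],
               "Action": "access_as_shared", "Target Project": INSTALLER_PROJECT_ID}]
# Constructed install-config.yaml fragment, as a dict.
INSTALL_CONFIG = {
    "platform": {"openstack": {
        "apiVIP": "192.0.2.5", "ingressVIP": "192.0.2.6",
        "controlPlanePort": {"fixedIPs": [{"subnet": {"id": SUBNET["id"]}}]}}},
    "networking": {"machineNetwork": [{"cidr": "192.0.2.0/24"}]},
}


def check_network(network, subnet, rbac_rules, project_id):
    """Return (errors, warnings) for the 'Considerations' section of the page."""
    errors, warnings = [], []
    if network["project_id"] != project_id:
        errors.append("network is not owned by the installer project")
    if subnet["project_id"] != project_id:
        errors.append("subnet is not owned by the installer project")
    if subnet["network_id"] != network["id"]:
        errors.append("subnet does not belong to the network")
    if not network["port_security_enabled"]:
        errors.append("port security is disabled, so allowed_address_pairs "
                      "cannot be set on the control plane ports")
    # Who can use the network: collect access_as_shared targets for this network.
    targets = {r["Target Project"] for r in rbac_rules
               if r["Object Type"] == "network" and r["Object ID"] == network["id"]
               and r["Action"] == "access_as_shared"}
    if not targets:
        errors.append("network is not shared; Nova cannot create ports on it (BZ#1933047)")
    elif "*" in targets:
        warnings.append("network is shared with every project; replace the wildcard "
                        "with an RBAC rule targeting the installer project")
    elif project_id not in targets:
        errors.append("network is shared, but not with the installer project")
    if not any(r["destination"] == METADATA_ROUTE for r in subnet["host_routes"]):
        warnings.append("no host route to 169.254.169.254; confirm the metadata "
                        "service is reachable some other way")
    return errors, warnings


def check_install_config(cfg, subnet):
    """Return errors for the VIP and subnet settings of install-config.yaml."""
    errors = []
    osp = cfg["platform"]["openstack"]
    machine_net = ipaddress.ip_network(cfg["networking"]["machineNetwork"][0]["cidr"])
    if machine_net != ipaddress.ip_network(subnet["cidr"]):
        errors.append("machineNetwork.cidr does not match the provider subnet")
    refs = [f["subnet"] for f in osp["controlPlanePort"]["fixedIPs"]]
    if not any(s.get("id") == subnet["id"] or s.get("name") == subnet["name"] for s in refs):
        errors.append("controlPlanePort.fixedIPs does not reference the provider subnet")
    pools = [(ipaddress.ip_address(p["start"]), ipaddress.ip_address(p["end"]))
             for p in subnet["allocation_pools"]]
    reserved = {machine_net.network_address, machine_net.broadcast_address,
                ipaddress.ip_address(subnet["gateway_ip"])}
    for key in ("apiVIP", "ingressVIP"):
        vip = ipaddress.ip_address(osp[key])
        if vip not in machine_net:
            errors.append(f"{key} {vip} is outside {machine_net}")
        elif vip in reserved:
            errors.append(f"{key} {vip} is the network, broadcast or gateway address")
        # Assumption of this example: an address inside a DHCP pool is not "unassigned",
        # because DHCP may later hand it to a node.
        if any(lo <= vip <= hi for lo, hi in pools):
            errors.append(f"{key} {vip} lies inside a DHCP allocation pool")
    if osp["apiVIP"] == osp["ingressVIP"]:
        errors.append("apiVIP and ingressVIP must be different addresses")
    return errors
```

Run `check_network(NETWORK, SUBNET, RBAC_RULES, INSTALLER_PROJECT_ID)` and `check_install_config(INSTALL_CONFIG, SUBNET)` before `openshift-install create cluster`; with the sample data both return no errors, while a wildcard share produces a warning rather than an error because it satisfies BZ#1933047 but exposes the network to every project.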
   110  
   111  
   112  [1]: <https://docs.openstack.org/neutron/latest/admin/archives/adv-features.html#provider-networks>
   113  [2]: <https://docs.openstack.org/neutron>
   114  [3]: <https://docs.openstack.org/api-ref/network>
   115  [4]: <https://docs.openstack.org/api-ref/network/v2/#allowed-address-pairs>
   116  [5]: <https://bugzilla.redhat.com/show_bug.cgi?id=1933047>
   117  [6]: <https://docs.openstack.org/neutron/latest/admin/config-rbac.html>
   118  [7]: <https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/16.1/html/networking_guide/sec-networking-concepts#provider-networks>