Today we will talk about the networking part of OpenShift: how projects behave towards each other and how they are bound to the cluster network.
When we install OpenShift version 3.5 or above, we get the flexibility to choose the network policy plug-in. By default OpenShift bundles three network plug-ins with the product, and only one of them can be active at a time as the cluster network.
OVS-SUBNET : This is the default network plug-in, which is deployed and configured in your cluster at installation time if you don't choose any of the other available options. It configures a flat network in which all pods and services have open access to each other; that means a pod can talk to a pod that belongs to a different application and sits in a different project.
OVS-MULTITENANT : This option is the second most popular and the recommended one for enterprise clusters running production workloads, because it enforces an extra level of security in a cluster that hosts critical applications/pods from different customers (shared hosting, or a shared OpenShift cluster hosting your application), where you want nobody outside your project to be able to talk to your application pods.
So how does this happen? In this approach a project-level segregation is enforced: each project has a VNID, a unique id dedicated to that project, and pods in other projects running with a different VNID are not able to talk to its pods.
Wait, if nobody can communicate outside their own project, then how do the projects pull their images from the registry, which runs in the default project, and how do the routers, which also run in the default project, talk to the other pods to serve application requests?
Yes, you guessed it right. OpenShift gives the default project an exception so that it can communicate across the whole cluster and provide these basic services to it. Hence the default project gets the special VNID, "VNID 0".
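The VNID rules above can be checked from the command line. The script below is an added example and not part of the original post: it audits the output of `oc get netnamespaces` (the object that stores each project's VNID in 3.x), flags any project other than `default` that sits on VNID 0 and therefore reaches every pod in the cluster, and lists VNIDs shared by several projects. The sample netnamespace output is constructed to mirror the command's column layout, and the project names in it are invented; the `oc adm pod-network` wrappers at the end are the administrative commands for the ovs-multitenant plug-in and are not run here.

```shell
#!/bin/sh
# Added example, not code from the original post.
# The ovs-multitenant plug-in is selected with
#   networkPluginName: redhat/openshift-ovs-multitenant
# in master-config.yaml and node-config.yaml; once it is active every project
# gets a NetNamespace object carrying its VNID.

# Constructed sample of `oc get netnamespaces` (NAME, NETID, EGRESS IPS).
# "legacy-app" on VNID 0 is a deliberate example of a misconfiguration.
SAMPLE_NETNAMESPACES='NAME           NETID      EGRESS IPS
default        0
project-a      12345678
project-b      12345678
project-c      9876543
legacy-app     0'

# Only "default" is expected to be global (VNID 0); adjust if your cluster
# deliberately made other projects global with make-projects-global.
EXPECTED_GLOBAL="default"

# Print every project on VNID 0 that is not in EXPECTED_GLOBAL.
# Any name printed here can reach pods in all projects.
unexpected_global_projects() {
    printf '%s\n' "$1" | awk -v expected="$EXPECTED_GLOBAL" '
        BEGIN { split(expected, e, " "); for (i in e) ok[e[i]] = 1 }
        NR > 1 && $2 == 0 && !($1 in ok) { print $1 }'
}

# Print each VNID used by more than one project, followed by the project
# names, e.g. "12345678 project-a project-b". Those projects were joined
# (join-projects) and can talk to each other's pods.
shared_vnid_projects() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $2 != 0 { members[$2] = members[$2] " " $1; count[$2]++ }
        END { for (id in count) if (count[id] > 1) print id members[id] }'
}

# Wrappers around the real administrative commands (ovs-multitenant only).
# They are not invoked here; call them where `oc` is logged in as cluster-admin.
join_projects()   { oc adm pod-network join-projects --to="$1" "$2"; }   # $2 takes $1's VNID
isolate_project() { oc adm pod-network isolate-projects "$1"; }          # back to a unique VNID
make_global()     { oc adm pod-network make-projects-global "$1"; }      # VNID 0, reachable by all

# Run the audit on the constructed sample. On a live cluster replace the
# sample with:  oc get netnamespaces
echo "Projects unexpectedly on VNID 0:"
unexpected_global_projects "$SAMPLE_NETNAMESPACES"
echo "VNIDs shared by several projects:"
shared_vnid_projects "$SAMPLE_NETNAMESPACES"
```

Both checks read the netnamespace table rather than the pods, so they are cheap to run periodically; a project that unexpectedly shows up on VNID 0 can be returned to its own VNID with `isolate_project`.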
OVS-NETWORK-POLICY : This option gives users some flexibility to configure their own isolation policies between projects, for example if you want pod A sitting in project A to be exposed only to pod B running in project B.
External SDN : Nowadays there are many third-party SDNs available for OpenShift, each supported in the cluster with its own set of benefits and flexibility, for example Flannel, Contiv, Nuage and Kuryr.
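The "pod A only exposed to project B" case above is expressed on the ovs-networkpolicy plug-in with two NetworkPolicy objects: a deny-all-ingress baseline for the project, plus an allow rule, because NetworkPolicy rules are additive. The script below is an added example, not code from the original post: it renders those manifests so they can be piped to `oc apply -f -`. The project names `project-a` and `project-b`, the pod label `app=pod-a` and the namespace label `name=project-b` are assumptions; OpenShift does not label namespaces by default, so the label has to be applied first with `oc label namespace project-b name=project-b`. Narrowing the allowed source further to a single pod inside project B needs a `podSelector` alongside the `namespaceSelector` in the same `from` entry, which only clusters whose Kubernetes level supports that combination will accept.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Renders NetworkPolicy manifests for the ovs-networkpolicy plug-in.

# Deny all ingress to every pod in project $1. With no other policy selecting
# a pod, this leaves it unreachable, also from routers in the default project,
# so an allow rule for the namespace labelled name=default is usually added too.
deny_all_ingress() {
    cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: $1
spec:
  podSelector: {}
  policyTypes:
  - Ingress
EOF
}

# Allow ingress to pods labelled app=$3 in project $1 only from pods that live
# in a namespace labelled name=$2 (the label is assumed to have been applied).
allow_from_namespace() {
    cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-$3-from-$2
  namespace: $1
spec:
  podSelector:
    matchLabels:
      app: $3
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: $2
EOF
}

# isolate_to_project TARGET_PROJECT SOURCE_PROJECT TARGET_APP
# Emits the deny baseline and the allow rule as one multi-document stream.
isolate_to_project() {
    deny_all_ingress "$1"
    echo "---"
    allow_from_namespace "$1" "$2" "$3"
}

# Print the manifests for the example from the post. To apply them:
#   isolate_to_project project-a project-b pod-a | oc apply -f -
isolate_to_project project-a project-b pod-a
```

After applying, `oc get networkpolicy -n project-a` should list both objects; pods in project C, which match no allow rule, are dropped by the deny baseline while pods from project B still reach `app=pod-a`.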
At last, please don't forget to subscribe for the upcoming informative posts, and do post your questions and feedback as comments on this post. Cheers!