k8s-best-practices-openshift-operations.adoc

Operations that shall be executed by OpenShift

The application should not require NET_ADMIN capability to perform the following administrative operations:

Setting the MTU

• Configure the MTU for the cluster network, also known as the OVN or Openshift-SDN network, by modifying the manifests generated by openshift-installer before deploying the cluster. See Changing the MTU for the cluster network for more information.

• Configure additional networks managed by the Cluster Network Operator by using NetworkAttachmentDefinition resources generated by the Cluster Network Operator. See Using high performance multicast for more information.

• Configure SR-IOV interfaces by using the SR-IOV Network Operator, see Configuring an SR-IOV network device for more information.

Modifying link state

• All the links should be set up before attaching it to a pod.

Assigning IP/MAC addresses

• For all the networks, the IP/MAC address should be assigned to the interface during pod creation.

• MULTUS also allows users to override the IP/MAC address. Refer to Attaching a pod to an additional network for more information.

Manipulating pod route tables

• By default, the default route of the pod will point to the cluster network, with or without the additional networks. MULTUS also allows users to override the default route of the pod. Refer to Attaching a pod to an additional network for more information.

• Non-default routes can be added to pod routing tables by various IPAM CNI plugins during pod creation.

Setting SR/IOV VFs

The SR-IOV Network Operator also supports configuring the following parameters for SR-IOV VFs. Refer to Configuring an SR-IOV Ethernet network attachment for more information.

• vlan

• linkState

• maxTxRate

• minRxRate

• vlanQoS

• spoofChk

• trust

Configuring multicast

In OpenShift, multicast is supported for both the default interface (OVN or OpenShift-SDN) and the additional interfaces such as macvlan, SR-IOV, etc. Multicast is disabled by default. To enable it, refer to the following procedures:

• Enabling multicast for a project

• Configuring an SR-IOV interface for multicast

• If your application works as a multicast source and you want to utilize the additional interfaces to carry the multicast traffic, then you don’t need the NET_ADMIN capability. Follow the instructions in Using high performance multicast to set the correct multicast route in the pod’s routing table.