5 Network Overlay for Kubernetes

5.1 Overview

This chapter covers how Kubernetes integrates with OVN to use the same GENEVE overlay network as OpenStack, preventing double encapsulation and providing unified networking for both VMs and containers.

Note: For definitions of terms used in this chapter, see the Glossary.

5.2 OVN-Kubernetes CNI

OVN-Kubernetes is a CNI (Container Network Interface) plugin that integrates Kubernetes with OVN’s control plane and data plane. It allows Kubernetes pods to use the same GENEVE overlay network as OpenStack VMs.

5.2.1 Key Benefits

Single Overlay Network: Both OpenStack VMs and Kubernetes pods use the same GENEVE overlay
No Double Encapsulation: Pods and VMs share the same network infrastructure
Unified Control Plane: OVN manages networking for both platforms
Consistent Policies: OVN security groups apply to both pods and VMs
Simplified Operations: One network stack to manage

5.3 Architecture

5.3.1 How It Works

┌─────────────────────────────────────────────────────────┐
│              Unified GENEVE Overlay                     │
│                                                         │
│  ┌──────────────┐         ┌──────────────┐              │
│  │ OpenStack VM │         │ K8s Pod      │              │
│  │ (via OVN)    │◄───────►│ (via OVN-K8s)│              │
│  └──────────────┘         └──────────────┘              │
│         │                        │                      │
│         └──────────┬─────────────┘                      │
│                    │                                    │
│              GENEVE Encapsulation                       │
│              (Same TEP, Same Overlay)                   │
└─────────────────────────────────────────────────────────┘
                    │
                    │ IP packets
                    │
┌─────────────────────────────────────────────────────────┐
│              Pure L3 BGP/ECMP Underlay                  │
└─────────────────────────────────────────────────────────┘

5.3.2 Components

OVN-Kubernetes CNI Plugin
- Runs on each Kubernetes node
- Integrates with OVN control plane
- Configures pod networking using OVN logical switches
OVN Control Plane
- Same OVN Northbound/Southbound databases used by OpenStack
- Manages logical networks for both VMs and pods
- Provides unified network policies
OVS Data Plane
- Same OVS instances handle both VM and pod traffic
- GENEVE encapsulation/decapsulation for both
- Uses same TEP (host loopback IP)

5.4 Configuration

5.4.1 Prerequisites

OVN already deployed for OpenStack
OVN Northbound and Southbound databases accessible
Kubernetes cluster deployed on same hosts (or separate)

5.4.2 OVN-Kubernetes Setup

# Install OVN-Kubernetes CNI
# (Specific steps depend on Kubernetes distribution)

# Configure OVN-Kubernetes to use existing OVN databases
# Point to same OVN Northbound/Southbound databases as OpenStack

5.4.3 Network Policies

OVN security groups and ACLs apply to both: - OpenStack VMs (via Neutron) - Kubernetes pods (via OVN-Kubernetes)

This provides consistent security policies across both platforms.

5.5 Benefits for OpenStack DC Network

5.5.1 Unified Networking

Single TEP per host: Both VMs and pods use the same loopback IP as TEP
Same GENEVE overlay: No separate overlay networks needed
Shared infrastructure: Same physical network, same switches, same routing

5.5.2 Operational Simplicity

One control plane: OVN manages everything
One data plane: OVS handles all traffic
Consistent troubleshooting: Same tools and techniques

5.5.3 Performance

No double encapsulation: Pods don’t need separate overlay
Efficient routing: Direct pod-to-VM communication via GENEVE
Optimal bandwidth: Shared infrastructure utilization

5.6 References

--- title: "Network Overlay for Kubernetes" --- ## Overview This chapter covers how **Kubernetes integrates with OVN** to use the same GENEVE overlay network as OpenStack, preventing double encapsulation and providing unified networking for both VMs and containers. > **Note**: For definitions of terms used in this chapter, see the [Glossary](./glossary.qmd). ## OVN-Kubernetes CNI **OVN-Kubernetes** is a CNI (Container Network Interface) plugin that integrates Kubernetes with OVN's control plane and data plane. It allows Kubernetes pods to use the same GENEVE overlay network as OpenStack VMs. ### Key Benefits 1. **Single Overlay Network**: Both OpenStack VMs and Kubernetes pods use the same GENEVE overlay 2. **No Double Encapsulation**: Pods and VMs share the same network infrastructure 3. **Unified Control Plane**: OVN manages networking for both platforms 4. **Consistent Policies**: OVN security groups apply to both pods and VMs 5. **Simplified Operations**: One network stack to manage ## Architecture ### How It Works ``` ┌─────────────────────────────────────────────────────────┐ │ Unified GENEVE Overlay │ │ │ │ ┌──────────────┐ ┌──────────────┐ │ │ │ OpenStack VM │ │ K8s Pod │ │ │ │ (via OVN) │◄───────►│ (via OVN-K8s)│ │ │ └──────────────┘ └──────────────┘ │ │ │ │ │ │ └──────────┬─────────────┘ │ │ │ │ │ GENEVE Encapsulation │ │ (Same TEP, Same Overlay) │ └─────────────────────────────────────────────────────────┘ │ │ IP packets │ ┌─────────────────────────────────────────────────────────┐ │ Pure L3 BGP/ECMP Underlay │ └─────────────────────────────────────────────────────────┘ ``` ### Components 1. **OVN-Kubernetes CNI Plugin** - Runs on each Kubernetes node - Integrates with OVN control plane - Configures pod networking using OVN logical switches 2. **OVN Control Plane** - Same OVN Northbound/Southbound databases used by OpenStack - Manages logical networks for both VMs and pods - Provides unified network policies 3. **OVS Data Plane** - Same OVS instances handle both VM and pod traffic - GENEVE encapsulation/decapsulation for both - Uses same TEP (host loopback IP) ## Configuration ### Prerequisites - OVN already deployed for OpenStack - OVN Northbound and Southbound databases accessible - Kubernetes cluster deployed on same hosts (or separate) ### OVN-Kubernetes Setup ```bash # Install OVN-Kubernetes CNI # (Specific steps depend on Kubernetes distribution) # Configure OVN-Kubernetes to use existing OVN databases # Point to same OVN Northbound/Southbound databases as OpenStack ``` ### Network Policies OVN security groups and ACLs apply to both: - OpenStack VMs (via Neutron) - Kubernetes pods (via OVN-Kubernetes) This provides consistent security policies across both platforms. ## Benefits for OpenStack DC Network ### Unified Networking - **Single TEP per host**: Both VMs and pods use the same loopback IP as TEP - **Same GENEVE overlay**: No separate overlay networks needed - **Shared infrastructure**: Same physical network, same switches, same routing ### Operational Simplicity - **One control plane**: OVN manages everything - **One data plane**: OVS handles all traffic - **Consistent troubleshooting**: Same tools and techniques ### Performance - **No double encapsulation**: Pods don't need separate overlay - **Efficient routing**: Direct pod-to-VM communication via GENEVE - **Optimal bandwidth**: Shared infrastructure utilization ## References - [OVN-Kubernetes Documentation](https://github.com/ovn-org/ovn-kubernetes) - [OVN Architecture](https://www.ovn.org/en/architecture/) - [OpenStack OVN Documentation](https://docs.redhat.com/en/documentation/red_hat_openstack_platform/14/html-single/networking_with_open_virtual_network/index)