OpenShift/Kuryr
Bridging the infrastructure gap
Vikas Choudhary
Antoni Segura Puimedon
Luis Tomás Bolívar
Hybrid workloads
One infrastructure
Already demoed
❏ Connectivity
  ❏ Pod <-> Pod
  ❏ Pod <-> VM
❏ Neutron ovs hybrid mode
❏ ManageIQ integration
  ❏ Pod networking shows up under Networks -> Network Port
Enter OpenShift
● Open Source PaaS rebuilt around Container Standards
● Leverages Kubernetes
● Brings SELinux isolation to container environments
● Uses flannel when deployed on OpenStack
● Native master HA with haproxy in front of the masters
OpenShift on OpenStack
Getting it all together
● Replaces kube-proxy and flannel
● Gets networking from the underlying Keystone + Neutron deployment
● Pods get security groups applied
● Can expose services with FIPs and the OpenShift router
● Kuryr Controller HA**
● OpenShift services get translated to LBaaSv2 entities that vendors can implement
OpenShift/Kuryr on OpenStack
OpenShift integration
● Leverages the Kubernetes integration
● Giving back Kuryr upstream:
  ○ HTTPS client support
  ○ Pod-in-VM via trunk Neutron ports
  ○ Resource Management
● Neutron plugins:
  ○ ovs hybrid (tested)
  ○ ovs native (tested)
  ○ Dragonflow
Trunk ports
● Segments the VM tap device among its containers
● Up to 4094 containers per VM
● Communication between containers goes to the host ovs, where security groups (SG) are applied
● Other segmentation types possible
● Handled by Kuryr CNI on the VM side and ovs-agent on the host side
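An added example (not Kuryr's own code) of the bookkeeping the trunk-port slide implies: each pod created inside a VM gets its own VLAN subport on the VM's trunk (parent) port, the 802.1Q range caps this at 4094 per VM, and the request body follows the shape of Neutron's trunk `add_subports` call. The trunk and port ids are constructed placeholders.

```python
# Added example (not Kuryr's own code): hand out one VLAN id per pod-in-VM
# on the VM's trunk port and build the Neutron "add_subports" request body.
from dataclasses import dataclass, field
from typing import Dict, Set

VLAN_MIN, VLAN_MAX = 1, 4094  # 802.1Q ids: at most 4094 subports per trunk


@dataclass
class TrunkVlanAllocator:
    """Tracks which VLAN ids are in use on one VM's trunk (parent) port."""
    trunk_id: str                                   # constructed placeholder id
    used: Set[int] = field(default_factory=set)
    pods: Dict[str, int] = field(default_factory=dict)  # pod name -> vlan id

    def allocate(self, pod_name: str, subport_id: str) -> dict:
        """Pick the lowest free VLAN id and return the add_subports body."""
        if pod_name in self.pods:
            raise ValueError(f"{pod_name} already has VLAN {self.pods[pod_name]}")
        for vid in range(VLAN_MIN, VLAN_MAX + 1):
            if vid not in self.used:
                break
        else:
            # All 4094 ids are taken: this VM cannot host another pod.
            raise RuntimeError(f"trunk {self.trunk_id} has no free VLAN ids")
        self.used.add(vid)
        self.pods[pod_name] = vid
        # Shape of the Neutron trunk API body (PUT .../trunks/{id}/add_subports)
        return {"sub_ports": [{"port_id": subport_id,
                               "segmentation_type": "vlan",
                               "segmentation_id": vid}]}

    def release(self, pod_name: str) -> int:
        """Free the VLAN id when the pod is deleted so it can be reused."""
        vid = self.pods.pop(pod_name)
        self.used.discard(vid)
        return vid
```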
Controller - CNI pod creation interaction
Services
OpenShift services
● Mapped to an OpenStack Neutron LBaaS v2 loadbalancer with a listener per exposed port
● Applied to both infra services and App services
● Supports ClusterIP and LoadBalancer* types
● By default uses a Round Robin policy for giving access to the service pods
● Reachable by the Nova instances of the cluster
OpenShift router
● Runs as a service with one or more pods on the Host networking
● Runs haproxy to direct traffic to the exposed service endpoints
● Allows mapping arbitrary hostnames to services
● HTTP and HTTPS support
● Gets networked by Kuryr by a load balancer, two listeners and a FIP
● Needs a DNS server to have a wildcard entry pointing to the FIP
# OpenShift router
local-zone: "demo.kuryr.org" redirect
local-data: "demo.kuryr.org. IN A 10.12.21.70"
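An added example (not Kuryr's own code) of the service mapping described on the two slides above: a Kubernetes Service and its Endpoints become one LBaaS v2 loadbalancer whose VIP is the ClusterIP, a listener per exposed port, a ROUND_ROBIN pool per listener and a member per endpoint address, so the router service with HTTP and HTTPS yields exactly two listeners. The subnet ids, the constructed listener ids and the sample Service/Endpoints objects are assumptions; Neutron assigns real UUIDs.

```python
# Added example (not Kuryr's own code): translate a Kubernetes Service plus
# its Endpoints into Neutron LBaaS v2 request bodies: loadbalancer (VIP =
# ClusterIP), one listener + ROUND_ROBIN pool per port, one member per pod.
from typing import Dict, List


def _endpoint_ports(subset: dict, svc_port: dict) -> List[int]:
    """Endpoints ports backing this service port, matched by port name."""
    return [p["port"] for p in subset.get("ports", [])
            if p.get("name") == svc_port.get("name")]


def service_to_lbaas(service: dict, endpoints: dict,
                     vip_subnet_id: str, member_subnet_id: str) -> Dict[str, list]:
    name = service["metadata"]["name"]
    lb = {"name": name, "vip_subnet_id": vip_subnet_id,
          "vip_address": service["spec"]["clusterIP"]}
    out = {"loadbalancers": [lb], "listeners": [], "pools": [], "members": []}
    for svc_port in service["spec"]["ports"]:
        proto = svc_port.get("protocol", "TCP")
        # LBaaS v2 listeners are TCP/HTTP/HTTPS/TERMINATED_HTTPS only; no UDP.
        if proto != "TCP":
            raise ValueError(f"{name}: LBaaS v2 cannot expose {proto}/{svc_port['port']}")
        # Constructed ids; Neutron assigns real UUIDs when the objects are created.
        lid = f"{name}/listener/{svc_port['port']}"
        out["listeners"].append({"id": lid, "loadbalancer_id": name, "protocol": proto,
                                 "protocol_port": svc_port["port"]})
        out["pools"].append({"id": lid, "listener_id": lid, "protocol": proto,
                             "lb_algorithm": "ROUND_ROBIN"})  # slide default
        for subset in endpoints.get("subsets", []):
            for addr in subset.get("addresses", []):
                for ep_port in _endpoint_ports(subset, svc_port):
                    out["members"].append({"pool_id": lid, "address": addr["ip"],
                                           "protocol_port": ep_port,
                                           "subnet_id": member_subnet_id})
    return out


# Constructed sample: the OpenShift router service (HTTP + HTTPS) with two pods.
ROUTER_SERVICE = {"metadata": {"name": "router"},
                  "spec": {"clusterIP": "172.30.0.10",
                           "ports": [{"name": "80-tcp", "port": 80, "protocol": "TCP"},
                                     {"name": "443-tcp", "port": 443, "protocol": "TCP"}]}}
ROUTER_ENDPOINTS = {"subsets": [{"addresses": [{"ip": "10.0.0.11"}, {"ip": "10.0.0.12"}],
                                 "ports": [{"name": "80-tcp", "port": 80},
                                           {"name": "443-tcp", "port": 443}]}]}
```

Run `service_to_lbaas(ROUTER_SERVICE, ROUTER_ENDPOINTS, "vip-subnet", "pod-subnet")` to see the two listeners and four members the router slide describes; a UDP port is rejected because LBaaS v2 has no UDP listener.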
Controller - OpenStack ClusterIP service interaction
Demo
Kuryr Kubernetes demo
Demo functionality
❏ Connectivity
  ❏ Pod-in-VM <-> Pod-in-VM
  ❏ Pod-in-VM -> ClusterIP service
  ❏ VM <-> Pod-in-another-VM
❏ Services
  ❏ ClusterIP type
  ❏ Replica resizing
❏ Neutron ovs native mode
Stay tuned
❏ Connectivity
  ❏ Pod <-> Pod
  ❏ Pod <-> VM
  ❏ Pod-in-VM (vlan trunk mode)
❏ Neutron native ovs firewall driver
❏ Services
  ❏ LBaaSv2 based service implementation*
  ❏ Replica scaling*
  ❏ OpenShift router support**
  ❏ LoadBalancer type
❏ Resource Management
  ❏ Pod resource reuse
Stay tuned (2/2)
❏ HA
  ❏ Active - Passive Controller
❏ Multi homed
  ❏ Pods with multiple Neutron networks
❏ Pods with dpdk
❏ Ironic integration
Q&A

OpenShift on OpenStack with Kuryr