| 1 | +// Module included in the following assemblies: |
| 2 | +// |
| 3 | +// * virt/vm_networking/virt-connecting-vm-to-linux-bridge.adoc |
| 4 | + |
| 5 | +:_mod-docs-content-type: PROCEDURE |
| 6 | +[id="virt-linux-bridge-nad-port-isolation.adoc_{context}"] |
| 7 | += Enabling port isolation for a Linux bridge NAD |
| 8 | + |
| 9 | +You can enable port isolation for a Linux bridge network attachment definition (NAD) so that virtual machines (VMs) that run on the same virtual LAN (VLAN) can operate in isolation from one another. The Linux bridge NAD creates a virtual bridge, or _virtual switch_, between network interfaces and the physical network. The Linux bridge NAD configures port numbers on the virtual bridge so that only specific traffic can reach each port. Isolating ports in this way can provide enhanced security, efficient resource use, and performance improvements for VM workloads that run on the same node. |
| 10 | + |
| 11 | +Before you enable port isolation, you must disable hairpin traffic from reaching the isolated ports. |
| 12 | + |
| 13 | +.Prerequisites |
| 14 | + |
| 15 | +* You created Linux bridge NAD by using either the web console or the command-line interface. |
| 16 | +
|
| 17 | +.Procedure |
| 18 | + |
| 19 | +. Edit the Linux bridge NAD by setting `portIsolation` to `true`: |
| 20 | ++ |
| 21 | +[source,yaml] |
| 22 | +---- |
| 23 | +apiVersion: "k8s.cni.cncf.io/v1" |
| 24 | +kind: NetworkAttachmentDefinition |
| 25 | +metadata: |
| 26 | + name: bridge-network |
| 27 | + annotations: |
| 28 | + k8s.v1.cni.cncf.io/resourceName: bridge.network.kubevirt.io/br1 |
| 29 | +spec: |
| 30 | + config: | |
| 31 | + { |
| 32 | + "cniVersion": "0.3.1", |
| 33 | + "name": "bridge-network", <1> |
| 34 | + "type": "bridge", <2> |
| 35 | + "bridge": "br1", <3> |
| 36 | + "portIsolation": "true" <4> |
| 37 | + } |
| 38 | +# ... |
| 39 | +---- |
| 40 | +<1> The name for the configuration. The name must match the the value in the `metadata.name` of the NAD. |
| 41 | +<2> The actual name of the Container Network Interface (CNI) plugin that provides the network for this network attachment definition. Do not change this field unless you want to use a different CNI. |
| 42 | +<3> The name of the Linux bridge that is configured on the node. The name should match the interface bridge name defined in the NodeNetworkConfigurationPolicy manifest. |
| 43 | +<4> Enables or disables port isolation on the virtual bridge. Default value is `false`. When set to `true`, each targeted VM is assigned to a specific port number. The virtual bridge prevents traffic from one isolated port from reaching another port. |
| 44 | + |
| 45 | + |
| 46 | + |
| 47 | + |
| 48 | + |
| 49 | + |
| 50 | + |
| 51 | + |
| 52 | +. Add the bridge interface and the network attachment definition to the VM configuration as in the following example: |
| 53 | ++ |
| 54 | +[source,yaml] |
| 55 | +---- |
| 56 | +apiVersion: kubevirt.io/v1 |
| 57 | +kind: VirtualMachine |
| 58 | +metadata: |
| 59 | + name: example-vm |
| 60 | +spec: |
| 61 | + template: |
| 62 | + spec: |
| 63 | + domain: |
| 64 | + devices: |
| 65 | + interfaces: |
| 66 | + - bridge: {} |
| 67 | + name: bridge-net <1> |
| 68 | +# ... |
| 69 | + networks: |
| 70 | + - name: bridge-net <2> |
| 71 | + multus: |
| 72 | + networkName: a-bridge-network <3> |
| 73 | +---- |
| 74 | +<1> The name of the bridge interface. |
| 75 | +<2> The name of the network. This value must match the `name` value of the corresponding `spec.template.spec.domain.devices.interfaces` entry. |
| 76 | +<3> The name of the network attachment definition. |
| 77 | + |
| 78 | +. Apply the configuration: |
| 79 | ++ |
| 80 | +[source,terminal] |
| 81 | +---- |
| 82 | +$ oc apply -f example-vm.yaml |
| 83 | +---- |
| 84 | + |
| 85 | +. Optional: If you edited a running virtual machine, you must restart it for the changes to take effect. |
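Review bot: the example NAD on line 36 sets `"portIsolation": "true"` as a JSON string; the bridge CNI plugin's `portIsolation` field is a boolean, so the value should be unquoted (`"portIsolation": true`) to match the step text on line 19 ("setting `portIsolation` to `true`") and the `false` default stated in callout 4. Two cross-reference problems in the same hunk: the VM example on line 72 uses `networkName: a-bridge-network`, but the NAD created on line 26 is named `bridge-network`, so the two examples do not work together as written; and line 11 says hairpin traffic must be disabled before enabling port isolation, yet neither the Prerequisites nor any step covers it and the NAD example does not show the `hairpinMode` setting, so add either a prerequisite or a step for that. Smaller points: line 40 has "the the"; callouts 4 and the intro on line 9 describe port isolation as assigning "port numbers" to VMs, whereas the Linux bridge feature is a per-port isolated flag that stops isolated ports from forwarding to one another, so consider rewording; line 85 reads "Optional: ... you must restart", which is contradictory (drop "Optional:" or soften "must"); the `id` on line 6 carries a stray `.adoc` suffix; and lines 44 to 51 are trailing blank lines that can be collapsed to one.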