OSDOCS-14170: Created doc for enabled port isolation Linux bridge CNI… #92544
Conversation
openshift-ci-robot
added
the
jira/valid-reference
|
@dfitzmau: This pull request references OSDOCS-14170 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@dfitzmau: This pull request references OSDOCS-14170 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci
bot
added
the
size/XS
openshift-ci
bot
added
size/M
|
🤖 Thu Apr 24 13:40:40 - Prow CI generated the docs preview: |
dfitzmau
force-pushed
the
OSDOCS-14170
branch
7 times, most recently
from
1176d93 to
17fc9f6
Compare
|
@dfitzmau: This pull request references OSDOCS-14170 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
| [id="virt-linux-bridge-nad-port-isolation.adoc_{context}"] | ||
| = Enabling port isolation for a Linux bridge NAD | ||
|
|
||
| You can enable port isolation for a Linux bridge network attachment definition (NAD) so that virtual machines (VMs) that run on the same virtual LAN (VLAN) can operate in isolation from one another. When you assign an IP address to the virtual bridge, the virtual bridge can act as a gateway. The Linux bridge NAD creates a virtual bridge, or _virtual switch_, between network interfaces and the physical network. The Linux bridge NAD configures port numbers on the virtual bridge so that only specific traffic can reach each port. |
There was a problem hiding this comment.
I think this sentence can be omitted it doesnt seem related to this feature, do I miss something?
"When you assign an IP address to the virtual bridge, the virtual bridge can act as a gateway"
| "name": "bridge-network", <1> | ||
| "type": "bridge", <2> | ||
| "bridge": "br1", <3> | ||
| "hairpinMode": "true", <4> |
There was a problem hiding this comment.
This is actually enable hairpin mode, this line should be omitted because default is false.
There was a problem hiding this comment.
Updated. I add something related in the prerequisites.
| <2> The actual name of the Container Network Interface (CNI) plugin that provides the network for this network attachment definition. Do not change this field unless you want to use a different CNI. | ||
| <3> The name of the Linux bridge that is configured on the node. The name should match the interface bridge name defined in the NodeNetworkConfigurationPolicy manifest. | ||
| <4> Defaults to `false`. When set to `true`, network interfaces that interact with the virtual bridges | ||
| <5> Enables or disables port isolation on the virtual bridge. Default value is `false`. When set to `true`, each targeted VM is assigned to a specific port number. The virtual bridge prevents traffic from one isolated port from reaching another isolated port. |
There was a problem hiding this comment.
Please note this is true for pods as well.
| . Edit the Linux bridge NAD by setting `portIsolation` to `true`: | ||
| + | ||
| [source,yaml] | ||
| ---- |
There was a problem hiding this comment.
I think this example should include additional configuration that are commonly used for VMs, such as vlan, disableContainerInterface, preserveDefaultVlan
"cniVersion":"0.3.1",
"name": "bridge-network",
"type": "bridge",
"bridge": "br1",
"preserveDefaultVlan": false,
"vlan": 100,
"disableContainerInterface": "true",
"portIsolation": "true"
There was a problem hiding this comment.
Added and a description for disableContainerInterface as no description exists in the pre-existing "Creating a Linux bridge NAD by using the command line" section.
dfitzmau
force-pushed
the
OSDOCS-14170
branch
3 times, most recently
from
453bbc4 to
6f3d1b4
Compare
|
@dfitzmau: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Version(s):
4.19+
Issue:
OSDOCS-14170
Link to docs preview:
Enabling port isolation for a Linux bridge NAD