Architecture

The Fabric Services System Kubernetes Controller

The Fabric Services Kubernetes Controller (FSC) is a controller that is deployed in the master nodes, and allows the configuration of a fabric using the Connect service. It is responsible for monitoring the networking configuration of OpenShift, including the management of:

• Network Attachment Definitions
• Workload Connectivity Intents
• Workload Interfaces

The FSC uses Network Attachment Definitions and automatically updates Network Attachment Definitions with the information needed for the Fabric Services System CNI to function properly.

The FSC also monitors the creation of the Workload Connectivity Intents custom resource; and, based on the information stored in those Workload Connectivity Intents, creates the appropriate workload VPN intents and subnets inside the Fabric Services System. This allows the management of application networks through OpenShift.

Finally, the FSC monitors the Workload Interface custom resource and uses the information they store to create the appropriate sub-interfaces in the Fabric Services System. This provides the applications with connectivity to the subnets configured in the Workload Connectivity Intents.

The Fabric Services System Kubernetes Helper CNI

The Fabric Services System Kubernetes Helper CNI is a CNI that does not manipulate or change anything in the networking configuration of the pod or the worker node.

Its purpose is to learn about the relationship between a pod, a worker node the pod is running on, the Network Attachment Definition, and the physical interfaces used by that Network Attachment Definition.

When a pod is scheduled on a specific worker node, Kubelet will execute Multus for the networking of the pod. Multus in turn will look at the annotations of the pod to determine the Network Attachment Definitions to which the pod needs connectivity. When Multus processes these Network Attachment Definitions, it first executes the CNI mentioned in the Network Attachment Definition, which configures the pod networking. After that, Multus also executes the Fabric Services System Kubernetes Helper CNI.

When this CNI is executed, it learns:

• the hostname of the worker node it is being executed on
• the Network Attachment Definition for which it is being executed
• the master interface of that Network Attachment Definition
• the physical interface or interfaces and the VLAN used by that master interface

The CNI then makes sure that a Workload Interface custom resource for each interface is present in the Kubernetes API for the combination of that information (Hostname, Network Attachment Definition name and VLAN).

This Workload Interface in turn triggers the FSC to provision the appropriate sub-interfaces in the correct subnet in the Fabric Services System.

Workload Connectivity Intent CRD

The Workload Connectivity Intent (WCI) is a custom resource definition that the FSC registers in the Kubernetes API.

It is used to describe the relationship between Network Attachment Definitions and how they need to be connected to each other.

It allows the connection of multiple Network Attachment Definitions into the same subnet inside the Fabric Services System, and makes it possible to combine different types of Network Attachment Definitions into a single Layer-2 VRF (MAC-VRF).

Workload Interface CRD

The Workload Interface (WLI) is a custom resource definition that the FSC registers in the Kubernetes API.

It instructs the FSC to create the appropriate sub-interfaces for each combination of:

• worker node hostname
• VLAN
• Network Attachment Definition

The FSC uses this information to make sure the above combination is configured properly as sub-interface in the subnet in the Fabric Services System that is associated with that Network Attachment Definition. That association is learned through the Workload Connectivity Intent that references the Network Attachment Definition.