Network Attachment Definitions
A network attachment definition (NAD) is a type of Custom Resource Definitions (CRDs) in a cluster. It provides configuration items, such as VPC and subnet, for containers to connect to the elastic network interface (ENI). Workloads associated with network attachment definitions can connect to the ENI, so that the containers can be directly bound with the ENIs to expose Services externally.
Notes and Constraints
- The use of ENIs in clusters that use the VPC network model is restricted. You are advised to create a CCE Turbo cluster.
- Only clusters whose network model is VPC (with IPv6 disabled) support NADs. If the network model is tunnel network, only default-network is displayed in the list (cannot be modified) and you cannot add NADs.
- This function can be enabled only for clusters of v1.13.7-r0 or later. If clusters of earlier versions require the function, upgrade the clusters to the latest version.
Creating an NAD
- In the navigation pane of the CCE console, choose Resource Management > Network.
- On the Network Attachment Definitions tab page, select a cluster in the upper right corner. Then click Add Network Attachment Definition.
Figure 2 Adding an NAD
By default, default-network is created with the network resources such as tenant_id, vpc_id, and subnet.Figure 3 Default NAD
- Set basic data of the NAD.
- Network Attachment Definition Name: Enter a string of 4-63 characters.
Do not use default-network, default, mgnt0, and mgnt1.
- Cluster Name: Select the cluster to which you want to add the NAD.
- Security Group: A security group provides access policies for ENIs. You can select a maximum of five security groups. If no security group is selected, the default security group is used. You are advised to allow traffic to pass all IP addresses and ports of the VPC where the cluster is located. If not, the cluster cannot be accessed.
- Subnet: Select a subnet. If no subnet is available, click Create a subnet to create a subnet. After the subnet is created, click the refresh button.
Figure 4 Setting NAD parameters
- Network Attachment Definition Name: Enter a string of 4-63 characters.
- Click Create. After the creation is completed, you will be redirected to the NAD list page. You can see that the newly added NAD is in the list.
Figure 5 Successfully created NAD
Using kubectl
- Use kubectl to connect to the cluster. For details, see Connecting to a Cluster Using kubectl.
- Modify the networkattachment-test.yaml file.
vi networkattachment-test.yaml
apiVersion: k8s.cni.cncf.io/v1 kind: NetworkAttachmentDefinition metadata: annotations: tenant_id: 052fd975a300d31e2f90c01ab87e5839 generation: 3 name: test namespace: kube-system spec: config: >- {"cniVersion":"0.2.0","name":"test","type":"eni-neutron","bridge":"br0","args":{"phynet":"phy_net2","vpc_id":"7a4d731e-fe17-4b72-aa17-962b8363b2d3","securityGroups":"3289d598-8e05-40d8-b726-1f2c425d4935","subnetID":"2945a96b-03a0-4e11-9012-746fe09f714d","cidr":"192.168.1.0/24","availableZone":"cn-north-4b","region":"cn-north-4"}}Table 1 Key parameters Parameter
Mandatory
Type
Description
tenant_id
Yes
String
Project ID
config
Yes
Table 2 object
NAD configuration parameters
Table 2 config parameters Parameter
Mandatory
Type
Description
cniVersion
Yes
String
CNI version. Version 0.3.1 is supported.
name
Yes
String
NAD name.
The value can contain 1 to 64 characters, including lowercase letters, digits, and hyphens (-). The value must start with a lowercase letter and end with a lowercase letter or digit.
type
Yes
String
NAD type.
- eni-neutron: ENI network
- vpc-router: VPC routing network
- overlay_l2: container tunnel network
bridge
Yes
String
Bridge (deprecated)
args
Yes
object
NAD configuration parameters.
Table 3 args parameters Parameter
Mandatory
Type
Description
phynet
Yes
String
Physical network plane (deprecated).
vpc_id
Yes
String
VPC ID of the current cluster.
securityGroups
Yes
String
Security group ID. The value contains 1 to 100 characters.
Obtaining the value:
In the management console, choose Service List > Network > Elastic Load Balance. In the navigation pane on the left, choose Access Control > Security Groups. On the page displayed, click the name of the target security group. On the Summary tab page, locate the ID and copy it.
subnetID
Yes
String
Subnet ID not used by the cluster in the same VPC. The value can contain 1 to 100 characters.
Obtaining the value:
On the management console, click Service List, and choose Network > Elastic Load Balance. Click Subnets in the navigation pane. On the Summary tab page, find and copy the ID.
cidr
Yes
String
Classless inter-domain route, that is, the CIDR block of the subnet where the container is deployed.
availableZone
Yes
String
Availability zone (AZ)
An AZ is a physical region where resources use independent power supply and networks. AZs are physically isolated but interconnected through the internal network.
region
Yes
String
Region
Regions are geographic areas that are physically isolated from each other. The networks inside different regions are not connected to each other, so resources cannot be shared across different regions. For lower network latency and faster access to your resources, select the nearest region.
- Create an NAD.
kubectl create -f networkattachment-test.yaml
If information similar to the following is displayed, the object has been created.
networkattachmentdefinition.k8s.cni.cncf.io/networkattachment-test created
Pod Networking (ENI)
When creating a pod, you can set an NAD by specifying the k8s.v1.cni.cncf.io/networks: test field in annotations. Currently, only one NAD is supported. If multiple NADs are configured, only the first NAD takes effect. The update operation is not supported.
When you create a pod in a CCE Turbo cluster, the NAD is set to default-network by default. You do not need to set the k8s.v1.cni.cncf.io/networks field.
For details about the data structure of each element in the k8s.v1.cni.cncf.io/networks: test array, see Table 4.
|
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
|
name |
Yes |
String |
Name of the NAD to be referenced by the pod. |
Example request:
apiVersion: v1
kind: Pod
metadata:
annotations:
k8s.v1.cni.cncf.io/networks: test
labels:
name: test-pod
name: test-pod
spec:
containers:
- image: nginx
imagePullPolicy: IfNotPresent
name: test
resources:
requests:
cpu: 100m
imagePullSecrets:
- name: default-secret
restartPolicy: Always
When you query the details about a pod, you can find its NAD attributes in the k8s.v1.cni.cncf.io/network-status field in annotations. For details, see Table 5.
|
Parameter |
Type |
Description |
|---|---|---|
|
name |
String |
Name of the NAD where the pod is deployed. |
|
ips |
Array |
Private IP address of the pod |
|
mac |
String |
MAC address of the ENI. This parameter is displayed only when the Cloud Native Network 2.0 model is used. |
|
default |
Bool |
true: This NAD is the active NAD. false: This NAD is not the active NAD. |
Example Response
apiVersion: v1
kind: Pod
metadata:
name: test-pod
namespace: default
selfLink: /api/v1/namespaces/default/pods/test-pod
uid: 0fd06c29-99ad-4e8d-90f9-35366afbb048
resourceVersion: '640691'
creationTimestamp: '2021-04-08T08:14:46Z'
labels:
name: test-pod
annotations:
k8s.v1.cni.cncf.io/network-status: |-
[{
"name": "test",
"ips": [
"192.168.45.115"
],
"default": true,
"extras": {
"cni.yangtse.io/vpc-port-id": "61b0db5f-333f-4237-ac5b-f8adda236334"
}
}]
k8s.v1.cni.cncf.io/networks: test
kubernetes.io/psp: psp-global
spec:
...
Other Operations
You can delete the newly NAD or view its YAML file.
If an NAD has been bound to a workload and is in use, it cannot be deleted. To delete the NAD, delete the bound workload first.
Last Article: SecurityGroups
Next Article: Adding a Secondary VPC CIDR Block for a Cluster
Did this article solve your problem?
Thank you for your score!Your feedback would help us improve the website.