Managing virtual network interfaces for OpenShift Virtualization

Virtual Private Cloud 4.20 and later Bare metal worker nodes only RHCOS only OVN-Kubernetes CNI required

You can use Virtual Network Interfaces (VNIs) to enable advanced network connectivity for virtual machines (VMs) running on Red Hat OpenShift on IBM Cloud clusters with OpenShift Virtualization.

Understanding Virtual Network Interfaces

A Virtual Network Interface (VNI) is an IBM Cloud VPC abstraction that represents individual network connections. VNIs embed properties of a network connection, such as IP addresses, MAC addresses, and the VPC subnet they belong to.

VNIs are available only on clusters with bare metal worker nodes.

Red Hat OpenShift on IBM Cloud uses VNI-based network attachments to enable flexible connectivity between workloads running on the cluster and outside the cluster. VNIs enable direct network exposure of OpenShift Virtualization-based virtual machines (VMs) to the VPC network by using OVN User Defined Networks (UDN) with the Localnet topology. With VNIs attached to bare metal worker nodes, live migrations of VMs can preserve network connections, as the VNI can implicitly float and follow the VM workload between bare metal worker instances within the same zone.

Key features

Static VNIs per worker node
When you create a bare metal-based Red Hat OpenShift on IBM Cloud cluster or a new worker pool in IBM Cloud VPC, two VNIs are automatically created and attached statically to every bare metal worker node. One VNI handles regular worker traffic (pod network, overlay UDNs, and master communication). The second VNI acts as a carrier for dynamic VNI attachments that you manage.
Dynamic VNI attachments
You can create and manage VNIs on-demand after cluster creation. Dynamic VNIs can be attached to specific workers or configured to float between workers in the same zone, following VM workloads during live migration.
Live migration support
With VNIs attached to bare metal worker nodes, live migrations of OpenShift Virtualization-based VMs can preserve network connections. The VNI implicitly floats and follows the workload between bare metal worker instances within the same zone.

For important limitations and considerations about VNIs, see Limitations and considerations.

Cross-account attachment

In Red Hat OpenShift on IBM Cloud, worker nodes are not provisioned in your account, which means the lifecycle management of VNIs is slightly different from standalone VPC bare metal instances. The Red Hat OpenShift on IBM Cloud cluster administrator has different visibility to the attachments of the VNIs because they are attached to workloads that are not visible within the account. The differences in VNI management are covered in this documentation.

For more information about VNIs on standalone VPC bare metal instances, see About virtual network interfaces.

Limitations and considerations

Static VNI modifications
Do not modify the static VNIs that are automatically created for each worker node. While these VNIs are visible in your VPC account, any changes to their settings are not supported. This includes attaching floating IPs, changing security groups, or modifying any other VNI properties. Modifying static VNIs can cause cluster connectivity issues.
VNI modification restrictions for floating attachments
You cannot modify VNI properties for floating (cluster-scoped) dynamic attachments. This includes changes to the VNI name, Floating IP addresses, Infrastructure NAT settings, and security group assignments. To update these settings, you must first detach the VNI, make your changes, and then reattach it to the cluster. This limitation is temporary.
Zone constraints
VNIs are attached to a specific VPC subnet and cannot float between zones. In multi-zone Red Hat OpenShift on IBM Cloud clusters, VNIs can handle traffic only for workloads running on cluster workers in the same zone where the VNI is provisioned. This also means you must avoid OpenShift Virtualization VM live migration between zones when the specific VM is using a VNI on a Localnet UDN.
Bare metal requirement
VNIs are only supported on bare metal worker nodes. Virtual server instance (VSI) worker nodes do not support VNIs.
RHCOS requirement
Worker nodes must run Red Hat CoreOS (RHCOS) operating system.
OVN-Kubernetes CNI
Clusters must use the OVN-Kubernetes Container Network Interface (CNI) plugin.
Version requirement
VNI support requires OpenShift 4.20 or later.
Localnet UDN restrictions
Localnet UDNs have IP Address Management (IPAM) disabled on the OVN side, which means static IP address assignment to pods does not happen from OVN. This configuration is designed for VM workloads that use DHCP or set up static IPs inside the guest operating system. Regular pods cannot be attached to localnet UDNs.

Prerequisites

Before you begin, make sure that you have the following resources and permissions.

  • A Red Hat OpenShift on IBM Cloud cluster at version 4.20 or later with bare metal worker nodes
  • VPC infrastructure with VNIs created
  • RHCOS operating system on worker nodes
  • OpenShift Virtualization Operator installed
  • Storage configured for OpenShift Virtualization
  • The Operator platform access role for Kubernetes Service in IBM Cloud IAM
  • The Editor or Administrator platform access role for VPC Infrastructure Services in IBM Cloud IAM
  • Allowlisted account access for VNI features
  • OVN-Kubernetes CNI (required for VNI support in 4.20+)

For general information about multi-network configurations, see the Red Hat OpenShift multiple networks documentation.

Creating overlay UDNs for Pods and VMs

You can create overlay User Defined Networks for use with pods or VM workloads. The OpenShift console UI experience for User Defined Networks is subject to change with recent releases. The examples in this documentation use YAML definitions for reusability.

Creating a Primary UDN

To use a Primary User Defined Network for pods or VM workload, first create the UDN itself.

Example for a Cluster User Defined Network that can be used across namespaces:

apiVersion: k8s.ovn.org/v1
kind: ClusterUserDefinedNetwork
metadata:
  name: primary
spec:
  namespaceSelector:
    matchLabels:
      kubernetes.io/metadata.name: green
  network:
    layer2:
      ipam:
        lifecycle: Persistent
      role: Primary
      subnets:
        - 10.0.0.0/24
    topology: Layer2

Then, create the namespace(s) that will use it. The namespace must contain a specific label (called k8s.ovn.org/primary-user-defined-network) on creation for Primary UDN usage.

Example:

kind: Namespace
apiVersion: v1
metadata:
  name: green
  labels:
    k8s.ovn.org/primary-user-defined-network: ''

Once the (C)UDN and the namespaces are in place, any workload created in this namespace will access the UDN with the default route.

Creating a Secondary UDN

Secondary UDN configuration is similar to Primary UDN, but with the role set to Secondary. For detailed information, see the Red Hat OpenShift multiple networks documentation.

Exposing VMs with VPC load balancers

You can expose VMs without using UDN or localnet VNI by using VPC Application Load Balancers. For more information about configuring load balancers, see About VPC load balancers.

Setting up localnet user defined networks

Localnet UDNs require preparation of the Red Hat OpenShift on IBM Cloud cluster's OVN network. On bare metal cluster nodes, the two static network interfaces have predictable names on the host operating system. The network interface dedicated to carrying dynamic attached VNI traffic is called eth1. Leveraging Localnet requires the creation of a dedicated OVS bridge on the bare metal cluster nodes, on top of eth1. Prepare a VLAN ID that you will use to attach the VNIs. It will be referred to in the CUDN resource as well.

Installing the NMState operator

OpenShift Virtualization Service clusters have the NMState operator pre-installed and managed by the openshift-virtualization add-on. Skip this step if you're using Virtualization Service.

  1. Deploy the NMState Operator from the OperatorHub in the Red Hat OpenShift on IBM Cloud console or by using the CLI.

  2. Create an NMState instance with the default configuration.

    apiVersion: nmstate.io/v1
kind: NMState
metadata:
  name: nmstate
spec:
  probeConfiguration:
    dns:
      host: root-servers.net

Creating the OVS bridge

OpenShift Virtualization Service clusters have the required NNCP resources pre-configured. You only need to create these resources manually for standard OpenShift clusters with manual OpenShift Virtualization installation.

  1. Create a dedicated OVS bridge with eth1 attached to it by deploying the following NMState custom resource.

    apiVersion: nmstate.io/v1
kind: NodeNetworkConfigurationPolicy
metadata:
  name: "br-eth1"
spec:
  desiredState:
    interfaces:
    - name: "br-eth1"
      description: A dedicated OVS bridge with a NIC as a port
      type: ovs-bridge
      state: up
      bridge:
        allow-extra-patch-ports: true
        options:
          stp: false
        port:
        - name: "eth1"

  2. Check the custom resource status and wait until all applicable cluster nodes reconcile the bridge creation request.

  3. Patch the new OVS bridge to the default one by creating the following NMState custom resource. Replace vpc-vlans with your desired network name.

    apiVersion: nmstate.io/v1
kind: NodeNetworkConfigurationPolicy
metadata:
  name: "vpc-vlans"
spec:
  desiredState:
    ovn:
      bridge-mappings:
      - localnet: "vpc-vlans"
        bridge: "br-eth1"
        state: present

  4. Check the custom resource status and wait until all applicable cluster nodes reconcile the bridge mapping request.

Creating a localnet user defined network

Create a UDN or ClusterUserDefinedNetwork (CUDN) that makes available the traffic from VNIs by using the selected VLAN.

apiVersion: k8s.ovn.org/v1
kind: ClusterUserDefinedNetwork
metadata:
  name: "vlan250"
spec:
  namespaceSelector:
    matchExpressions:
    - key: kubernetes.io/metadata.name
      operator: In
      values:
      - "default"
  network:
    topology: Localnet
    localnet:
      role: "Secondary"
      physicalNetworkName: "vpc-vlans"
      ipam:
        mode: Disabled
      vlan:
        mode: Access
        access:
          id: 250

Replace the following values:

  • vlan250: The name of your CUDN
  • default: The namespace where you want to use the CUDN
  • vpc-vlans: The physical network name you defined in the bridge mapping
  • 250: Your desired VLAN ID (range: 1-500)

This concludes the network plumbing of a specific VLAN. You can define multiple CUDNs by using different VLAN IDs while reusing the bridge mappings.

After completing the localnet UDN setup, you can attach VNIs to the cluster by using the IBM Cloud console or the IBM Cloud CLI ks vni command. See the examples in the following sections.

Attaching VNIs to your cluster

After you set up the localnet UDN, you can attach VNIs to your cluster by using the IBM Cloud console or CLI.

Before you begin

  1. Create VNIs in your VPC with the appropriate subnet and IP address configuration.

  2. Make sure that you have the required permissions to manage both the cluster and VNIs.

Attaching a VNI from the console

You can attach a VNI to a specific worker node (non-floating) or to the cluster (floating). Floating VNIs can follow workloads between workers in the same zone.

VNIs, subnets, and worker nodes are zonal resources. The VNI compute zone must match the selected worker zone. For floating attachments, the zone of the VNI is assumed, and the floating attachment also has the zone constraint. VNIs can be attached from arbitrary subnets, but only from within the same VPC as the cluster.

  1. From the Red Hat OpenShift on IBM Cloud clusters console, select your cluster.

  2. In the navigation menu, click Networking > VNI attachments.

  3. Click Attach VNIs.

  4. In the Attach VNIs panel, configure the following settings:

    • Subnet: Select the subnet where your VNI is located. Only subnets in the same zone as your worker nodes are available.
    • Worker node: Select a specific worker node to attach the VNI to, or select All worker nodes to create a floating VNI attachment that can follow workloads between workers in the same zone.
    • VNI: Select the VNI to attach from the available VNIs in the selected subnet.
    • VLAN ID: Enter the VLAN ID (range: 1-500) that matches your localnet UDN configuration.
    • Auto-delete: Optional. Select this option to automatically delete the VNI when it is removed from the cluster.

  5. Click Attach.

Attaching a VNI from the CLI

You can attach a VNI to a specific worker node (non-floating) or to the cluster (floating). Floating VNIs can follow workloads between workers in the same zone.

VNIs, subnets, and worker nodes are zonal resources. The VNI compute zone must match the selected worker zone. For floating attachments, the zone of the VNI is assumed, and the floating attachment also has the zone constraint. VNIs can be attached from arbitrary subnets, but only from within the same VPC as the cluster.

To attach a VNI to a specific worker node, run the following command.

ibmcloud ks vni attach baremetal --worker WORKER_ID --vni VNI_ID --vlan VLAN_ID [--auto-delete]

To attach a floating VNI to the cluster, run the following command.

ibmcloud ks vni attach baremetal --cluster-id CLUSTER_ID --vni VNI_ID --vlan VLAN_ID [--auto-delete]
--worker WORKER_ID
The ID of the worker node. To list worker IDs, run ibmcloud ks workers --cluster CLUSTER.
--cluster-id CLUSTER_ID
The ID of the cluster. To list cluster IDs, run ibmcloud ks clusters.
--vni VNI_ID
The ID of the VNI to attach.
--vlan VLAN_ID
The VLAN ID for the attachment (range: 1-500). This must match the VLAN ID in your CUDN configuration.
--auto-delete
Optional: Automatically delete the VNI when it is removed from the cluster.

Example

ibmcloud ks vni attach baremetal --vni 0716-aac49630-f3b4-4ef6-9a3a-5145481697ba --worker kube-c9pqfcmw0tq431jdnrrg-mycluster-default-00000123 --vlan 251

Example output

OK
Successfully attached VNI 0716-aac49630-f3b4-4ef6-9a3a-5145481697ba to worker node kube-c9pqfcmw0tq431jdnrrg-mycluster-default-00000123.
Worker Node ID                                         VNI ID                                      VLAN ID
kube-c9pqfcmw0tq431jdnrrg-mycluster-default-00000123   0716-aac49630-f3b4-4ef6-9a3a-5145481697ba   251

Viewing VNI attachments

You can view VNI attachments from the IBM Cloud console or by using the CLI.

Viewing VNI attachments from the console

  1. From the Red Hat OpenShift on IBM Cloud clusters console, select your cluster.

  2. In the navigation menu, click Networking > VNI attachments.

  3. The Virtual network interface attachments page displays a table with the following information for each attached VNI:

    • VNI name: The name of the virtual network interface
    • Worker node name: The worker node where the VNI is attached, or indicates if it's a floating attachment
    • Subnet: The VPC subnet associated with the VNI
    • VLAN ID: The VLAN ID used for the attachment
    • Primary IP: The primary IP address of the VNI

  4. Optional: Use the filters at the top of the page to filter VNIs by subnet or worker node.

Viewing VNI attachments from the CLI

To list all VNIs attached to a cluster, run the following command.

ibmcloud ks vni ls --cluster-id CLUSTER_ID

To list VNIs attached to a specific worker, run the following command.

ibmcloud ks vni ls --worker WORKER_ID

Example output

ibmcloud ks vni ls --cluster-id c9pqfcmw0tq431jdnrrg

OK
VNI ID                                      Worker Node                                            IP Address   MAC Address         VLAN   Floating   Auto-delete
0716-d97d3626-acb2-476b-8b12-bcafa1dec5bb   kube-c9pqfcmw0tq431jdnrrg-mycluster-default-00000456   10.240.1.5   02:00:02:00:73:A5   250    -          false
0716-aac49630-f3b4-4ef6-9a3a-5145481697ba   kube-c9pqfcmw0tq431jdnrrg-mycluster-default-00000123   10.240.1.4   02:00:01:00:73:A5   251    -          false

Detaching VNIs

You can detach VNIs from the IBM Cloud console or by using the CLI.

Detaching VNIs from the console

  1. From the Red Hat OpenShift on IBM Cloud clusters console, select your cluster.

  2. In the navigation menu, click Networking > VNI attachments.

  3. In the Virtual network interface attachments table, find the VNI you want to detach.

  4. Click the actions menu icon (⋯) for the VNI and select Detach.

  5. In the confirmation dialog, click Detach to confirm the action.

Detaching VNIs from the CLI

To detach a VNI from a worker node, you must specify both the VNI ID and the worker ID.

ibmcloud ks vni detach --worker WORKER_ID --vni VNI_ID

For floating VNIs, first list the VNIs to find the current worker ID, then detach using that worker ID.

Example

ibmcloud ks vni detach --vni 0716-aac49630-f3b4-4ef6-9a3a-5145481697ba --worker kube-c9pqfcmw0tq431jdnrrg-mycluster-default-00000123

Detach VNI 0716-aac49630-f3b4-4ef6-9a3a-5145481697ba from worker node kube-c9pqfcmw0tq431jdnrrg-mycluster-default-00000123? This action cannot be undone. [y/N]> y
OK
Successfully detached VNI 0716-aac49630-f3b4-4ef6-9a3a-5145481697ba from worker node kube-c9pqfcmw0tq431jdnrrg-mycluster-default-00000123.

Using VNIs with OpenShift Virtualization

After you attach VNIs and configure localnet UDNs, you can use them with OpenShift Virtualization VMs.

  1. Create VMs with OpenShift Virtualization and add the CUDN as a secondary network. Localnet attachments cannot be used as primary networks. You can use the OpenShift Console to add the attachment.

  2. Specify the MAC address for the attachment to allow the VM operating system to get its IP address by using DHCP. Alternatively, you can assign the VNI IP address statically to the respective network interface in the VM.

For more information about creating and managing VMs, see the following Red Hat documentation:

Troubleshooting VNIs

Why can't I attach regular pods to localnet UDNs?

Localnet UDNs have IP Address Management (IPAM) disabled on the OVN side, which means static IP address assignment to pods does not happen from OVN. This configuration is designed for VM workloads that use DHCP or set up static IPs inside the guest operating system. These options are not available for pod workloads.

Why is live migration pending across worker pools?

Different worker pools might have different worker flavors with CPUs from different generations and capabilities. If the full CPU feature set is transparently visible to the VM workload, you cannot live migrate the VM to another worker that does not support all the CPU features. You can limit the guest operating system visible CPU features at the beginning to gain more compatibility across worker flavors.

Why are dynamic attached VNIs not working?

Check the following items:

  • Verify that the VLAN ID in the CUDN matches the VLAN ID in the VNI attachment. VPC DHCP might still work without further traffic if the VLAN is mismatched.
  • If floating is not enabled, make sure the workload is scheduled on the worker where the VNI is attached.
  • Verify that the dedicated OVS bridge and the mapping are present on the workers. Check the NodeNetworkConfigurationPolicy resource status.