-
egress firewall is also known as egress network policy in OpenShift SDN. This is not the same as network policy egress.
-
Does not support egress rules and some
ipBlock
rules.
The OpenShift Container Platform cluster uses a virtualized network for pod and service networks. The OVN-Kubernetes Container Network Interface (CNI) plug-in is a network provider for the default cluster network. OVN-Kubernetes is based on Open Virtual Network (OVN) and provides an overlay-based networking implementation. A cluster that uses the OVN-Kubernetes network provider also runs Open vSwitch (OVS) on each node. OVN configures OVS on each node to implement the declared network configuration.
The OVN-Kubernetes Container Network Interface (CNI) cluster network provider implements the following features:
Uses OVN (Open Virtual Network) to manage network traffic flows. OVN is a community developed, vendor-agnostic network virtualization solution.
Implements Kubernetes network policy support, including ingress and egress rules.
Uses the Geneve (Generic Network Virtualization Encapsulation) protocol rather than VXLAN to create an overlay network between nodes.
OpenShift Container Platform offers two supported choices, OpenShift SDN and OVN-Kubernetes, for the default Container Network Interface (CNI) network provider. The following table summarizes the current feature support for both network providers:
Feature | OVN-Kubernetes | OpenShift SDN |
---|---|---|
egress IPs |
Supported |
Supported |
egress firewall [1] |
Supported |
Supported |
egress router |
Not supported |
Supported |
Kubernetes network policy |
Supported |
Partially supported [2] |
Multicast |
Supported |
Supported |
egress firewall is also known as egress network policy in OpenShift SDN. This is not the same as network policy egress.
Does not support egress rules and some ipBlock
rules.
The OVN-Kubernetes Container Network Interface (CNI) cluster network provider has a limitation that is related to traffic policies.
The network provider does not support setting the external traffic policy or internal traffic policy for a Kubernetes service to local
.
The default value, cluster
, is supported for both parameters.
This limitation can affect you when you add a service of type LoadBalancer
, NodePort
, or add a service with an external IP.