# Service Function Chaining (SFC) - setup

This project offers a means for deploying a Kubernetes cluster
that satisfies the requirements of ovn4nfv sfc-setup.
This project uses the [Vagrant tool][1] for provisioning virtual machines
automatically. The [setup](setup.sh) bash script contains the
Linux instructions to install the dependencies and plugins required for
its usage. The script supports two virtualization technologies
(Libvirt and VirtualBox):
```
$ sudo ./setup.sh -p libvirt
```
The `default.yml` file in the `./config` directory defines the multiple VMs that are created.

Once Vagrant is installed, it's possible to provision the VMs using
the following instructions:

In-depth documentation and use cases for the various [Vagrant commands][2]
are available on the Vagrant site.
Install [docker](https://docs.docker.com/engine/install/ubuntu/) on the master, minion01 and minion02 VMs.
Follow the steps in [create cluster kubeadm](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/) to create the Kubernetes cluster on the master.
In the master VM run `kubeadm init` as below; ovn4nfv uses the pod network CIDR `10.233.64.0/18`, so pass the same value:
```
$ kubeadm init --kubernetes-version=1.19.0 --pod-network-cidr=10.233.64.0/18 --apiserver-advertise-address=<master_eth0_ip_address>
```
Deploy the ovn4nfv Pod network to the cluster:
```
$ kubectl apply -f ovn4nfv-pod-network/ovn-daemonset.yaml
$ kubectl apply -f ovn4nfv-pod-network/ovn4nfv-k8s-plugin.yaml
```
Join minion01 and minion02 by running `kubeadm join` on each node as root, as described in [create cluster kubeadm](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/).
ssh into the TM1 VM and run the following commands to attach TM1 to the left provider network:
```
$ ip addr flush dev eth1
$ ip link add link eth1 name eth1.100 type vlan id 100
$ ip link set dev eth1.100 up
$ ip addr add 172.30.10.101/24 dev eth1.100
$ ip route del default
$ ip route add default via 172.30.10.3
```
ssh into the TM2 VM and run the following commands to attach TM2 to the right provider network:
```
$ ip addr flush dev eth1
$ ip link add link eth1 name eth1.200 type vlan id 200
$ ip link set dev eth1.200 up
$ ip addr add 172.30.20.2/24 dev eth1.200
```
Run the following commands to turn TM2 into the virtual router:
```
$ ip route add 172.30.10.0/24 via 172.30.20.3
$ ip route add 172.30.33.0/24 via 172.30.20.3
$ ip route add 172.30.44.0/24 via 172.30.20.3
```
```
$ echo 1 > /proc/sys/net/ipv4/ip_forward
$ /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$ iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
$ iptables -A FORWARD -i eth1.200 -o eth0 -j ACCEPT
```
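The TM1 and TM2 commands above are fire-and-forget: nothing confirms that the VLAN sub-interface, the address, the routes, the forwarding flag and the NAT/forward rules actually ended up in place, and a re-run of `ip link add` simply errors out if the interface already exists. The script below is an added example, not part of the ovn4nfv demo, that checks a TM VM against the intended state. The interface names, addresses, routes and iptables rules come from the steps above; the file name `verify-tm.sh`, the `tm1`/`tm2` profile names and the embedded sample command output are assumptions constructed for this example, not captures from a real VM.

```shell
#!/bin/sh
# Added example, not part of the ovn4nfv demo: verify that a traffic-machine VM
# (TM1 or TM2) really is in the state the README commands intend. Each check is a
# function over command-output text, so the same code runs on live output
# (`sh verify-tm.sh tm2 --live`, as root on the VM; the file name is made up)
# or on the constructed sample below (README values, invented MACs).

# has_vlan LINKS DEV ID    LINKS is `ip -d link show` output
has_vlan() {
    printf '%s\n' "$1" | awk -v dev="$2" -v id="$3" '
        /^[0-9]+: / { cur = $2; sub(/@.*/, "", cur); sub(/:$/, "", cur) }
        $1 == "vlan" && $4 == "id" && $5 == id && cur == dev { found = 1 }
        END { exit !found }'
}

# has_addr ADDRS DEV CIDR  ADDRS is `ip -4 addr show` output
has_addr() {
    printf '%s\n' "$1" | awk -v dev="$2" -v cidr="$3" '
        $1 == "inet" && $2 == cidr && $NF == dev { found = 1 }
        END { exit !found }'
}

# has_route ROUTES DST GW  ROUTES is `ip route show` output; DST may be "default"
has_route() {
    printf '%s\n' "$1" | awk -v dst="$2" -v gw="$3" '
        $1 == dst && $2 == "via" && $3 == gw { found = 1 }
        END { exit !found }'
}

# has_rule IPT TABLE RULE  IPT is `iptables-save` output; RULE exactly as printed there
has_rule() {
    printf '%s\n' "$1" | awk -v table="*$2" -v rule="$3" '
        $0 == table    { in_t = 1; next }
        $0 == "COMMIT" { in_t = 0 }
        in_t && $0 == rule { found = 1 }
        END { exit !found }'
}

fail() { echo "  missing: $1"; failed=$((failed + 1)); }

# check_host NAME LINKS ADDRS ROUTES IPFWD IPT
# Prints every missing item and returns the number of failed checks (0 = as intended).
check_host() {
    failed=0
    case "$1" in
    tm1)
        has_vlan  "$2" eth1.100 100              || fail "eth1.100 with VLAN id 100"
        has_addr  "$3" eth1.100 172.30.10.101/24 || fail "172.30.10.101/24 on eth1.100"
        has_route "$4" default 172.30.10.3       || fail "default route via 172.30.10.3"
        ;;
    tm2)
        has_vlan  "$2" eth1.200 200              || fail "eth1.200 with VLAN id 200"
        has_addr  "$3" eth1.200 172.30.20.2/24   || fail "172.30.20.2/24 on eth1.200"
        for dst in 172.30.10.0/24 172.30.33.0/24 172.30.44.0/24; do
            has_route "$4" "$dst" 172.30.20.3    || fail "route $dst via 172.30.20.3"
        done
        [ "$(printf '%s' "$5" | tr -d '[:space:]')" = 1 ] || fail "net.ipv4.ip_forward=1"
        has_rule "$6" nat    "-A POSTROUTING -o eth0 -j MASQUERADE"     || fail "nat MASQUERADE out of eth0"
        has_rule "$6" filter "-A FORWARD -i eth1 -o eth0 -j ACCEPT"     || fail "FORWARD eth1 -> eth0"
        has_rule "$6" filter "-A FORWARD -i eth1.200 -o eth0 -j ACCEPT" || fail "FORWARD eth1.200 -> eth0"
        ;;
    *)  echo "usage: $0 tm1|tm2 [--live]" >&2; return 2 ;;
    esac
    return $failed
}

# Constructed sample of a correctly configured TM2 (not a real capture).
TM2_LINKS='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:00:00:01 brd ff:ff:ff:ff:ff:ff
4: eth1.200@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:00:00:02 brd ff:ff:ff:ff:ff:ff
    vlan protocol 802.1Q id 200 <REORDER_HDR>'
TM2_ADDRS='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic eth0
4: eth1.200@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 172.30.20.2/24 scope global eth1.200'
TM2_ROUTES='default via 10.0.2.2 dev eth0
172.30.10.0/24 via 172.30.20.3 dev eth1.200
172.30.20.0/24 dev eth1.200 proto kernel scope link src 172.30.20.2
172.30.33.0/24 via 172.30.20.3 dev eth1.200
172.30.44.0/24 via 172.30.20.3 dev eth1.200'
TM2_IPT='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth1.200 -o eth0 -j ACCEPT
COMMIT'

if [ "${2:-}" = "--live" ]; then   # on a real VM: read the current state
    check_host "$1" "$(ip -d link show)" "$(ip -4 addr show)" "$(ip route show)" \
        "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables-save 2>/dev/null)"
    exit $?
fi
# Without --live: self-check against the constructed TM2 sample.
check_host tm2 "$TM2_LINKS" "$TM2_ADDRS" "$TM2_ROUTES" 1 "$TM2_IPT" \
    && echo "sample TM2 state: all checks passed"
```

Run `sh verify-tm.sh tm2 --live` (or `tm1 --live`) as root on the VM after the steps above; without `--live` it checks the embedded sample, which confirms the parsing before the script is trusted on a host. The exit status is the number of missing items, so the check can gate the SDEWAN and SFC deployment steps that follow.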
Deploy the SDEWAN controller in the cluster:
```
$ git clone https://github.com/akraino-edge-stack/icn-sdwan.git
$ cd icn-sdwan/platform/crd-ctrlr
$ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.11.0/cert-manager.yaml --validate=false
$ kubectl apply -f examples/sdewan-controller.yaml
```
From TM1, try to ping google.com; the ping will fail.
Deploy the SFC as follows:
```
$ kubectl apply -f demo/sfc-setup/deploy/sfc-network.yaml
$ kubectl apply -f demo/sfc-setup/deploy/slb-ngfw-sdewan-cnf-deployment.yaml
$ kubectl apply -f demo/sfc-setup/deploy/ms1.yaml
```
## Test Scenario - to comprehend multiple deployment variations
96 
This shows the test scenario created in this demo.

Pinging google.com or running curl example.com should fail in both ms1 and TM1.
```
$ kubectl apply -f demo/sfc-setup/deploy/sfc.yaml
```
Pinging google.com or running curl example.com should now succeed in both ms1 and TM1.
## Traffic from external entities with sfc
107 
## Traffic from pod within the cluster with sfc
110 
Now apply an ICMP reject rule in the SDEWAN CNF:
```
$ kubectl apply -f demo/sfc-setup/deploy/firewall-dyn-net-2.yaml
$ kubectl apply -f demo/sfc-setup/deploy/firewall-right-pnetwork.yaml
$ kubectl apply -f demo/sfc-setup/deploy/firewall-rule-reject-icmp-right-pnetwork.yaml
```
## Traffic from external entities with sfc - SDEWAN icmp reject
119 
## Traffic from pod within the cluster with sfc - SDEWAN icmp reject
122 
Pinging google.com will now fail, while curl example.com should still succeed in both ms1 and TM1.
[1]: https://www.vagrantup.com/
[2]: https://www.vagrantup.com/docs/cli/
[3]: https://www.github.com/akraino-edge-stack/icn-sdwan