# Service Function Chaining (SFC) - setup

This project offers a means for deploying a Kubernetes cluster that satisfies the requirements of the ovn4nfv sfc-setup.
This project uses the [Vagrant tool][1] for provisioning Virtual Machines automatically. The [setup](setup.sh) bash script contains the Linux instructions to install the dependencies and plugins required for its usage. This script supports two virtualization technologies (Libvirt and VirtualBox).

```bash
$ sudo ./setup.sh -p libvirt
```
There is a `default.yml` in the `./config` directory which creates multiple VMs.

Once Vagrant is installed, it is possible to provision a VM using the following instructions:

In-depth documentation and use cases of the various [Vagrant commands][2] are available on the Vagrant site.
Install [docker](https://docs.docker.com/engine/install/ubuntu/) in the master, minion01 and minion02 VMs.
Follow the steps in [create cluster kubeadm](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/) to create the Kubernetes cluster on the master.
In the master VM run `kubeadm init` as below. ovn4nfv uses the pod network CIDR `10.233.64.0/18`.

```bash
$ kubeadm init --kubernetes-version=1.19.0 --pod-network-cidr=10.233.64.0/18 --apiserver-advertise-address=<master_eth0_ip_address>
```

Deploy the ovn4nfv pod network to the cluster.

```bash
$ kubectl apply -f ovn4nfv-pod-network/ovn-daemonset.yaml
$ kubectl apply -f ovn4nfv-pod-network/ovn4nfv-k8s-plugin.yaml
```

Join minion01 and minion02 by running `kubeadm join` on each node as root, as described in [create cluster kubeadm](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/).
ssh into the TM1 VM and run the following commands to attach TM1 to the left provider network.

```bash
$ ip addr flush dev eth1
$ ip link add link eth1 name eth1.100 type vlan id 100
$ ip link set dev eth1.100 up
$ ip addr add 172.30.10.101/24 dev eth1.100
$ ip route del default
$ ip route add default via 172.30.10.3
```
ssh into the TM2 VM and run the following commands to attach TM2 to the right provider network.

```bash
$ ip addr flush dev eth1
$ ip link add link eth1 name eth1.200 type vlan id 200
$ ip link set dev eth1.200 up
$ ip addr add 172.30.20.2/24 dev eth1.200
```

Run the following commands to create the virtual router.

```bash
$ ip route add 172.30.10.0/24 via 172.30.20.3
$ ip route add 172.30.33.0/24 via 172.30.20.3
$ ip route add 172.30.44.0/24 via 172.30.20.3
```

```bash
$ echo 1 > /proc/sys/net/ipv4/ip_forward
$ /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$ iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
$ iptables -A FORWARD -i eth1.200 -o eth0 -j ACCEPT
```
Deploy the SDEWAN controller in the cluster.

```bash
$ git clone https://github.com/akraino-edge-stack/icn-sdwan.git
$ cd icn-sdwan/platform/crd-ctrlr
$ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.11.0/cert-manager.yaml --validate=false
$ kubectl apply -f examples/sdewan-controller.yaml
```

From TM1, try to ping google.com; the ping will fail.

Deploy the SFC as follows.

```bash
$ kubectl apply -f demo/sfc-setup/deploy/sfc-network.yaml
$ kubectl apply -f demo/sfc-setup/deploy/slb-ngfw-sdewan-cnf-deployment.yaml
$ kubectl apply -f demo/sfc-setup/deploy/ms1.yaml
```
## Test Scenario - to comprehend multiple deployment variations
![sfc-test-scenario-diagram](../../images/sfc-test-scenario-diagram.png)

This shows the test scenario we created in this demo.

Pinging google.com or curl to example.com should fail in both ms1 and TM1.

```bash
$ kubectl apply -f demo/sfc-setup/deploy/sfc.yaml
```

Pinging google.com or curl to example.com should be successful in both ms1 and TM1.
## Traffic from external entities with sfc
![sfc-test-scenario-tm1-to-internet](../../images/sfc-test-scenario-tm1-to-internet.png)

## Traffic from pod within the cluster with sfc
![sfc-test-scenario-ms1-to-internet](../../images/sfc-test-scenario-ms1-to-internet.png)
Let's apply an ICMP reject rule in the SDEWAN CNF.

```bash
$ kubectl apply -f demo/sfc-setup/deploy/firewall-dyn-net-2.yaml
$ kubectl apply -f demo/sfc-setup/deploy/firewall-right-pnetwork.yaml
$ kubectl apply -f demo/sfc-setup/deploy/firewall-rule-reject-icmp-right-pnetwork.yaml
```
## Traffic from external entities with sfc - SDEWAN icmp reject
![sfc-test-scenario-tm1-icmp-blocked](../../images/sfc-test-scenario-tm1-icmp-blocked.png)

## Traffic from pod within the cluster with sfc - SDEWAN icmp reject
![sfc-test-scenario-ms1-icmp-blocked](../../images/sfc-test-scenario-ms1-icmp-blocked.png)

Pinging google.com will fail and curl to example.com should be successful in both ms1 and TM1.
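The three stages above (no SFC, SFC applied, SFC plus the SDEWAN ICMP reject rule) each have a fixed expected reachability for ICMP and HTTP. The following helper, added here as an example and not part of the ovn4nfv or icn-sdwan projects, encodes that expectation and compares it against what `ping` and `curl` actually observe from TM1 or inside ms1; the stage names and the `PROBE_ICMP`/`PROBE_HTTP` variables are assumptions of this example.

```bash
#!/bin/sh
# Verification helper for the SFC demo stages (added example, not project code).
# Stage names used here: before-sfc, with-sfc, icmp-reject.

# expected_reach STAGE -> prints "<icmp> <http>", each ok|fail, per the demo text
expected_reach() {
  case "$1" in
    before-sfc)  echo "fail fail" ;;   # no chain: ping and curl both fail
    with-sfc)    echo "ok ok" ;;       # sfc.yaml applied: both succeed
    icmp-reject) echo "fail ok" ;;     # SDEWAN CNF rejects ICMP, HTTP still passes
    *) return 1 ;;
  esac
}

# rc_to_word RC -> "ok" when the probe command exited 0, "fail" otherwise
rc_to_word() {
  if [ "$1" -eq 0 ]; then echo ok; else echo fail; fi
}

# verify_stage STAGE ICMP_RC HTTP_RC -> 0 if observed matches expected, 1 on mismatch
verify_stage() {
  stage=$1
  expected=$(expected_reach "$stage") || { echo "unknown stage: $stage" >&2; return 2; }
  observed="$(rc_to_word "$2") $(rc_to_word "$3")"
  if [ "$observed" = "$expected" ]; then
    echo "$stage: OK (icmp http = $observed)"
    return 0
  fi
  echo "$stage: MISMATCH expected [$expected] observed [$observed]" >&2
  return 1
}

# probe_stage STAGE: run the real probes (google.com / example.com as in the demo)
# from TM1 or ms1 and verify them against the stage's expectation.
probe_stage() {
  ping -c 3 -W 2 "${PROBE_ICMP:-google.com}" >/dev/null 2>&1; icmp_rc=$?
  curl -sS -m 5 -o /dev/null "${PROBE_HTTP:-example.com}" 2>/dev/null; http_rc=$?
  verify_stage "$1" "$icmp_rc" "$http_rc"
}
```

Run `probe_stage icmp-reject` after applying the firewall rules; a non-zero exit means the chain is not steering or filtering traffic as the diagrams describe.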
[1]: https://www.vagrantup.com/
[2]: https://www.vagrantup.com/docs/cli/
[3]: https://www.github.com/akraino-edge-stack/icn-sdwan