# Service Function Chaining (SFC) - setup
This project offers a means of deploying a Kubernetes cluster
that satisfies the requirements of the ovn4nfv sfc-setup.
This project uses the [Vagrant tool][1] for provisioning virtual machines
automatically. The [setup](setup.sh) bash script contains the
Linux instructions to install the dependencies and plugins required for
its usage. This script supports two virtualization technologies
(Libvirt and VirtualBox).

```bash
$ sudo ./setup.sh -p libvirt
```
There is a `default.yml` in the `./config` directory which creates multiple VMs.
Once Vagrant is installed, a VM can be provisioned using
the following instructions:
In-depth documentation and use cases of the various Vagrant commands
are available on the Vagrant site ([Vagrant commands][2]).
### How to create a K8s cluster?
Install [docker](https://docs.docker.com/engine/install/ubuntu/) on the master, minion01 and minion02 VMs.
Follow the steps in [create cluster kubeadm](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/) to create the Kubernetes cluster on the master.
On the master VM run `kubeadm init` as below. ovn4nfv uses the same pod network CIDR, `10.233.64.0/18`.
Join minion01 and minion02 by running `kubeadm join` on each node as root, as described in [create cluster kubeadm](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/).

Please follow the ovn4nfv installation steps: [ovn4nfv installation](https://github.com/ovn4nfv/ovn4nfv-k8s-plugin#quickstart-installation-guide)
ssh into the TM1 VM and run the following commands to attach TM1 to the left provider network.

```bash
$ ip addr flush dev eth1
$ ip link add link eth1 name eth1.100 type vlan id 100
$ ip link set dev eth1.100 up
$ ip addr add 172.30.10.101/24 dev eth1.100
$ ip route del default
$ ip route add default via 172.30.10.3
```
ssh into the TM2 VM and run the following commands to attach TM2 to the right provider network.

```bash
$ ip addr flush dev eth1
$ ip link add link eth1 name eth1.200 type vlan id 200
$ ip link set dev eth1.200 up
$ ip addr add 172.30.20.2/24 dev eth1.200
```
Run the following commands to create the virtual router

```bash
$ ip route add 172.30.10.0/24 via 172.30.20.3
$ ip route add 172.30.33.0/24 via 172.30.20.3
$ ip route add 172.30.44.0/24 via 172.30.20.3
```

```bash
$ echo 1 > /proc/sys/net/ipv4/ip_forward
$ /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$ iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
$ iptables -A FORWARD -i eth1.200 -o eth0 -j ACCEPT
```
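The TM1 attach steps, the TM2 attach steps and the TM2 virtual-router steps above follow one pattern (VLAN sub-interface, address, routes, then forwarding and NAT), so the script below parameterises them. It is an added example, not code from the ovn4nfv or icn-sdwan repositories. It differs from the commands above in three deliberate ways: `ip addr replace` / `ip route replace` are used so the script can be re-run without "RTNETLINK answers: File exists" errors, `iptables -C` is checked before `-A` so rules are not duplicated, and a `RELATED,ESTABLISHED` return-path rule is added for the case where the `FORWARD` chain policy is `DROP` (the commands above assume the default `ACCEPT` policy). The function names, the `DRY_RUN` and `RUN_SETUP` variables are this example's own; the interface names, VLAN ids and addresses are the ones used above.

```shell
#!/bin/sh
# Added example (not part of the ovn4nfv demo): parameterised, idempotent
# version of the TM1/TM2 provider-network attach and virtual-router steps.
# DRY_RUN=1 prints the commands instead of executing them (no root needed).
set -eu
DRY_RUN=${DRY_RUN:-0}

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ipt_ensure TABLE CHAIN RULE... : append RULE only if it is not already present
ipt_ensure() {
    table=$1; chain=$2; shift 2
    if [ "$DRY_RUN" = "1" ] || ! iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        run iptables -t "$table" -A "$chain" "$@"
    fi
}

# attach_provider_network PARENT VLAN_ID ADDR/PREFIX [GATEWAY]
# Creates PARENT.VLAN_ID, assigns the address and, if GATEWAY is given,
# replaces the default route (TM1 does this, TM2 keeps its default via eth0).
attach_provider_network() {
    parent=$1; vid=$2; cidr=$3; gw=${4:-}
    vif="$parent.$vid"
    run ip addr flush dev "$parent"
    # only create the VLAN sub-interface when it does not exist yet
    if [ "$DRY_RUN" = "1" ] || ! ip link show "$vif" >/dev/null 2>&1; then
        run ip link add link "$parent" name "$vif" type vlan id "$vid"
    fi
    run ip link set dev "$vif" up
    run ip addr replace "$cidr" dev "$vif"
    if [ -n "$gw" ]; then
        # replace = "del default" + "add default" in one atomic step
        run ip route replace default via "$gw"
    fi
}

# setup_virtual_router WAN_IF GATEWAY "LAN_IF LAN_IF..." NET...
# Routes each NET via GATEWAY, enables forwarding, masquerades out WAN_IF and
# allows forwarding from every LAN_IF to WAN_IF (plus the reply direction).
setup_virtual_router() {
    wan=$1; gw=$2; lan_ifs=$3; shift 3
    for net in "$@"; do
        run ip route replace "$net" via "$gw"
    done
    run sysctl -w net.ipv4.ip_forward=1      # same effect as echo 1 > /proc/sys/net/ipv4/ip_forward
    ipt_ensure nat POSTROUTING -o "$wan" -j MASQUERADE
    for lan in $lan_ifs; do
        ipt_ensure filter FORWARD -i "$lan" -o "$wan" -j ACCEPT
        # reply traffic: required when the FORWARD policy is DROP
        ipt_ensure filter FORWARD -i "$wan" -o "$lan" \
            -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    done
}

# Reproduce the demo's steps: RUN_SETUP=tm1 on TM1, RUN_SETUP=tm2 on TM2 (as root).
case "${RUN_SETUP:-}" in
    tm1) attach_provider_network eth1 100 172.30.10.101/24 172.30.10.3 ;;
    tm2) attach_provider_network eth1 200 172.30.20.2/24
         setup_virtual_router eth0 172.30.20.3 "eth1 eth1.200" \
             172.30.10.0/24 172.30.33.0/24 172.30.44.0/24 ;;
esac
```

Run it first with `DRY_RUN=1 RUN_SETUP=tm2 sh script.sh` on the VM to review the exact commands it would issue before running it as root without `DRY_RUN`.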
Deploy the SDEWAN controller in the cluster

```bash
$ git clone https://github.com/akraino-edge-stack/icn-sdwan.git
$ cd icn-sdwan/platform/crd-ctrlr
$ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.11.0/cert-manager.yaml --validate=false
$ kubectl apply -f examples/sdewan-controller.yaml
```

From TM1 try to ping google.com; the ping operation will fail.

Deploy the SFC as follows

```bash
$ kubectl apply -f demo/sfc-setup/deploy/sfc-network.yaml
$ kubectl apply -f demo/sfc-setup/deploy/slb-ngfw-sdewan-cnf-deployment.yaml
$ kubectl apply -f demo/sfc-setup/deploy/ms1.yaml
```
## Test Scenario - to comprehend multiple deployment variations
![sfc-test-scenario-diagram](../../images/sfc-test-scenario-diagram.png)

This shows the test scenario we created in this demo.

Pinging google.com or running curl example.com should fail in both ms1 and TM1

```bash
$ kubectl apply -f demo/sfc-setup/deploy/sfc.yaml
```

Pinging google.com or running curl example.com should succeed in both ms1 and TM1
## Traffic from external entities with sfc
![sfc-test-scenario-tm1-to-internet](../../images/sfc-test-scenario-tm1-to-internet.png)

## Traffic from pod within the cluster with sfc
![sfc-test-scenario-ms1-to-internet](../../images/sfc-test-scenario-ms1-to-internet.png)
Let's try to apply an ICMP reject rule in the SDEWAN CNF

```bash
$ kubectl apply -f demo/sfc-setup/deploy/firewall-dyn-net-2.yaml
$ kubectl apply -f demo/sfc-setup/deploy/firewall-right-pnetwork.yaml
$ kubectl apply -f demo/sfc-setup/deploy/firewall-rule-reject-icmp-right-pnetwork.yaml
```
## Traffic from external entities with sfc - SDEWAN icmp reject
![sfc-test-scenario-tm1-icmp-blocked](../../images/sfc-test-scenario-tm1-icmp-blocked.png)

## Traffic from pod within the cluster with sfc - SDEWAN icmp reject
![sfc-test-scenario-ms1-icmp-blocked](../../images/sfc-test-scenario-ms1-icmp-blocked.png)

Pinging google.com will fail and curl example.com should succeed in both ms1 and TM1
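The three expected outcomes stated in this demo (before `sfc.yaml`: ping and curl both fail; after `sfc.yaml`: both succeed; after the ICMP reject rule: ping fails, curl succeeds) form a small reachability matrix. The script below encodes that matrix as a check that can be run on TM1 or from inside ms1 after each step, so a mis-step (for example the ICMP rule also blocking HTTP) shows up as a `FAIL` line instead of being noticed later. It is an added example, not part of the demo; the stage names, the `RUN_IN` prefix and the function names are this example's own, while google.com and example.com are the targets the demo uses.

```shell
#!/bin/sh
# Added example (not part of the ovn4nfv demo): verify the reachability
# expected at each stage of the SFC demo from TM1 or from the ms1 pod.
# RUN_IN lets the probes be executed inside a pod, e.g.
#   RUN_IN="kubectl exec <ms1-pod-name> --"   (placeholder pod name)
set -u
RUN_IN=${RUN_IN:-}

# Probes return 0 on success; output is discarded, only the verdict matters.
probe_icmp() { $RUN_IN ping -c 2 -W 3 "$1" >/dev/null 2>&1; }
probe_http() { $RUN_IN curl -sS --max-time 5 -o /dev/null "http://$1/" >/dev/null 2>&1; }

# expect_result PROBE HOST ok|fail : 0 when the observed outcome matches
expect_result() {
    probe=$1; host=$2; want=$3
    if "$probe" "$host"; then got=ok; else got=fail; fi
    if [ "$got" = "$want" ]; then
        printf 'PASS %-10s %-12s expected %s\n' "$probe" "$host" "$want"
        return 0
    fi
    printf 'FAIL %-10s %-12s expected %s, got %s\n' "$probe" "$host" "$want" "$got"
    return 1
}

# check_stage STAGE : 0 when every probe matches the demo's stated outcome
#   before-sfc   - SDEWAN controller deployed, sfc.yaml not yet applied
#   with-sfc     - sfc.yaml applied
#   icmp-reject  - firewall-rule-reject-icmp-right-pnetwork.yaml applied
check_stage() {
    stage=$1; rc=0
    case "$stage" in
        before-sfc)
            expect_result probe_icmp google.com  fail || rc=1
            expect_result probe_http example.com fail || rc=1 ;;
        with-sfc)
            expect_result probe_icmp google.com  ok || rc=1
            expect_result probe_http example.com ok || rc=1 ;;
        icmp-reject)
            expect_result probe_icmp google.com  fail || rc=1
            expect_result probe_http example.com ok   || rc=1 ;;
        *)
            echo "unknown stage: $stage (before-sfc|with-sfc|icmp-reject)" >&2
            return 2 ;;
    esac
    return $rc
}

# Usage: STAGE=with-sfc sh check.sh   (or RUN_IN="kubectl exec ... --" for ms1)
STAGE=${STAGE:-}
if [ -n "$STAGE" ]; then
    check_stage "$STAGE"
fi
```

The exit status of `check_stage` (0 match, 1 mismatch, 2 unknown stage) makes it usable as a gate in a CI job that applies each manifest in turn.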
[1]: https://www.vagrantup.com/
[2]: https://www.vagrantup.com/docs/cli/
[3]: https://www.github.com/akraino-edge-stack/icn-sdwan