NSX Container Plugin (NCP) provides integration between NSX and container orchestrators such as Kubernetes, as well as integration between NSX and container-based PaaS (platform as a service) software products such as OpenShift.

This guide describes setting up NCP with OpenShift 4. To set up NCP with OpenShift 3, see the NCP 2.5 version of this guide.

The main component of NCP runs in a container and communicates with NSX Manager and with the OpenShift control plane. NCP monitors changes to containers and other resources and manages networking resources such as logical ports, switches, routers, and security groups for the containers by calling the NSX Policy API.

The NSX CNI plugin runs on each OpenShift node. It monitors container life cycle events, connects a container interface to the guest vSwitch, and programs the guest vSwitch to tag and forward container traffic between the container interfaces and the VNIC.

NCP provides the following functionality:
  • Automatically creates an NSX logical topology for an OpenShift cluster, and creates a separate logical network for each OpenShift namespace.
  • Connects OpenShift pods to the logical network, and allocates IP and MAC addresses.
  • Supports network address translation (NAT) and allocates a separate SNAT IP for each OpenShift namespace.
    Note: When configuring NAT, the total number of translated IPs cannot exceed 1000.
  • Implements OpenShift network policies with NSX distributed firewall.
    • Support for ingress and egress network policies.
    • Support for IPBlock selector in network policies.
    • Support for matchLabels and matchExpressions when specifying label selectors for network policies.
  • Implements OpenShift route with NSX layer 7 load balancer.
    • Support for HTTP route and HTTPS route with TLS edge termination.
    • Support for routes with alternate backends and wildcard subdomains.
  • Creates tags on the NSX logical switch port for the namespace, pod name, and labels of a pod, and allows the administrator to define NSX security groups and policies based on the tags.
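
The network policy support listed above (ingress and egress rules, IPBlock, matchLabels and matchExpressions) can be exercised with a single standard `networking.k8s.io/v1` manifest. This is an added example, not taken from the NCP documentation; the namespace, labels, CIDRs and ports are hypothetical.

```yaml
# Added example: standard Kubernetes NetworkPolicy, not from the NCP guide.
# Namespace, labels, CIDRs and ports below are hypothetical.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: orders-db-restrict
  namespace: shop
spec:
  # matchLabels: the pods this policy isolates.
  podSelector:
    matchLabels:
      app: orders-db
  # Listing both types makes the selected pods default-deny in both
  # directions; only the traffic allowed below is permitted.
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        # matchExpressions: pods in the same namespace whose "tier"
        # label is either "api" or "worker".
        - podSelector:
            matchExpressions:
              - key: tier
                operator: In
                values: ["api", "worker"]
        # ipBlock: an admin subnet, excluding one host inside it.
        - ipBlock:
            cidr: 10.20.0.0/24
            except:
              - 10.20.0.99/32
      ports:
        - protocol: TCP
          port: 5432
  egress:
    # Only one external range on TCP 443 is reachable. No DNS rule is
    # included, so the selected pods cannot resolve names unless a
    # further egress rule for the cluster DNS service is added.
    - to:
        - ipBlock:
            cidr: 10.30.5.0/28
      ports:
        - protocol: TCP
          port: 443
```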