NSX Container Plug-in (NCP) provides integration between NSX-T Data Center and container orchestrators such as Kubernetes, as well as integration between NSX-T Data Center and container-based PaaS (platform as a service) products such as OpenShift and Pivotal Cloud Foundry. This guide describes setting up NCP with Kubernetes and Pivotal Cloud Foundry.
The main component of NCP runs in a container and communicates with NSX Manager and with the Kubernetes control plane. NCP monitors changes to containers and other resources and manages networking resources such as logical ports, switches, routers, and security groups for the containers by calling the NSX API.
The NSX CNI plug-in runs on each Kubernetes node. It monitors container life cycle events, connects a container interface to the guest vSwitch, and programs the guest vSwitch to tag and forward container traffic between the container interfaces and the VNIC.
- Automatically creates an NSX-T Data Center logical topology for a Kubernetes cluster, and creates a separate logical network for each Kubernetes namespace.
- Connects Kubernetes pods to the logical network, and allocates IP and MAC addresses.
- Supports network address translation (NAT) and allocates a separate SNAT IP for each Kubernetes namespace.
Note: When configuring NAT, the total number of translated IPs cannot exceed 1000.
- Implements Kubernetes network policies with NSX-T Data Center distributed firewall.
- Support for ingress and egress network policies.
- Support for IPBlock selector in network policies.
- Support for matchLabels and matchExpression when specifying label selectors for network policies.
- Support for selecting pods in another namespace.
- Implements Kubernetes service of type ClusterIP and service of type LoadBalancer.
- Implements Kubernetes Ingress with NSX-T layer 7 load balancer.
- Support for HTTP Ingress and HTTPS Ingress with TLS edge termination.
- Support for Ingress default backend configuration.
- Support for redirect to HTTPS, path rewrite, and path pattern matching.
- Creates tags on the NSX-T Data Center logical switch port for the namespace, pod name, and labels of a pod, and allows the administrator to define NSX-T security groups and policies based on the tags.
- Multicast is supported between pods in the same namespace, but is not supported between pods in different namespaces.
NCP supports a single Kubernetes cluster. You can have multiple Kubernetes clusters, each with its distinct NCP instance, using the same NSX-T Data Center deployment.