Best practices for OpenShiftSDN to OVNKubernetes CNI Offline migration

Migration to OVNKubernetes from OpenShiftSDN has been available since OpenShift Container Platform 4.8. This article collects accumulated wisdom from knowledge base solutions and recent (OCP 4.16 timeframe) updates to the documentation. Be sure to start with the "Offline migration to the OVN-Kubernetes network plugin overview" section of the product documentation in the Networking Guide.

Knowledge base resources

| Resource | Description |
| --- | --- |
| OpenShiftSDN CNI removal in OCP 4.17 | This article explains which releases of OCP with OpenShiftSDN are upgradable and available for new installations. It also has the removal notice for 4.17. |
| Recommended practice to follow before Openshift SDN network plugin migration to OVNKubernetes plugin | A list of pre-checks to perform before migration, with specific guidance on IP address ranges and when and how to use routingViaHost. |
| Clusters that depend on static routes and/or routing policies on the host network need local gateway mode set during migration | If pods require host networking routes in order to reach some destinations, additional actions are required. |
| Unable to add nodes after OpenShift SDN to OVN migration | Be sure to use the latest RHCOS image when adding new nodes. |
| POD's default CIDR overlaps other external services within network | When migrating to OVNKubernetes there are reserved IP address ranges. |
| OpenShift update stuck after migrating to OVN-Kubernetes with Trident CSI | Customers using the NetApp Trident CSI may need to take additional actions when migrating. |
| OpenShift etcd backup fails with 'FIPS mode is enabled, but the required OpenSSL library is not available' | In a FIPS-enabled environment, make sure you are upgrading to a release where this issue has been solved. |
| Network Cluster Operator stuck in Degraded state due to kube-proxy options during SDN to OVN migration | If you have configured kubeProxyConfig, you may need to take additional actions to migrate. |
| An externalIP of Service not reachable from other namespaces within the same cluster after OVN migration | When using externalIPs with externalTrafficPolicy=Local, additional actions may be required to migrate. |
| OVN-InterConnection/OVN Node to pod communication not working in Openshift 4.14 | Cloned disks have been shown to be an issue after an upgrade. |
| When doing offline SDN migration, setting the parameter "spec.migration.features.egressIP" to "false" to disable automatic migration of egressIP configuration doesn't work | Updating "egressIP":false in CNO does not prevent egressIP migration. |
| Does Red Hat support automation steps/script for migration of SDN to OVN? | Red Hat does not recommend scripting CNI migrations. |
| Openshift onboard applications performing reserve dns query may face performance issue after migrating OCP cluster from SDN to OVN | OpenShift onboard applications performing reverse DNS queries observe latency after migration to OVN. |
| Multitenant isolated ExternalIP is not reachable from other namespaces after OVN migration | When using NetworkPolicies to emulate multitenant isolated namespaces, Services using ExternalIP are not reachable from other namespaces after OVN migration. |

Recent documentation improvements
The following is a list of improvements that have either been made to, or requested for, the migration chapter of the networking guide.

| Resource | Description |
| --- | --- |
| Avoid reverting network plugin when migration is in ongoing | See the IMPORTANT note: You must wait until the migration process from OpenShift SDN to OVN-Kubernetes network plugin is successful before initiating a rollback. |
| If egress firewall rule includes a deny rule for 0.0.0.0/0, access to your OpenShift Container Platform API servers is blocked | See the IMPORTANT note for the additional actions required. This is tracked in OCPBUGS-35079. |
| Wait for the MCO update to reboot all nodes in Step 2 of the migration procedure before proceeding | This is tracked in OCPBUGS-34823. |
| Avoid patching network.operator and network.config simultaneously in rollback procedure | Patch the network.operator first. Once the networkType is 'OpenShiftSDN', then patch the network.config. |
| Node reboot should include serial control plane reboot instructions | The control plane nodes that get rebooted during the migration process should be restarted one at a time. |
| Upgrade to latest z-stream before SDN to OVN-Kubernetes migration | Get the latest bug fixes that could improve your migration experience. |
| Bonds configured with the primary interface with NMState in SDN are not configurable in OVN-K | It was possible to use the Kubernetes NMState operator to configure a bond on the primary interface in OpenShiftSDN. That is not possible with OVNKubernetes. A cluster in this state migrated to OVNKubernetes will still have a bond configured, but it won't be manageable with NMState. |

Potential bugs to be aware of

| Resource | Description |
| --- | --- |
| ExternalIP is not reachable from other namespaces after OVN migration | Different behavior between the SDN and OVN-K CNIs was detected when reaching an externalIP from a pod in the cluster. |
| Issue accessing Service NodePort/ExternalIP with externalTrafficPolicy: Local on multitenant isolated project | Different behavior was detected for a pod behind a service with "externalTrafficPolicy: Local". |
| ClusterNetwork not working at first start when multiple subnets are configured | Clusters with two different clusterNetworks and different hostPrefixes will experience some traffic failing between the two clusterNetworks. |