What is network-node-identity pod?

Solution Unverified - Updated

Environment

  • Red Hat OpenShift Container Platform (RHOCP)
    • 4.14 and later

Issue

  • A new Pod named network-node-identity has been added since version 4.14. What is its purpose?

Resolution

Disclaimer: Links contained herein to external website(s) are provided for convenience only. Red Hat has not reviewed the links and is not responsible for the content or its availability. The inclusion of any link to an external website does not imply endorsement by Red Hat of the website or their entities, products or services. You agree that Red Hat is not responsible or liable for any loss or expenses that may result due to your use of (or reliance on) the external site or content.

In the OVN-Kubernetes CNI plugin, which provides the container network for OpenShift, an ovnkube-node DaemonSet runs a Pod on each node. OVN-Kubernetes Node Identity is a security feature that restricts the nodes that ovnkube-node can access and reduces its permissions. The network-node-identity Pod implements that feature. For more details, see the following upstream documentation.

ovn-kubernetes/docs/features/infrastructure-security-controls/node-identity.md at master · ovn-org/ovn-kubernetes (github.com)

Diagnostic Steps

$ oc get pod -n openshift-network-node-identity
NAME                          READY   STATUS    RESTARTS      AGE
network-node-identity-2s2gn   2/2     Running   1 (16h ago)   16h
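The following script is an added example and is not part of the Red Hat solution: it turns the diagnostic check above into a repeatable health check. It reads the tabular output of `oc get pod -n openshift-network-node-identity --no-headers`, and reports any network-node-identity Pod that is not Running with all of its containers ready. The function name check_nni_pods and the sample output lines (including the unhealthy second Pod) are constructed for this example; when the `oc` client is on the PATH the live command is used instead.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): health check for the
# network-node-identity Pods. Constructed sample output used when `oc`
# is not available; the second line is deliberately unhealthy.
SAMPLE_OUTPUT='network-node-identity-2s2gn   2/2     Running   1 (16h ago)   16h
network-node-identity-7xk9p   1/2     CrashLoopBackOff   5 (2m ago)   16h'

# check_nni_pods: reads "NAME READY STATUS RESTARTS AGE" lines on stdin
# (the --no-headers form of `oc get pod`), prints one verdict per Pod and
# returns 0 only if every network-node-identity Pod is Running with all
# containers ready (READY column is "n/n").
check_nni_pods() {
    rc=0
    while read -r name ready status rest; do
        [ -z "$name" ] && continue
        # Ignore anything that is not a network-node-identity Pod.
        case "$name" in
            network-node-identity-*) ;;
            *) continue ;;
        esac
        ready_n=${ready%/*}   # containers ready
        total_n=${ready#*/}   # containers in the Pod
        if [ "$status" = "Running" ] && [ "$ready_n" = "$total_n" ]; then
            echo "OK   $name ($ready ready)"
        else
            echo "FAIL $name status=$status ready=$ready"
            rc=1
        fi
    done
    return $rc
}

if command -v oc >/dev/null 2>&1; then
    oc get pod -n openshift-network-node-identity --no-headers | check_nni_pods \
        || echo "one or more network-node-identity Pods are unhealthy"
else
    echo "oc not found; checking constructed sample output instead"
    printf '%s\n' "$SAMPLE_OUTPUT" | check_nni_pods \
        || echo "one or more network-node-identity Pods are unhealthy"
fi
```

A non-zero return from check_nni_pods is the signal to investigate with `oc describe pod` and `oc logs` in the openshift-network-node-identity namespace; a high RESTARTS count on a Running Pod is also worth a look even though this check treats it as healthy.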

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.