
Purpose: For network engineers, shows how to configure CNI plugins, load balancers, and network policies, covering network topology through security.

Kubernetes networking in openCenter is highly configurable. This guide shows you how to configure CNI plugins, load balancers, subnets, and network security.

Prerequisites

  • openCenter CLI installed

  • Cluster configuration created

  • Understanding of Kubernetes networking concepts (helpful)

Network Topology

Default Network Configuration

openCenter uses these default CIDR ranges:

opencenter:
  cluster:
    kubernetes:
      subnet_pods: "10.42.0.0/16"        # Pod network (65,536 IPs)
      subnet_services: "10.43.0.0/16"    # Service network (65,536 IPs)
    networking:
      subnet_nodes: "10.2.128.0/22"      # Node network (1,024 IPs)

Customize Network Ranges

Change CIDR ranges to avoid conflicts:

opencenter:
  cluster:
    kubernetes:
      subnet_pods: "10.244.0.0/16"
      subnet_services: "10.245.0.0/16"
    networking:
      subnet_nodes: "192.168.1.0/24"

❗ IMPORTANT: Ensure the ranges don’t overlap with:

  • Existing network infrastructure

  • VPN networks

  • Other Kubernetes clusters
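The overlap rule above is easy to get wrong by eye (a corporate 10.0.0.0/12 quietly swallows the default node subnet). As an added example, not code from openCenter, the following script checks the pod, service and node CIDRs against each other and against a list of ranges the cluster must stay clear of. The cluster values are the defaults from this page; EXTERNAL_RANGES is constructed for the example, with two entries deliberately in conflict.

```python
"""Overlap check for openCenter pod, service and node CIDRs.

Added example for this guide, not code from openCenter. The cluster values
are the defaults shown above; EXTERNAL_RANGES is a constructed stand-in for
your own infrastructure, VPN and other-cluster ranges.
"""
import ipaddress
from itertools import combinations

# Mirrors opencenter.cluster.kubernetes.* and opencenter.cluster.networking.*
DEFAULT_CLUSTER_CIDRS = {
    "kubernetes.subnet_pods": "10.42.0.0/16",
    "kubernetes.subnet_services": "10.43.0.0/16",
    "networking.subnet_nodes": "10.2.128.0/22",
}

# Constructed: ranges the cluster must not collide with. The first two are
# chosen to conflict so the example has something to report.
EXTERNAL_RANGES = {
    "corp-lan": "10.0.0.0/12",         # 10.0.0.0-10.15.255.255 swallows subnet_nodes
    "cluster-b-pods": "10.43.0.0/16",  # another cluster reusing our service CIDR
    "vpn": "172.16.0.0/12",
}


def find_overlaps(cluster, external=None):
    """Return (name_a, name_b) pairs whose networks overlap.

    Cluster ranges are compared with each other and with every external
    range. strict=False accepts '10.2.128.1/22' as 10.2.128.0/22 instead of
    raising on set host bits; ValueError still propagates for junk strings.
    """
    nets = {n: ipaddress.ip_network(c, strict=False) for n, c in cluster.items()}
    ext = {n: ipaddress.ip_network(c, strict=False) for n, c in (external or {}).items()}
    conflicts = [(a, b) for (a, na), (b, nb) in combinations(nets.items(), 2) if na.overlaps(nb)]
    conflicts += [(a, b) for a, na in nets.items() for b, nb in ext.items() if na.overlaps(nb)]
    return conflicts


def address_counts(cluster):
    """Total addresses per range, the figure the inline comments above quote."""
    return {n: ipaddress.ip_network(c, strict=False).num_addresses for n, c in cluster.items()}


if __name__ == "__main__":
    for name, count in address_counts(DEFAULT_CLUSTER_CIDRS).items():
        print(f"{name:28} {DEFAULT_CLUSTER_CIDRS[name]:16} {count:>6} addresses")
    found = find_overlaps(DEFAULT_CLUSTER_CIDRS, EXTERNAL_RANGES)
    for a, b in found:
        print(f"CONFLICT: {a} overlaps {b}")
    raise SystemExit(1 if found else 0)
```

Run it before `opencenter cluster validate`; a non-zero exit means at least one collision. Replace EXTERNAL_RANGES with the real list from your IPAM, including the pod and service CIDRs of every other cluster that will be routed or peered with this one.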

CNI Plugin Configuration

Calico (Default)

Calico is enabled by default. For OpenStack clusters, openCenter installs the bundled Calico v3.32.0 manifests (the native projectcalico.org/v3 CRDs, the Tigera operator, and custom-resources-bpf.yaml with eBPF mode enabled) after kubeconfig normalization:

opencenter:
  cluster:
    kubernetes:
      network_plugin:
        calico:
          enabled: true
          version: "3.32.0"
          install_method: helm
          network_policy: true

The Calico manifests are bundled in the CLI for offline installation. The target cluster still needs access to the referenced container images or to a registry mirror.

OpenStack Calico eBPF Behavior

The OpenStack bundled installer patches the cluster pod CIDR into Calico’s default IP pool and preserves Tigera’s eBPF settings:

  • linuxDataplane: BPF

  • bpfNetworkBootstrap: Enabled

  • kubeProxyManagement: Enabled

The bundled installer does not use Kubespray Calico interface-detection or encapsulation settings.

Cilium

Enable Cilium with eBPF and kube-proxy replacement:

opencenter:
  cluster:
    kubernetes:
      network_plugin:
        calico:
          enabled: false
        cilium:
          enabled: true
          install_method: helm
          operator_enabled: true
          kube_proxy_replacement: true

📌 NOTE: Only one CNI plugin can be enabled at a time. For OpenStack clusters, CNI installation happens after kubeconfig normalization with install_method: helm or install_method: kustomize-helm; Kubespray is not used to install CNIs. Calico accepts those install_method values for compatibility, but on OpenStack Calico always uses the bundled eBPF manifest installer.

Kube-OVN

Enable Kube-OVN with optional Cilium integration:

opencenter:
  cluster:
    kubernetes:
      network_plugin:
        calico:
          enabled: false
        kube-ovn:
          enabled: true
          install_method: helm
          cilium_integration: true

Load Balancer Configuration

OVN Load Balancer (Default)

Use OVN for load balancing (no external dependency):

opencenter:
  cluster:
    kubernetes:
      loadbalancer_provider: "ovn"
    networking:
      use_octavia: false
      loadbalancer_provider: "ovn"

Octavia Load Balancer

Use OpenStack Octavia for production load balancing:

opencenter:
  cluster:
    kubernetes:
      loadbalancer_provider: "octavia"
    networking:
      use_octavia: true
      loadbalancer_provider: "octavia"

Requirements:

  • OpenStack cloud with Octavia service

  • Sufficient Octavia quota

MetalLB

Use MetalLB for bare metal or VMware:

opencenter:
  cluster:
    kubernetes:
      loadbalancer_provider: "metallb"

Configure the IP address pool (with the MetalLB CRDs, addresses from an IPAddressPool are allocated but not announced until an L2Advertisement or BGPAdvertisement references the pool):

# In GitOps repository after setup
# applications/overlays/<cluster>/services/metallb/ipaddresspool.yaml
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: default
  namespace: metallb-system
spec:
  addresses:
  - 192.168.1.100-192.168.1.200

No Load Balancer

Disable load balancer (NodePort only):

opencenter:
  cluster:
    kubernetes:
      loadbalancer_provider: "none"

VRRP Configuration

Enable VRRP

For high availability without Octavia:

opencenter:
  cluster:
    networking:
      vrrp_enabled: true
      vrrp_ip: "10.0.0.10"
      use_octavia: false

❗ IMPORTANT: vrrp_ip is required when use_octavia=false and vrrp_enabled=true.

Disable VRRP

When using Octavia:

opencenter:
  cluster:
    networking:
      vrrp_enabled: false
      use_octavia: true

DNS Configuration

Cluster DNS

Configure DNS nameservers for nodes:

opencenter:
  cluster:
    networking:
      dns_nameservers:
        - "8.8.8.8"
        - "8.8.4.4"

Use internal DNS:

opencenter:
  cluster:
    networking:
      dns_nameservers:
        - "10.0.0.53"
        - "10.0.0.54"

OpenStack Designate

Enable DNS integration with OpenStack Designate:

opencenter:
  cluster:
    networking:
      use_designate: true
      dns_zone_name: "k8s.example.com"
    kubernetes:
      dns_zone_name: "k8s.example.com"

Configure Designate in infrastructure:

opencenter:
  infrastructure:
    cloud:
      openstack:
        networking:
          designate:
            dns_zone_name: "k8s.example.com"

NTP Configuration

Configure time synchronization:

opencenter:
  cluster:
    networking:
      ntp_servers:
        - "time.sjc3.rackspace.com"
        - "time2.sjc3.rackspace.com"

Use public NTP:

opencenter:
  cluster:
    networking:
      ntp_servers:
        - "0.pool.ntp.org"
        - "1.pool.ntp.org"

VLAN Configuration

OpenStack VLAN

Configure VLAN for OpenStack networking:

opencenter:
  infrastructure:
    cloud:
      openstack:
        networking:
          vlan:
            id: "100"
            mtu: 1500
            provider: "physnet1"

Cluster VLAN

Configure VLAN at cluster level:

opencenter:
  cluster:
    networking:
      vlan:
        id: "100"
        mtu: 1500
        provider: "physnet1"

Network Allocation

Node Network Allocation

Configure IP allocation pool for nodes:

opencenter:
  cluster:
    networking:
      subnet_nodes: "10.2.128.0/22"
      allocation_pool_start: "10.2.128.10"
      allocation_pool_end: "10.2.131.250"

This reserves:

  • 10.2.128.1-9 for infrastructure (gateway, DNS, etc.)

  • 10.2.128.10-10.2.131.250 for nodes

  • 10.2.131.251-254 for future use

Kubernetes API Access

API Port

Configure Kubernetes API server port:

opencenter:
  cluster:
    kubernetes:
      api_port: 443  # Default HTTPS port

Use custom port:

opencenter:
  cluster:
    kubernetes:
      api_port: 6443  # Traditional Kubernetes port

API Access Control

Configure allowed CIDR blocks for API access:

opencenter:
  cluster:
    k8s_api_port_acl:
      - "10.0.0.0/8"      # Internal network
      - "192.168.1.0/24"  # Office network

Allow from anywhere (not recommended for production):

opencenter:
  cluster:
    k8s_api_port_acl:
      - "0.0.0.0/0"

Network Security

OS Hardening

Enable operating system network hardening:

opencenter:
  cluster:
    networking:
      security:
        os_hardening: true

This configures:

  • Firewall rules

  • Kernel parameters (IP forwarding, etc.)

  • Network security modules

CA Certificates

Add custom CA certificates:

opencenter:
  cluster:
    networking:
      security:
        ca_certificates: |
          -----BEGIN CERTIFICATE-----
          MIIDXTCCAkWgAwIBAgIJAKZ...
          -----END CERTIFICATE-----

Gateway API Configuration

Enable Gateway API

Gateway API is enabled by default:

opencenter:
  services:
    gateway-api:
      enabled: true
    gateway:
      enabled: true

HTTPRoute Hostname Format

Services use this hostname pattern:

<service>.<org>.<cluster>.<region>.k8s.opencenter.cloud

Example:

auth.my-org.my-cluster.sjc3.k8s.opencenter.cloud

Configure base domain:

opencenter:
  cluster:
    base_domain: "k8s.opencenter.cloud"
    cluster_fqdn: "my-cluster.sjc3.k8s.opencenter.cloud"

Network Validation

Validate network configuration:

opencenter cluster validate

This checks:

  • CIDR ranges don’t overlap

  • Required fields are set (VRRP IP when needed)

  • Network topology is valid

  • DNS configuration is correct
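Several of the rules on this page are mechanical enough to lint locally before running `opencenter cluster validate`: the vrrp_ip requirement from VRRP Configuration, the allocation pool arithmetic from Network Allocation, and the "not recommended" 0.0.0.0/0 entry from API Access Control. The following script is an added example, not openCenter's validator; it works on a constructed config dict laid out like the YAML in this guide, and the "VIP inside the allocation pool" warning is an assumed best practice, not a rule the page states.

```python
"""Offline lint for the opencenter.cluster networking settings in this guide.

Added example, not openCenter code. It re-implements the checks the guide
lists under Network Validation (required vrrp_ip, allocation pool inside
subnet_nodes) plus a sanity check on k8s_api_port_acl, on a constructed
config dict laid out like the YAML above. In real use load the file with
yaml.safe_load(open("cluster.yaml"))["opencenter"] instead of GOOD_CONFIG.
"""
import ipaddress

# Constructed: VRRP without Octavia, VIP parked in the reserved head of the node subnet.
GOOD_CONFIG = {
    "cluster": {
        "k8s_api_port_acl": ["10.0.0.0/8", "192.168.1.0/24"],
        "networking": {
            "subnet_nodes": "10.2.128.0/22",
            "allocation_pool_start": "10.2.128.10",
            "allocation_pool_end": "10.2.131.250",
            "use_octavia": False,
            "vrrp_enabled": True,
            "vrrp_ip": "10.2.128.5",
        },
    }
}

# Constructed: three mistakes the lint should catch.
BAD_CONFIG = {
    "cluster": {
        "k8s_api_port_acl": ["0.0.0.0/0"],
        "networking": {
            "subnet_nodes": "192.168.1.0/24",
            "allocation_pool_start": "192.168.1.10",
            "allocation_pool_end": "192.168.2.250",  # runs past the /24
            "use_octavia": False,
            "vrrp_enabled": True,                     # but no vrrp_ip
        },
    }
}


def pool_breakdown(subnet, start, end):
    """Split subnet_nodes into head-reserved, pool and tail-reserved counts.

    Usable addresses exclude the network and broadcast address, matching the
    "This reserves" bullets above. Raises ValueError if the pool is not an
    ordered range inside the usable part of the subnet.
    """
    net = ipaddress.ip_network(subnet, strict=True)
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    first, last = net.network_address + 1, net.broadcast_address - 1
    if not (first <= lo <= hi <= last):
        raise ValueError(f"{start}-{end} is not inside usable range {first}-{last}")
    return {"head_reserved": int(lo) - int(first),
            "pool": int(hi) - int(lo) + 1,
            "tail_reserved": int(last) - int(hi)}


def lint(config):
    """Return 'ERROR: ...' / 'WARN: ...' findings; an empty list means clean."""
    findings = []
    cluster = config["cluster"]
    net = cluster.get("networking", {})

    # 1. vrrp_ip is mandatory when VRRP carries the API VIP instead of Octavia.
    vip = None
    if not net.get("use_octavia", False) and net.get("vrrp_enabled", False):
        raw = net.get("vrrp_ip")
        if not raw:
            findings.append("ERROR: vrrp_ip is required when use_octavia=false and vrrp_enabled=true")
        else:
            try:
                vip = ipaddress.ip_address(raw)
            except ValueError:
                findings.append(f"ERROR: vrrp_ip {raw!r} is not a valid IP address")

    # 2. Allocation pool must be a valid range inside subnet_nodes.
    keys = ("subnet_nodes", "allocation_pool_start", "allocation_pool_end")
    if all(k in net for k in keys):
        try:
            pool_breakdown(*(net[k] for k in keys))
        except ValueError as exc:
            findings.append(f"ERROR: allocation pool: {exc}")
        else:
            # Assumed best practice, not a rule from the guide: keep the VIP out of
            # the pool so Neutron cannot hand the same address to a node.
            lo = ipaddress.ip_address(net["allocation_pool_start"])
            hi = ipaddress.ip_address(net["allocation_pool_end"])
            if vip is not None and vip.version == lo.version and lo <= vip <= hi:
                findings.append(f"WARN: vrrp_ip {vip} lies inside the node allocation pool")

    # 3. Every ACL entry must be a CIDR; a zero-length prefix opens the API to everyone.
    for entry in cluster.get("k8s_api_port_acl", []):
        try:
            acl = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"ERROR: k8s_api_port_acl entry {entry!r} is not a CIDR")
            continue
        if acl.prefixlen == 0:
            findings.append(f"WARN: k8s_api_port_acl {entry} exposes the API server to any source")
    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, lint(cfg) or ["clean"])
```

`pool_breakdown` reproduces the 9 / 1009 / 4 split behind the "This reserves" bullets for the default /22, and raises for a pool that spills past the subnet, which Neutron would reject anyway. Treat the ACL warning as a hard failure in CI for production clusters; the ACL limits who can reach the API port, it does not replace authentication on it.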

Apply Network Changes

After changing network configuration:

  1. Validate:

     ```bash
     opencenter cluster validate
     ```

  2. Regenerate manifests:

     ```bash
     opencenter cluster generate
     ```

  3. Review changes:

     ```bash
     cd <git_dir>
     git diff
     ```

  4. Commit and push:

     ```bash
     git add .
     git commit -m "Update network configuration"
     git push
     ```

⚠️ WARNING: Changing the CNI plugin or network ranges on an existing cluster requires a cluster rebuild.

Troubleshooting

Pod Network Issues

Problem: Pods can’t communicate

Solution: Check CNI plugin status:

# Calico (Tigera operator)
kubectl get pods -n calico-system
kubectl get tigerastatus calico

# Cilium
kubectl get pods -n kube-system -l k8s-app=cilium

# Kube-OVN
kubectl get pods -n kube-system -l app.kubernetes.io/part-of=kube-ovn

Verify interface configuration:

kubectl exec -n calico-system <calico-pod> -- ip addr

Load Balancer Not Working

Problem: LoadBalancer services stuck in Pending

Solution: Check load balancer provider:

# For Octavia
kubectl logs -n kube-system <openstack-cloud-controller-manager-pod>

# For MetalLB
kubectl get ipaddresspool -n metallb-system
kubectl logs -n metallb-system <metallb-controller-pod>

DNS Resolution Fails

Problem: Pods can’t resolve DNS names

Solution: Check CoreDNS:

kubectl get pods -n kube-system -l k8s-app=kube-dns   # CoreDNS pods carry the kube-dns label
kubectl logs -n kube-system <coredns-pod>

Verify DNS configuration:

kubectl get configmap coredns -n kube-system -o yaml

VRRP IP Conflict

Problem: VRRP IP already in use

Solution: Choose different IP:

opencenter:
  cluster:
    networking:
      vrrp_ip: "10.0.0.11"  # Different IP

Verify the IP is not in use before assigning it. A ping timeout only proves that nothing answered ICMP; a host that drops ICMP still looks free, so on the node subnet an ARP probe from a host on the same L2 segment is the stronger check:

ping -c 3 10.0.0.11     # should time out
arping -c 3 10.0.0.11   # should report no replies

Next Steps

  • Customize Services (customize-services.md) - Configure network-related services

  • Add Worker Pools (add-worker-pools.md) - Scale network capacity

  • Troubleshoot Deployment (troubleshoot-deployment.md) - Fix network issues


Evidence

This how-to guide is based on:

  • Network defaults: internal/config/defaults.go:177-179,204-205

  • CNI configuration: internal/config/defaults.go:214-237

  • Schema network plugin: schema/cluster.schema.json:300-400

  • Load balancer config: internal/config/defaults.go:206

  • VRRP validation: tests/features/workflow.feature:38-50

  • Session 1 networking review: A7

  • Session 2 facts inventory: B0 section 5