:original_name: cce_10_0196.html

.. _cce_10_0196:

NetworkAttachmentDefinition
===========================

Scenario
--------

In a CCE Turbo cluster, you can set the subnet and security group for containers by namespace using NetworkAttachmentDefinition (NAD), a `CRD `__ resource in the cluster. After a NetworkAttachmentDefinition is configured for a namespace, pods in that namespace support the following functions:

- Binding containers to a subnet: pod IP addresses are allocated from the selected subnet's CIDR block, so the pods of different namespaces can be placed in different subnets and kept apart from each other.
- Binding containers to a security group: the security group rules apply to every pod in the namespace, so access policies can be customized per namespace.

Placing namespaces in separate subnets only separates their address ranges; traffic between them is still governed by the security group rules. Plan both together, and give each namespace a security group that allows only the traffic it needs.

Constraints
-----------

- NetworkAttachmentDefinition is available only in CCE Turbo clusters of v1.23.8-r0, v1.25.3-r0, and later.
- Only **default-network** supports ENI preheating; user-defined container subnets do not. Without ENI preheating, ENIs are bound only when pods are created, so workload instances start more slowly. This function is therefore not suitable for scenarios that require high-performance pod creation.
- Before deleting a NetworkAttachmentDefinition, delete the pods that were created with it in the corresponding namespace (they carry the **cni.yangtse.io/network-status** annotation). For details, see :ref:`Deleting a Network Configuration <cce_10_0196__en-us_topic_0000001199021176_section2314125415245>`.

Using the CCE Console
---------------------

#. Log in to the CCE console.
#. Click the cluster name to access the cluster console. Choose **System Configuration** in the navigation pane and click the **Network Configuration** tab.

   .. note::

      Each cluster has a **default-network** for namespaces that have no container subnet of their own. The default container subnet shown in the network information of the networking configuration area is the container subnet of **default-network**. The **default-network** cannot be deleted.

#. Click **Create Network Configurations** in the upper right corner and configure the basic parameters in the displayed dialog box.

   - **Name**: Enter a user-defined name of up to 253 characters. Do not use **default-network**, **default**, **mgnt0**, or **mgnt1**.
   - **Namespace**: Select a namespace. Each namespace can be bound to only one configuration.
   - **Subnet**: Select one or more subnets (a maximum of 20). If no subnet is available, click **Create Subnet** to create one, then click the refresh button.
   - **Associate Security Group**: Defaults to the container ENI security group. To apply namespace-specific rules, click **Create Security Group** to create a dedicated security group, then click the refresh button.

#. Click **Create**. After the creation is complete, you are redirected to the network configuration list, where the newly added subnet is listed.

Using kubectl
-------------

This section describes how to create a NetworkAttachmentDefinition (NAD) using kubectl.

#. Use kubectl to connect to the cluster. For details, see :ref:`Connecting to a Cluster Using kubectl `.

#. Create the **networkattachment-test.yaml** file with the following content. The **config** field is a JSON document embedded in a YAML string, so keep the quoting exactly as shown.

   **vi networkattachment-test.yaml**

   .. code-block::

      apiVersion: k8s.cni.cncf.io/v1
      kind: NetworkAttachmentDefinition
      metadata:
        annotations:
          yangtse.io/project-id: 05e38**
        name: example
        namespace: kube-system
      spec:
        config: '
          {
            "type":"eni-neutron",
            "args":{
              "securityGroups":"41891**",
              "subnets":[
                {
                  "subnetID":"27d95**"
                }
              ]
            },
            "selector":{
              "namespaceSelector":{
                "matchLabels":{
                  "kubernetes.io/metadata.name":"default"
                }
              }
            }
          }'

   .. table:: **Table 1** Key parameters

      +-----------------------+-----------+-------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------+
      | Parameter             | Mandatory | Type                                                                                | Description                                                                                |
      +=======================+===========+=====================================================================================+==========================================================================================+
      | apiVersion            | Yes       | String                                                                              | API version. The value is fixed at **k8s.cni.cncf.io/v1**.                                 |
      +-----------------------+-----------+-------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------+
      | kind                  | Yes       | String                                                                              | Type of the object to be created. The value is fixed at **NetworkAttachmentDefinition**. |
      +-----------------------+-----------+-------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------+
      | yangtse.io/project-id | Yes       | String                                                                              | Project ID.                                                                                |
      +-----------------------+-----------+-------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------+
      | name                  | Yes       | String                                                                              | Configuration item name.                                                                   |
      +-----------------------+-----------+-------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------+
      | namespace             | Yes       | String                                                                              | Namespace of the configuration resource. The value is fixed at **kube-system**.            |
      +-----------------------+-----------+-------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------+
      | config                | Yes       | :ref:`Table 2 <cce_10_0196__en-us_topic_0000001199021176_table452992692116>` object | Configuration content, which is a string in JSON format.                                   |
      +-----------------------+-----------+-------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------+

   .. _cce_10_0196__en-us_topic_0000001199021176_table452992692116:

   .. table:: **Table 2** config parameters

      +-----------------+-----------+--------------------------------------------------------------------------------------+----------------------------------------------------+
      | Parameter       | Mandatory | Type                                                                                 | Description                                        |
      +=================+===========+======================================================================================+====================================================+
      | type            | Yes       | String                                                                               | The value is fixed at **eni-neutron**.             |
      +-----------------+-----------+--------------------------------------------------------------------------------------+----------------------------------------------------+
      | args            | No        | :ref:`Table 3 <cce_10_0196__en-us_topic_0000001199021176_table1253012616211>` object | Subnet and security group bindings.                |
      +-----------------+-----------+--------------------------------------------------------------------------------------+----------------------------------------------------+
      | selector        | No        | :ref:`Table 4 <cce_10_0196__en-us_topic_0000001199021176_table696412574307>` object  | Namespace on which the configuration takes effect. |
      +-----------------+-----------+--------------------------------------------------------------------------------------+----------------------------------------------------+

   .. _cce_10_0196__en-us_topic_0000001199021176_table1253012616211:

   .. table:: **Table 3** args parameters

      +-----------------+-----------+---------------------------+------------------------------------------------------------------------------------------+
      | Parameter       | Mandatory | Type                      | Description                                                                                |
      +=================+===========+===========================+==========================================================================================+
      | securityGroups  | No        | String                    | Security group ID. If no security group is planned, use the same security group as       |
      |                 |           |                           | that in **default-network**.                                                             |
      |                 |           |                           |                                                                                          |
      |                 |           |                           | Obtaining the value:                                                                     |
      |                 |           |                           |                                                                                          |
      |                 |           |                           | Log in to the VPC console. In the navigation pane, choose **Access Control** >           |
      |                 |           |                           | **Security Groups**. Click the target security group name and copy the ID on the         |
      |                 |           |                           | **Summary** tab page.                                                                    |
      +-----------------+-----------+---------------------------+------------------------------------------------------------------------------------------+
      | subnets         | Yes       | Array of subnetID Objects | List of container subnet IDs. At least one subnet ID must be entered. The format is as   |
      |                 |           |                           | follows:                                                                                 |
      |                 |           |                           |                                                                                          |
      |                 |           |                           | .. code-block::                                                                          |
      |                 |           |                           |                                                                                          |
      |                 |           |                           |    [{"subnetID":"27d95**"},{"subnetID":"827bb**"},{"subnetID":"bdd6b**"}]                |
      |                 |           |                           |                                                                                          |
      |                 |           |                           | Use subnets in the cluster's VPC that are not already used by the cluster.               |
      |                 |           |                           |                                                                                          |
      |                 |           |                           | Obtaining the value:                                                                     |
      |                 |           |                           |                                                                                          |
      |                 |           |                           | Log in to the VPC console. In the navigation pane, choose **Virtual Private Cloud** >    |
      |                 |           |                           | **Subnets**. Click the target subnet name and copy the **Subnet ID** on the **Summary**  |
      |                 |           |                           | tab page.                                                                                |
      +-----------------+-----------+---------------------------+------------------------------------------------------------------------------------------+

   .. _cce_10_0196__en-us_topic_0000001199021176_table696412574307:

   .. table:: **Table 4** selector parameters

      +-------------------+-----------+--------------------+------------------------------------------------------------------------------------------+
      | Parameter         | Mandatory | Type               | Description                                                                                |
      +===================+===========+====================+==========================================================================================+
      | namespaceSelector | No        | matchLabels Object | A standard Kubernetes label selector. Enter the namespace label in the following format: |
      |                   |           |                    |                                                                                          |
      |                   |           |                    | .. code-block::                                                                          |
      |                   |           |                    |                                                                                          |
      |                   |           |                    |    "matchLabels":{                                                                       |
      |                   |           |                    |      "kubernetes.io/metadata.name":"default"                                             |
      |                   |           |                    |    }                                                                                     |
      |                   |           |                    |                                                                                          |
      |                   |           |                    | Each namespace can be selected by only one configuration.                                |
      +-------------------+-----------+--------------------+------------------------------------------------------------------------------------------+

#. Create the NetworkAttachmentDefinition.

   **kubectl create -f networkattachment-test.yaml**

   If information similar to the following is displayed, the NetworkAttachmentDefinition has been created.

   .. code-block::

      networkattachmentdefinition.k8s.cni.cncf.io/example created
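The manifest above is easy to get wrong by hand because **config** is a JSON document carried inside a YAML string. The following Python script is added here as an example; it is not part of the CCE documentation or tooling. It builds the manifest from plain values and checks it against the constraints this page states (reserved names, the fixed **kube-system** namespace and **eni-neutron** type, at least one subnet, one configuration per namespace), then prints it as JSON, which **kubectl create -f** accepts as a manifest. The project, subnet and security group IDs, the NAD names and the function names are constructed for the example; the 20-subnet limit is the console limit quoted above and is assumed to apply to kubectl-created configurations as well.

```python
import json

# Values taken from this page; everything else in this file is example code.
RESERVED_NAMES = {"default-network", "default", "mgnt0", "mgnt1"}
MAX_SUBNETS = 20              # console limit; assumed to apply to kubectl-created NADs too
NAD_NAMESPACE = "kube-system"
NS_LABEL = "kubernetes.io/metadata.name"
PROJECT_ANNOTATION = "yangtse.io/project-id"


def build_nad(name, project_id, target_namespace, subnet_ids, security_group_id=None):
    """Return a NetworkAttachmentDefinition (as a dict) in the layout the page documents."""
    args = {"subnets": [{"subnetID": sid} for sid in subnet_ids]}
    if security_group_id:
        args["securityGroups"] = security_group_id
    config = {
        "type": "eni-neutron",
        "args": args,
        "selector": {"namespaceSelector": {"matchLabels": {NS_LABEL: target_namespace}}},
    }
    return {
        "apiVersion": "k8s.cni.cncf.io/v1",
        "kind": "NetworkAttachmentDefinition",
        "metadata": {
            "name": name,
            "namespace": NAD_NAMESPACE,
            "annotations": {PROJECT_ANNOTATION: project_id},
        },
        # spec.config is a JSON *string*; serialising it here avoids hand-quoting mistakes.
        "spec": {"config": json.dumps(config, separators=(",", ":"))},
    }


def parse_config(nad):
    """Decode spec.config back into a dict (raises on a malformed manifest)."""
    return json.loads(nad["spec"]["config"])


def selected_namespace(nad):
    """Namespace this NAD applies to, or None if it has no namespaceSelector."""
    selector = parse_config(nad).get("selector", {}).get("namespaceSelector", {})
    return selector.get("matchLabels", {}).get(NS_LABEL)


def validate_nad(nad):
    """Return a list of problems; an empty list means the page's constraints are met."""
    problems = []
    meta = nad.get("metadata", {})
    if meta.get("name") in RESERVED_NAMES:
        problems.append(f"name {meta.get('name')!r} is reserved")
    if meta.get("namespace") != NAD_NAMESPACE:
        problems.append(f"metadata.namespace must be {NAD_NAMESPACE}")
    if PROJECT_ANNOTATION not in meta.get("annotations", {}):
        problems.append(f"annotation {PROJECT_ANNOTATION} is missing")
    try:
        cfg = parse_config(nad)
    except (KeyError, TypeError, ValueError):
        return problems + ["spec.config is not a JSON string"]
    if cfg.get("type") != "eni-neutron":
        problems.append("config.type must be eni-neutron")
    subnets = cfg.get("args", {}).get("subnets", [])
    if not subnets:
        problems.append("args.subnets needs at least one subnetID")
    elif len(subnets) > MAX_SUBNETS:
        problems.append(f"args.subnets has {len(subnets)} entries, limit is {MAX_SUBNETS}")
    return problems


def namespace_overlaps(nads):
    """Map each namespace claimed by more than one NAD to the names of those NADs."""
    claims = {}
    for nad in nads:
        ns = selected_namespace(nad)
        if ns is not None:
            claims.setdefault(ns, []).append(nad["metadata"]["name"])
    return {ns: names for ns, names in claims.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed sample values; replace them with real project, subnet and security group IDs.
    nad = build_nad("team-a-net", "proj-0000", "team-a", ["subnet-aaaa", "subnet-bbbb"], "sg-1111")
    assert validate_nad(nad) == []
    # Save the output as team-a-net.json and run: kubectl create -f team-a-net.json
    print(json.dumps(nad, indent=2))
```

Run `namespace_overlaps` over every NAD you intend to apply before creating any of them: the console refuses a second configuration for a namespace that already has one, and the same rule applies to configurations created with kubectl.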
.. _cce_10_0196__en-us_topic_0000001199021176_section2314125415245:

Deleting a Network Configuration
--------------------------------

You can delete a network configuration you created or view its YAML file.

.. note::

   Before deleting a network configuration, delete the pods that use it. Otherwise, the deletion fails.

#. Run the following command to find the pods in the cluster that use the configuration (**example** is an example configuration name; replace it with yours):

   .. code-block::

      kubectl get po -A -o=jsonpath="{.items[?(@.metadata.annotations.cni\.yangtse\.io/network-status=='[{\"name\":\"example\"}]')]['metadata.namespace', 'metadata.name']}"

   The command output contains the namespace and name of each pod associated with the configuration. The filter compares the **cni.yangtse.io/network-status** annotation as an exact string, so it only finds pods whose annotation value is exactly ``[{"name":"example"}]``.

#. Delete the owner of each pod. The owner may be a Deployment, StatefulSet, DaemonSet, or Job. Pods of a Deployment are directly owned by a ReplicaSet; delete the Deployment that owns that ReplicaSet, otherwise the pods are recreated.
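The JSONPath filter in step 1 relies on the annotation value being exactly ``[{"name":"example"}]``. The following Python script is added here as an example and is not part of the CCE documentation or tooling. It reads the output of ``kubectl get pods -A -o json``, parses the **cni.yangtse.io/network-status** annotation as JSON (so whitespace and extra keys do not hide a match), skips pods whose annotation is missing or malformed, and reports each matching pod's owner so you know what to delete in step 2. The pod list embedded in the script is constructed sample data in the shape of kubectl's JSON output; the annotation variants it contains (extra keys, surrounding whitespace) are assumptions used to exercise the parser, not documented formats.

```python
import json
import sys

NETWORK_STATUS_ANNOTATION = "cni.yangtse.io/network-status"


def nad_names_from_annotation(value):
    """NAD names recorded in a network-status annotation; [] if absent or not a JSON list."""
    try:
        entries = json.loads(value)
    except (TypeError, ValueError):   # None, or not valid JSON
        return []
    if not isinstance(entries, list):
        return []
    return [e["name"] for e in entries if isinstance(e, dict) and "name" in e]


def pods_using_nad(pod_list, nad_name):
    """Return (namespace, pod name, [(owner kind, owner name), ...]) for pods bound to nad_name."""
    hits = []
    for pod in pod_list.get("items", []):
        meta = pod["metadata"]
        annotation = meta.get("annotations", {}).get(NETWORK_STATUS_ANNOTATION)
        if nad_name not in nad_names_from_annotation(annotation):
            continue
        owners = [(ref["kind"], ref["name"]) for ref in meta.get("ownerReferences", [])]
        hits.append((meta["namespace"], meta["name"], owners))
    return hits


def deletion_targets(pod_list, nad_name):
    """Objects to delete before the NAD can go: direct owners, or the pod itself if it has none.

    A pod created by a Deployment is owned by a ReplicaSet; delete the Deployment that owns
    that ReplicaSet, or the pods simply come back.
    """
    targets = []
    for namespace, pod_name, owners in pods_using_nad(pod_list, nad_name):
        for kind, name in owners or [("Pod", pod_name)]:
            if (namespace, kind, name) not in targets:
                targets.append((namespace, kind, name))
    return targets


def _pod(namespace, name, annotation=None, owner=None):
    """Build a minimal pod object in the shape of kubectl's JSON output (constructed sample)."""
    meta = {"namespace": namespace, "name": name, "annotations": {}}
    if annotation is not None:
        meta["annotations"][NETWORK_STATUS_ANNOTATION] = annotation
    if owner:
        meta["ownerReferences"] = [{"kind": owner[0], "name": owner[1]}]
    return {"metadata": meta}


# Constructed sample data standing in for `kubectl get pods -A -o json`.
SAMPLE_PODS = {"items": [
    _pod("team-a", "web-7d9f-abc", '[{"name":"example"}]', ("ReplicaSet", "web-7d9f")),
    _pod("team-a", "web-7d9f-def", ' [ {"name": "example", "interface": "eth0"} ] ', ("ReplicaSet", "web-7d9f")),
    _pod("team-b", "batch-x", '[{"name":"other"}]', ("Job", "batch")),
    _pod("default", "standalone"),                       # no network-status annotation
    _pod("team-c", "broken", "not json"),                # malformed annotation is skipped
    _pod("team-a", "solo", '[{"name":"example"}]'),      # bare pod with no owner
]}


if __name__ == "__main__":
    # Usage: kubectl get pods -A -o json | python3 find_nad_pods.py example
    #    or: python3 find_nad_pods.py example --sample   (runs against SAMPLE_PODS)
    args = sys.argv[1:]
    use_sample = "--sample" in args
    names = [a for a in args if a != "--sample"]
    nad = names[0] if names else "example"
    pods = SAMPLE_PODS if use_sample else json.load(sys.stdin)
    for namespace, kind, name in deletion_targets(pods, nad):
        print(f"{namespace}\t{kind}\t{name}")
```

With the sample data the script reports one ReplicaSet in **team-a** (covering both web pods) and the bare pod **solo**; delete the Deployment behind the ReplicaSet, then the pod, and only then delete the NetworkAttachmentDefinition.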