This section outlines the configuration steps for running the cOS Stream container. The configuration process involves setting up various Kubernetes features and components to ensure that the containerized firewall operates efficiently and securely within the Kubernetes environment.
cOS Stream runs in polled mode: its packet-processing threads busy-poll the network interfaces instead of waiting for interrupts, so they fully occupy the cores they run on and must not share them with other workloads. The kubelet CPU manager policy therefore has to be changed from the default "none" to "static". For details, see:
https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies
With the static policy in place, reserve CPUs for the operating system and the Kubernetes daemons so that the remaining cores can be assigned exclusively to pods in the Guaranteed Quality of Service (QoS) class. Note that a pod is only Guaranteed when every container's CPU and memory requests equal its limits, and exclusive cores are only granted for integer CPU requests. For details, see:
https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources
If the worker node has more than one NUMA node, set the topology manager policy to "single-numa-node" so that the CPUs, memory and SR-IOV devices assigned to the firewall pod are all allocated from the same NUMA node, see:
https://kubernetes.io/docs/tasks/administer-cluster/topology-manager
On such multi-NUMA nodes, also set the memory manager policy to "Static" (the default is "None") so that the pod's memory is pinned to the NUMA node chosen for its CPUs and devices. This policy requires a "reservedMemory" configuration whose total equals the memory reserved through "kubeReserved", "systemReserved" and "evictionHard", see:
https://kubernetes.io/docs/tasks/administer-cluster/memory-manager/
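The four kubelet settings above combined into a single KubeletConfiguration, as an added example that is not taken from the cOS Stream documentation. The node layout is an assumption (two NUMA nodes, CPUs 0-1 reserved for the host) and the memory sizes are placeholders; what carries over is the structure, in particular that the "reservedMemory" entries must add up exactly to the kubeReserved, systemReserved and evictionHard memory values, otherwise the kubelet refuses to start with the Static memory manager policy.

```yaml
# Added example (not from the cOS Stream docs): kubelet settings for a
# hypothetical two-NUMA-node worker. All sizes and CPU ranges are assumptions.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration

# 1. Static CPU manager: Guaranteed pods with integer CPU requests receive
#    exclusive cores; all other pods share the remaining pool.
cpuManagerPolicy: static

# 2. Keep host and Kubernetes daemons off the cores the firewall will poll on.
#    reservedSystemCPUs supersedes any cpu value in kubeReserved/systemReserved.
reservedSystemCPUs: "0-1"
kubeReserved:
  memory: "1Gi"
systemReserved:
  memory: "1Gi"
evictionHard:
  "memory.available": "100Mi"

# 3. Align CPUs, memory and SR-IOV devices on one NUMA node per container.
topologyManagerPolicy: single-numa-node
topologyManagerScope: container

# 4. Static memory manager. The reservedMemory total must equal
#    kubeReserved + systemReserved + evictionHard memory:
#    1024Mi + 1024Mi + 100Mi = 2148Mi, split here as 1124Mi + 1024Mi.
memoryManagerPolicy: Static
reservedMemory:
  - numaNode: 0
    limits:
      memory: "1124Mi"
  - numaNode: 1
    limits:
      memory: "1024Mi"
```

Apply it through the kubelet's --config file and restart the kubelet; changing cpuManagerPolicy on a node that already ran with the "none" policy requires removing the kubelet's cpu_manager_state file first, as the CPU manager documentation linked above describes.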
To attach additional Ethernet interfaces to the firewall pod, the following steps are needed:
Configure the physical network interface devices (PFs) to create the required number of SR-IOV virtual function devices (VFs).
Bind the network interface devices (usually the VFs) to the correct driver. Mellanox devices can usually stay bound to their default kernel driver, but most other types of network interface devices need to be bound to the vfio-pci driver to work efficiently with the firewall. Note that vfio-pci requires the IOMMU to be enabled in both firmware and kernel.
Install the required CNI plugins: Multus, the SR-IOV CNI, the host-device CNI, etc.
Set up the config map for the "SR-IOV Network Device Plugin", which organizes the devices into resource pools that pods can request resources from. An example of this config map is provided in the examples archive as sriovdp-configmap.yaml, but it is only an example and the device selectors (vendor, driver, PF names) must be adjusted to the environment where the plugin will be deployed.
Deploy the "SR-IOV Network Device Plugin".
Set up the Network Attachment Definitions for the extra networks. Example network attachment definitions are provided in the examples archive as networks.yaml, but they are only examples and must be adjusted to the environment where the firewall will be deployed.
Extend the pod specification with the networks annotation, the resource requests for the VF pools, etc. See Section 3.6, Additional Networks (Multus), for details regarding this step.
In the CNI configuration of the network attachment definition objects, set "spoofchk" to "off" and "trust" to "on". Spoof checking would otherwise drop frames whose source MAC address is not the VF's own, which a forwarding firewall must be able to send, and trust mode is required for the VF to enable promiscuous mode and change its MAC address. Because these two settings remove the usual isolation between VFs on the same PF, optionally set "vlan" to restrict the virtual function to a single VLAN so that a compromised or misconfigured pod cannot reach other VLANs through the PF. For the configuration reference, see:
https://github.com/k8snetworkplumbingwg/sriov-cni/blob/master/docs/configuration-reference.md
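The device-plugin config map, the network attachment definitions and the pod resource requests from the steps above, as one added example; these are not the sriovdp-configmap.yaml or networks.yaml files from the examples archive. The PF name ens1f0, the vendor ID (8086, Intel), the resource prefix example.com, the VLAN IDs, the pod name and the image reference are all assumptions for a hypothetical node; the VFs are assumed to have already been created via sysfs and bound to vfio-pci on the host, which these manifests do not do. The two attachments deliberately share one VF pool but pin each VF to its own VLAN.

```yaml
# Added example (not the examples-archive files). PF name, vendor ID, resource
# prefix, VLANs, pod name and image are assumptions; adjust to your node.
---
# Resource pool: VFs 0-3 of PF ens1f0, bound to vfio-pci on the host, are
# advertised to the scheduler as the extended resource example.com/fw_vfio.
apiVersion: v1
kind: ConfigMap
metadata:
  name: sriovdp-config
  namespace: kube-system
data:
  config.json: |
    {
      "resourceList": [
        {
          "resourcePrefix": "example.com",
          "resourceName": "fw_vfio",
          "selectors": {
            "vendors": ["8086"],
            "drivers": ["vfio-pci"],
            "pfNames": ["ens1f0#0-3"]
          }
        }
      ]
    }
---
# WAN attachment. spoofchk off and trust on are what a forwarding firewall
# needs (foreign source MACs, promiscuous mode); the VLAN bounds what the VF,
# and therefore a compromised pod, can reach through the shared PF.
apiVersion: k8s.cni.cncf.io/v1
kind: NetworkAttachmentDefinition
metadata:
  name: fw-wan
  annotations:
    k8s.v1.cni.cncf.io/resourceName: example.com/fw_vfio
spec:
  config: |
    {
      "cniVersion": "0.3.1",
      "type": "sriov",
      "name": "fw-wan",
      "spoofchk": "off",
      "trust": "on",
      "vlan": 100,
      "ipam": {}
    }
---
# LAN attachment: same pool, different VLAN, so WAN and LAN VFs stay separated
# at the PF even though both belong to the same pod.
apiVersion: k8s.cni.cncf.io/v1
kind: NetworkAttachmentDefinition
metadata:
  name: fw-lan
  annotations:
    k8s.v1.cni.cncf.io/resourceName: example.com/fw_vfio
spec:
  config: |
    {
      "cniVersion": "0.3.1",
      "type": "sriov",
      "name": "fw-lan",
      "spoofchk": "off",
      "trust": "on",
      "vlan": 200,
      "ipam": {}
    }
---
# Pod: requests equal limits with an integer CPU count, so it lands in the
# Guaranteed QoS class and the static CPU manager assigns exclusive cores.
# One VF is consumed per listed network, hence two from the pool.
apiVersion: v1
kind: Pod
metadata:
  name: cos-stream
  annotations:
    k8s.v1.cni.cncf.io/networks: fw-wan,fw-lan
spec:
  containers:
    - name: firewall
      image: registry.example.com/cos-stream:1.0   # placeholder image reference
      resources:
        requests:
          cpu: "4"
          memory: "4Gi"
          example.com/fw_vfio: "2"
        limits:
          cpu: "4"
          memory: "4Gi"
          example.com/fw_vfio: "2"
```

The empty "ipam" object is intentional: no address is assigned by the CNI, leaving interface addressing to the firewall's own configuration. After deployment, confirm the VF settings took effect on the host with "ip link show ens1f0", which lists each VF's spoof checking, trust and VLAN state, and check that the node advertises the expected count under example.com/fw_vfio in "kubectl describe node".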