Network ‐ VLAN OVS Attachment Check
This rule checks if VLAN interfaces explicitly configured for OVS are properly attached to OVS bridges. It identifies OVS VLANs from NodeNetworkConfigurationPolicy (NNCP) resources and NetworkManager ovs-port type connections, then verifies they are present in the OVS bridge port lists.
The rule supports multi-bridge setups and checks ALL bridges with physical ports. It fails if any OVS-configured VLAN interface is detached from any OVS bridge. It checks only VLANs with type ovs-port; VLANs for storage networks, BMC, SR-IOV, or external systems are excluded.
- OpenShift cluster with OVN-Kubernetes networking
- VLAN interfaces configured on nodes
- Open vSwitch installed
- NetworkManager managing network interfaces
- Commands: nmcli, ovs-vsctl
When OVS-configured VLANs are detached from the OVS bridge:
- Node NotReady state - Node becomes NotReady and cannot run workloads
- Network connectivity loss - VLAN traffic not forwarded through OVS datapath
- Pod communication failures - Pods cannot communicate via VLAN networks
- OVN-Kubernetes malfunction - OVN datapath incomplete, ovs-if-phys0 interface becomes inactive
- Node network isolation - Node loses connectivity on detached VLANs
- Service disruption - Applications relying on VLAN networking fail
This is a critical issue that can cause complete loss of network connectivity and cluster node failures.
Common scenarios causing VLAN detachment:
- MachineConfig Running nmcli Commands
- NetworkManager Profile Deactivation
- OVS Configuration Loss
- Interface Rename or Recreation
- NNCP Application Failure
Check which VLAN interfaces are configured for OVS and whether they are attached to the OVS bridge:
# Get all active VLAN interfaces
nmcli -t -f NAME,DEVICE connection show --active
# List all actual VLAN interfaces on the node (used to verify interface is a real VLAN)
ls /proc/net/vlan/*
# Query NNCP resources to identify cluster-wide OVS VLAN configuration
oc get nodenetworkconfigurationpolicies.nmstate.io -A
# Get active NetworkManager connections with ovs-port type
nmcli -t -f TYPE,DEVICE connection show --active
# List all OVS bridges
ovs-vsctl list-br
# List all ports on each bridge (checked across all bridges with physical ports)
ovs-vsctl list-ports <bridge-name>
# Check which interfaces are hardware-backed (used to identify physical ports)
# Physical NICs (have device symlink - no output means no physical NICs):
ls -d /sys/class/net/*/device
# Bond interfaces (have bonding directory - no output means no bonds):
ls -d /sys/class/net/*/bonding
# Team interfaces (have team directory - no output means no teams):
ls -d /sys/class/net/*/team

For manual troubleshooting, you can also use these commands:
# Check if VLAN interface exists and is UP
ip link show <vlan-interface>
# Check VLAN connection details in NetworkManager
nmcli connection show <vlan-interface>
# List all ovs-port type connections
nmcli connection show | grep ovs-port
# View NNCP configuration for a specific VLAN
oc get nodenetworkconfigurationpolicies.nmstate.io -A -o yaml | grep -A5 <vlan-interface>

The VLAN should appear in both the OVS bridge port list and as an active ovs-port connection in NetworkManager.
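The comparison this rule describes, as an added shell example that is not the project's own code: it takes the outputs of the commands above as text and prints every ovs-port device that is a real VLAN but appears in no bridge port list. The function name, the constructed sample data, and the simplification of pooling the ports of all bridges (rather than only bridges with physical ports) are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper, not the rule's actual implementation).
# detached_ovs_vlans NMCLI_OUT VLAN_NAMES OVS_PORTS
#   NMCLI_OUT  - output of: nmcli -t -f TYPE,DEVICE connection show --active
#   VLAN_NAMES - interface names found under /proc/net/vlan, one per line
#   OVS_PORTS  - output of: ovs-vsctl list-ports <bridge-name>, for every bridge
# Prints each ovs-port device that is a real VLAN but is in no port list.
detached_ovs_vlans() {
    nm_out=$1 vlans=$2 ports=$3
    # Terse nmcli output is TYPE:DEVICE; keep only ovs-port connections.
    printf '%s\n' "$nm_out" |
    awk -F: '$1 == "ovs-port" && $2 != "" { print $2 }' |
    while IFS= read -r dev; do
        # Skip ovs-port devices that are not VLAN interfaces (e.g. the bond).
        printf '%s\n' "$vlans" | grep -Fxq -- "$dev" || continue
        # Attached means the exact name is listed as a port on some bridge.
        printf '%s\n' "$ports" | grep -Fxq -- "$dev" || printf '%s\n' "$dev"
    done
}

# Constructed sample data (not captured from a real node).
SAMPLE_NMCLI='ovs-bridge:br-ex
ovs-port:bond0
ovs-port:bond0.100
ovs-port:bond0.200
ovs-interface:br-ex
vlan:bond0.100
vlan:bond0.200
vlan:bond0.300'
SAMPLE_VLANS='bond0.100
bond0.200
bond0.300'
SAMPLE_PORTS='bond0
bond0.100
patch-br-ex-to-br-int'

# bond0.300 is a VLAN without an ovs-port connection, so it is out of scope.
detached_ovs_vlans "$SAMPLE_NMCLI" "$SAMPLE_VLANS" "$SAMPLE_PORTS"

# On a node, feed it live data instead:
#   detached_ovs_vlans "$(nmcli -t -f TYPE,DEVICE connection show --active)" \
#     "$(ls /proc/net/vlan | grep -v '^config$')" \
#     "$(for b in $(ovs-vsctl list-br); do ovs-vsctl list-ports "$b"; done)"
```

Any name printed is an OVS-configured VLAN that NetworkManager reports as active but that OVS does not carry as a port.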