Adds live migration procedures for sdn to ovnk

modules/checking-cluster-resources-after-initiating-limited-live-migration.adoc

@@ -0,0 +1,223 @@
+// Module included in the following assemblies:
+//
+// * networking/ovn_kubernetes_network_provider/migrate-from-openshift-sdn.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="checking-cluster-resources-after-initiating-limited-live-migration_{context}"]
+= Checking cluster resources after initiating the limited live migration
+
+The following procedure shows you how to check for egress IP resources, egress firewall resources, multicast enabled namespaces, and network policies when your deploying is using OVN-Kubernetes. If you had these resources on OpenShift SDN, you should check them after migration to ensure that they are working properly.
+
+.Prerequisites
+
+* You have access to the cluster as a user with the `cluster-admin` role.
+* You have successfully migrated from OpenShift SDN to OVN-Kubernetes by using the limited live migration.
+
+.Procedure
+
+. As an {product-title} cluster administrator, check for egress firewall resources. You can do this by using the `oc` CLI, or by using the {product-title} web console.
+
+.. To check for egress firewall resource by using the `oc` CLI tool:
+
+... To check for egress firewall resources, enter the following command:
++
+[source,terminal]
+----
+$ oc get egressfirewalls.k8s.ovn.org -A
+----
++
+.Example output
++
+[source,terminal]
+----
+NAMESPACE    NAME                      AGE
+<namespace>  <example_egressfirewall>   5d
+----
+
+... You can check the intended behavior of an egress firewall resource by using the `-o yaml` flag. For example:
++
+[source,terminal]
+----
+$ oc get egressfirewall <example_egressfirewall> -n <namespace> -o yaml
+----
++
+.Example output
++
+[source,terminal]
+----
+apiVersion: k8s.ovn.org/v1
+kind: EgressFirewall
+metadata:
+  name: <example_egress_policy>
+  namespace: <namespace>
+spec:
+  egress:
+  - type: Allow
+    to:
+      cidrSelector: 192.168.0.0/16
+  - type: Deny
+    to:
+      cidrSelector: 0.0.0.0/0
+----
++
+Ensure that the behavior of this resource is intended because it could have changed after migration. For more information about egress firewalls, see "Configuring an egress firewall for a project".
+
+.. To check for egress firewall resources by using the {product-title} web console:
+
+... On the {product-title} web console, click *Observe* -> *Metrics*.
+
+... In the *Expression* box, type `ovnkube_controller_num_egress_firewall_rules` and click *Run queries*. If you have egress firewall resources, they are returned in the *Expression* box.
+
+. Check your cluster for egress IP resources. You can do this by using the `oc` CLI, or by using the {product-title} web console.
+
+.. To check for egress IPs by using the `oc` CLI tool:
+
+... To list the namespace with egress IP resources, enter the following command:
++
+[source,terminal]
+----
+$ oc get egressip
+----
++
+.Example output
++
+[source,terminal]
+----
+NAME                EGRESSIPS    ASSIGNED NODE                              ASSIGNED EGRESSIPS
+egress-sample       192.0.2.10   ip-10-0-42-79.us-east-2.compute.internal   192.0.2.10
+egressip-sample-2   192.0.2.14   ip-10-0-42-79.us-east-2.compute.internal   192.0.2.14
+----
+
+... To provide detailed information about an egress IP, enter the following command:
++
+[source,terminal]
+----
+$ oc get egressip <egressip_name> -o yaml
+----
++
+.Example output
++
+[source,terminal]
+----
+apiVersion: k8s.ovn.org/v1
+kind: EgressIP
+metadata:
+  annotations:
+    kubectl.kubernetes.io/last-applied-configuration: |
+      {"apiVersion":"k8s.ovn.org/v1","kind":"EgressIP","metadata":{"annotations":{},"name":"egressip-sample"},"spec":{"egressIPs":["192.0.2.12","192.0.2.13"],"namespaceSelector":{"matchLabels":{"name":"my-namespace"}}}}
+  creationTimestamp: "2024-06-27T15:48:36Z"
+  generation: 7
+  name: egressip-sample
+  resourceVersion: "125511578"
+  uid: b65833c8-781f-4cc9-bc96-d970259a7631
+spec:
+  egressIPs:
+  - 192.0.2.12
+  - 192.0.2.13
+  namespaceSelector:
+    matchLabels:
+      name: my-namespace
+----
++
+Repeat this for all egress IPs. Ensure that the behavior of each resource is intended because it could have changed after migration. For more information about EgressIPs, see "Configuring an EgressIP address".
+
+.. To check for egress IPs by using the {product-title} web console:
+
+... On the {product-title} web console, click *Observe* -> *Metrics*.
+
+... In the *Expression* box, type `ovnkube_clustermanager_num_egress_ips` and click *Run queries*. If you have egress firewall resources, they are returned in the *Expression* box.
+
+. Check your cluster for multicast enabled namespaces. You can only do this by using the `oc` CLI.
+
+.. To locate namespaces with multicast enabled, enter the following command:
++
+[source,terminal]
+----
+$ oc get namespace -o json | jq -r '.items[] | select(.metadata.annotations."k8s.ovn.org/multicast-enabled" == "true") | .metadata.name'
+----
++
+.Example output
++
+[source,terminal]
+----
+namespace1
+namespace3
+----
+
+.. To describe each multicast enabled namespace, enter the following command:
++
+[source,terminal]
+----
+$ oc describe namespace <namespace>
+----
++
+.Example output
++
+[source,terminal]
+----
+Name:         my-namespace
+Labels:       kubernetes.io/metadata.name=my-namespace
+              pod-security.kubernetes.io/audit=restricted
+              pod-security.kubernetes.io/audit-version=v1.24
+              pod-security.kubernetes.io/warn=restricted
+              pod-security.kubernetes.io/warn-version=v1.24
+Annotations:  k8s.ovn.org/multicast-enabled: true
+              openshift.io/sa.scc.mcs: s0:c25,c0
+              openshift.io/sa.scc.supplemental-groups: 1000600000/10000
+              openshift.io/sa.scc.uid-range: 1000600000/10000
+Status:       Active
+----
++
+Ensure that multicast functionality is correctly configured and working as expected in each namespace. For more information, see "Enabling multicast for a project".
+
+. Check your cluster's network policies. You can only do this by using the `oc` CLI.
+
+.. To obtain information about network policies within a namespace, enter the following command:
++
+[source,terminal]
+----
+$ oc get networkpolicy -n <namespace>
+----
++
+.Example output
++
+[source,terminal]
+----
+NAME              POD-SELECTOR   AGE
+allow-multicast   app=my-app     11m
+----
+
+.. To provide detailed information about the network policy, enter the following command:
++
+[source,terminal]
+----
+$ oc describe networkpolicy allow-multicast -n <namespace>
+----
++
+.Example output
++
+[source,terminal]
+----
+Name:         allow-multicast
+Namespace:    my-namespace
+Created on:   2024-07-24 14:55:03 -0400 EDT
+Labels:       <none>
+Annotations:  <none>
+Spec:
+  PodSelector:     app=my-app
+  Allowing ingress traffic:
+    To Port: <any> (traffic allowed to all ports)
+    From:
+      IPBlock:
+        CIDR: 224.0.0.0/4
+        Except: 
+  Allowing egress traffic:
+    To Port: <any> (traffic allowed to all ports)
+    To:
+      IPBlock:
+        CIDR: 224.0.0.0/4
+        Except: 
+  Policy Types: Ingress, Egress
+----
++
+Ensure that the behavior of the network policy is as intended. Optimization for network policies differ between SDN and OVN-K, so users might need to adjust their policies to achieve optimal performance for different CNIs. For more information, see "About network policy".

modules/checking-cluster-resources-before-initiating-limited-live-migration.adoc

@@ -0,0 +1,136 @@
+// Module included in the following assemblies:
+//
+// * networking/ovn_kubernetes_network_provider/migrate-from-openshift-sdn.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="checking-cluster-resources-before-initiating-limited-live-migration_{context}"]
+= Checking cluster resources before initiating the limited live migration
+
+Before migrating to OVN-Kubernetes by using the limited live migration, you should check for egress IP resources, egress firewall resources, and multicast-enabled namespaces on your OpenShift SDN deployment. You should also review any network policies in your deployment. If you find that your cluster has these resources before migration, you should check their behavior after migration to ensure that they are working as intended.
+
+The following procedure shows you how to check for egress IP resources, egress firewall resources, multicast-enabled namespaces, network policies, and an NNCP. No action is necessary after checking for these resources.
+
+.Prerequisites
+
+* You have access to the cluster as a user with the `cluster-admin` role.
+
+.Procedure
+
+. As an {product-title} cluster administrator, check for egress firewall resources. You can do this by using the `oc` CLI, or by using the {product-title} web console.
+
+.. To check for egress firewall resource by using the `oc` CLI tool:
+
+... To check for egress firewall resources, enter the following command:
++
+[source,terminal]
+----
+$ oc get egressnetworkpolicies.network.openshift.io -A
+----
++
+.Example output
++
+[source,terminal]
+----
+NAMESPACE    NAME                      AGE
+<namespace>  <example_egressfirewall>  5d
+----
+
+... You can check the intended behavior of an egress firewall resource by using the `-o yaml` flag. For example:
++
+[source,terminal]
+----
+$ oc get egressnetworkpolicy <example_egressfirewall> -n <namespace> -o yaml
+----
++
+.Example output
++
+[source,terminal]
+----
+apiVersion: network.openshift.io/v1
+kind: EgressNetworkPolicy
+metadata:
+  name: <example_egress_policy>
+  namespace: <namespace>
+spec:
+  egress:
+  - type: Allow
+    to:
+      cidrSelector: 0.0.0.0/0
+  - type: Deny
+    to:
+      cidrSelector: 10.0.0.0/8
+----
+
+.. To check for egress firewall resources by using the {product-title} web console:
+
+... On the {product-title} web console, click *Observe* -> *Metrics*.
+
+... In the *Expression* box, type `sdn_controller_num_egress_firewalls` and click *Run queries*. If you have egress firewall resources, they are returned in the *Expression* box.
+
+. Check your cluster for egress IP resources. You can do this by using the `oc` CLI, or by using the {product-title} web console.
+
+.. To check for egress IPs by using the `oc` CLI tool:
+
+... To list namespaces with egress IP resources, enter the following command
++
+[source,terminal]
+----
+$ oc get netnamespace -A | awk '$3 != ""'
+----
++
+.Example output
++
+[source,terminal]
+----
+NAME        NETID      EGRESS IPS
+namespace1  14173093   ["10.0.158.173"]
+namespace2  14173020   ["10.0.158.173"]
+----
+
+.. To check for egress IPs by using the {product-title} web console:
+
+... On the {product-title} web console, click *Observe* -> *Metrics*.
+
+... In the *Expression* box, type `sdn_controller_num_egress_ips` and click *Run queries*. If you have egress firewall resources, they are returned in the *Expression* box.
+
+. Check your cluster for multicast enabled namespaces. You can do this by using the `oc` CLI, or by using the {product-title} web console.
+
+.. To check for multicast enabled namespaces by using the `oc` CLI tool:
+
+... To locate namespaces with multicast enabled, enter the following command:
++
+[source,terminal]
+----
+$ oc get netnamespace -o json | jq -r '.items[] | select(.metadata.annotations."netnamespace.network.openshift.io/multicast-enabled" == "true") | .metadata.name'
+----
++
+.Example output
++
+[source,terminal]
+----
+namespace1
+namespace3
+----
+
+.. To check for multicast enabled namespaces by using the {product-title} web console:
+
+... On the {product-title} web console, click *Observe* -> *Metrics*.
+
+... In the *Expression* box, type `sdn_controller_num_multicast_enabled_namespaces` and click *Run queries*. If you have multicast enabled namespaces, they are returned in the *Expression* box.
+
+. Check your cluster for any network policies. You can do this by using the `oc` CLI.
+
+.. To check for network policies by using the `oc` CLI tool, enter the following command:
++
+[source,terminal]
+----
+$ oc get networkpolicy -n <namespace>
+----
++
+.Example output
++
+[source,terminal]
+----
+NAME              POD-SELECTOR   AGE
+allow-multicast   app=my-app     11m
+----