
OSC Shoot Peering Extension

Introduction

The osc-gardener-extension-peering service provides a self-service capability for customers to initiate a peering connection between node subnets. The service is responsible for ensuring proper reconciliation of shootPeering CRs based on the extension provider configuration given in the Shoot CR.

Supported peering types

  • Shoot peering

ShootPeering

ShootPeering is intended as a peering between two or more Shoots running on the same Seed or on different Seeds within the same Garden cluster.

To properly enable a peering between two or more Shoots, you need to configure both directions for each peered Shoot pair:

  • Shoot B as a peering target on Shoot A
  • Shoot A as a peering target on Shoot B

Enabling the ShootPeering extension

To enable this extension for a Shoot cluster, the extension service named osc-peering-service needs to be added to the extensions in the Shoot Custom Resource manifest:

apiVersion: core.gardener.cloud/v1beta1
kind: Shoot
spec:
  extensions:
    - type: osc-peering-service
      providerConfig:
        apiVersion: service.peering.extensions.osc.t-systems.com/v1
        kind: PeeringConfig
        shootPeerings:
        - name: <peered target Shoot>
          # garden project name in which the Shoot was created
          namespace: garden-<project>
          # Seed name on which the Shoot is hosted
          seed: <Seed name>
        - name: <another peered target Shoot>
          # garden project name in which the Shoot was created
          namespace: garden-<project>
          # Seed name on which the Shoot is hosted
          seed: <Seed name>

Possible fields:

  • name: the name of the target Shoot.
  • namespace: the namespace of the project. It uses the prefix garden- followed by the <project name>.
  • seed: the name of the Seed cluster configured for the target Shoot resource.

Example of Shoot YAML manifests for multiple peers:

Let us assume three Shoots, peer1, peer2 and peer3, and the requirement to establish the following peerings:

  • Shoot peer1 with Shoot peer2 (hosted on the same Seed and in the same project)
  • Shoot peer2 with Shoot peer3 (hosted on a different Seed and in a different project)

#Shoot `peer1` extension definition - project A Seed A
apiVersion: core.gardener.cloud/v1beta1
kind: Shoot
spec:
  extensions:
    - type: osc-peering-service
      providerConfig:
        apiVersion: service.peering.extensions.osc.t-systems.com/v1
        kind: PeeringConfig
        shootPeerings:
          - name: peer2
            # namespace of Shoot "peer2": garden-<project name>
            namespace: garden-projectA
            # Seed name on which Shoot "peer2" is hosted
            seed: fsA1-0
#Shoot `peer2` extension definition - project A Seed A
apiVersion: core.gardener.cloud/v1beta1
kind: Shoot
spec:
  extensions:
    - type: osc-peering-service
      providerConfig:
        apiVersion: service.peering.extensions.osc.t-systems.com/v1
        kind: PeeringConfig
        shootPeerings:
          - name: peer1
            # namespace of Shoot "peer1": garden-<project name>
            namespace: garden-projectA
            # Seed name on which Shoot "peer1" is hosted
            seed: fsA1-0
          - name: peer3
            # namespace of Shoot "peer3": garden-<project name>
            namespace: garden-projectB
            # Seed name on which Shoot "peer3" is hosted
            seed: fsB2-0
#Shoot `peer3` extension definition - project B Seed B
apiVersion: core.gardener.cloud/v1beta1
kind: Shoot
spec:
  extensions:
    - type: osc-peering-service
      providerConfig:
        apiVersion: service.peering.extensions.osc.t-systems.com/v1
        kind: PeeringConfig
        shootPeerings:
          - name: peer2
            # namespace of Shoot "peer2": garden-<project name>
            namespace: garden-projectA
            # Seed name on which Shoot "peer2" is hosted
            seed: fsA1-0

Limitations and restrictions

  • No cross-Garden peering:

    Shoot clusters managed by different Garden clusters cannot be peered together.

  • CIDR conflicts:

    • Peering will not work between Shoots with the same node subnet (nodeCIDR).
    • When one Shoot uses the default nodeCIDR, peering may only work in one direction (from the Shoot with the default CIDR to the Shoot with a custom CIDR).

  • Seed migration issue:

    Shoot peering may break or behave improperly after a Shoot has been migrated to a different Seed cluster.

  • Duplicate peering conflicts:

    Configuring a peering via the extension will result in reconciliation failures if the same peering already exists (not created via osc-shoot-peering-extension). To enable the peering via the extension, the existing manually configured peering has to be removed first.

Tips

  • Clean up deleted Shoots:

    When a peered Shoot is deleted, update all Shoots that have a peering configuration pointing to it.

  • Consistent naming:

    Use consistent naming conventions for Shoots to avoid configuration errors.

  • CIDR planning:

    Double-check the nodeCIDR of each Shoot carefully to avoid overlapping networks that can prevent proper peering.
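The consistency rules stated on this page (both directions of a pair must be configured, namespaces carry the garden- prefix, the target Shoot and its Seed must exist, and peered Shoots must not share a node subnet) can be checked before applying the manifests. The following is an added example, not code from the extension project; it models the peer1/peer2/peer3 manifests above as a constructed Python inventory, and the nodeCIDR values are made-up sample values, since the page does not state them.

```python
from ipaddress import ip_network

# Constructed inventory mirroring the peer1/peer2/peer3 manifests above. The
# nodeCIDR values are made-up sample values; the page does not state them.
SHOOTS = {
    ("garden-projectA", "peer1"): {
        "seed": "fsA1-0", "nodeCIDR": "10.250.0.0/16",
        "shootPeerings": [{"name": "peer2", "namespace": "garden-projectA", "seed": "fsA1-0"}],
    },
    ("garden-projectA", "peer2"): {
        "seed": "fsA1-0", "nodeCIDR": "10.251.0.0/16",
        "shootPeerings": [
            {"name": "peer1", "namespace": "garden-projectA", "seed": "fsA1-0"},
            {"name": "peer3", "namespace": "garden-projectB", "seed": "fsB2-0"},
        ],
    },
    ("garden-projectB", "peer3"): {
        "seed": "fsB2-0", "nodeCIDR": "10.252.0.0/16",
        "shootPeerings": [{"name": "peer2", "namespace": "garden-projectA", "seed": "fsA1-0"}],
    },
}


def check_peerings(shoots):
    """Return a list of problems; an empty list means every peering is consistent."""
    problems = []
    for (ns, name), shoot in shoots.items():
        for peer in shoot["shootPeerings"]:
            where = f"{ns}/{name} -> {peer['namespace']}/{peer['name']}"
            if not peer["namespace"].startswith("garden-"):
                problems.append(f"{where}: namespace lacks the garden- prefix")
            target = shoots.get((peer["namespace"], peer["name"]))
            if target is None:
                problems.append(f"{where}: target Shoot not found (deleted or misspelled?)")
                continue
            if target["seed"] != peer["seed"]:
                problems.append(f"{where}: seed {peer['seed']} differs from target's Seed {target['seed']}")
            # Each pair must be declared on both Shoots (A lists B and B lists A).
            if not any((p["namespace"], p["name"]) == (ns, name) for p in target["shootPeerings"]):
                problems.append(f"{where}: no reverse peering configured on the target")
            # Identical (or otherwise overlapping) node subnets cannot be peered.
            a, b = ip_network(shoot["nodeCIDR"]), ip_network(target["nodeCIDR"])
            if a.overlaps(b):
                problems.append(f"{where}: nodeCIDR {a} overlaps {b}")
    return problems


if __name__ == "__main__":
    for line in check_peerings(SHOOTS) or ["all peerings consistent"]:
        print(line)
```

Run it against the inventory after editing any peer list or nodeCIDR; a non-empty result names the Shoot pair and the rule it violates.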