Certified OpenShift CNI Plug-ins

Updated -

Overview

The Container Network Interface (CNI) badge is a specialization within Red Hat OpenShift certification available to networking products that integrate with OpenShift using a CNI plug-in.

To be eligible for this badge, the CNI plug-in must be deployed and managed through an Operator. Partners must complete the corresponding Operator certification as well as pass several end-to-end tests. The end-to-end tests validate that the CNI plugin meets basic functionality criteria for the following components:

  • Network Conformance
  • OpenShift Virtualization (OpenShift 4.6 and later)
  • OpenShift Service Mesh

Only the Network Conformance tests are required, and the table below indicates which tests were passed by each CNI plugin.

Once the certification is approved, the Operator will be published in the Red Hat Ecosystem Catalog. The certified Operator will also be listed in the OperatorHub section of the OpenShift web console in OpenShift. Partners will receive a logo to promote their product as a CNI plug-in certified for Red Hat OpenShift.

This document contains the list of 3rd party CNI plug-ins that have been certified by Red Hat for use with OpenShift Container Platform.

3rd Party CNI Plugins

Cisco

Partner Product Version Platform Installer Type OpenShift Version Tests [1]
Cisco ACI 5.1.3, 5.2 OSP 13 UPI 4.6 Net
Cisco ACI 5.2 OSP 16.1 UPI 4.6, 4.7, 4.8, 4.9, 4.10 Net
Cisco ACI 5.2 OSP 16.2 UPI 4.8, 4.9, 4.10, 4.11 Net
Cisco ACI 5.2 vSphere UPI 4.6, 4.7, 4.8, 4.9, 4.10 Net
Cisco ACI 5.2 BM UPI 4.6, 4.7, 4.8, 4.9, 4.10 Net
Cisco ACI 5.2 BM UPI 4.8, 4.9, 4.10 Net, Virt

Isovalent

Partner Product Version Installer Type OpenShift Version Tests [1]
Isovalent Cilium 1.9 UPI and IPI 4.5 [2] Net
Isovalent Cilium 1.9 UPI and IPI 4.6, 4.7 Net, Virt
Isovalent Cilium 1.10, 1.11,1.12 UPI and IPI 4.9, 4.10 Net

Juniper

Partner Product Version Installer Type OpenShift Version Tests [1]
Juniper Cloud Native Contrail (CN2) 22.3 Assisted Inst. 4.8, 4.10 Net, Virt

Tigera

Partner Product Version Installer Type OpenShift Version Tests [1]
Tigera Calico Core 3.12 UPI 4.2 [2] Net
Tigera Calico Core 3.14 UPI 4.3 [2] Net
Tigera Calico Core 3.15 UPI 4.4 [2] Net
Tigera Calico Core 3.16 UPI 4.5 [2] Net
Tigera Calico Core 3.17, 3.18, 3.19 IPI 4.6 Net, Virt
Tigera Calico Core 3.20 UPI 4.6 Net, Virt
Tigera Calico Core 3.17, 3.18, 3.19 IPI 4.7 Net, Virt
Tigera Calico Core 3.17, 3.18, 3.19, 3.20 UPI 4.7 Net, Virt
Tigera Calico Core 3.20, 3.21, 3.22 IPI 4.8 Net, Virt
Tigera Calico Core 3.20, 3.21, 3.22 UPI 4.8 Net, Virt
Tigera Calico Core 3.20, 3.21, 3.22 IPI 4.9 Net, Virt
Tigera Calico Core 3.20, 3.21, 3.22 UPI 4.9 Net, Virt

VMware

Partner Product Version Installer Type OpenShift Version Tests [1]
VMware NCP 3.0.2 w/NSX-T3.x+ UPI 4.4 [2] Net
VMware Antrea 0.13.1 IPI 4.6, 4.7 Net

[1] The only test required for CNI certification is for Network Conformance. The tests executed and passed are indicated as follows:

  • Net - Network Conformance
  • Virt - OpenShift Virtualization
  • Mesh - OpenShift Service Mesh

    [2] This version of the product has reached End-of-Support.

10 Comments

Hi Antonios, I have a customer asking about Calico support for 4.6+. The table doesn't show this. Can you provide an update on when we could expect certification for these releases?

It's confuse what is "certified" cni plugins, I just discover this alert in a cluster provided by OCP insights

This cluster is running with 3rd party SDN plugin Calico, which will encounter support limitations.

I just made some Installations with calico as SDN on OCP 4.6, 4.7 and 4.8 in azure, aws and vmware. and Yes seems works with these versions.

Follow this table

| Kubernetes  | Openshift | Calico   
--------------------------------------------------------------
|  v1.19      |    4.6    | v3.18.4
|  v1.20      |    4.7    | v3.18.4, v3.19.1 (sometimes fail)
|  v1.21      |    4.8    | v3.19.1

I recommend modify 01-cr-installation.yaml in calico manifests. to set quay.io to download the images, due rate limit of docker.io

# This section includes Calico installation configuration.
apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
  name: default
spec:
  variant: Calico
  registry: quay.io   ## <---------------
  flexVolumePath: None   ## <------------
  kubernetesProvider: OpenShift
  calicoNetwork:
    bgp: Disabled

On the other hand there is an certified operator https://catalog.redhat.com/software/containers/tigera/operator/5e741d5cac3db903708a77d1 the description shows "The Tigera Operator manages the lifecycle of a Calico or Calico Enterprise installation on Kubernetes or OpenShift. Its goal is to make installation, upgrades, and ongoing lifecycle management of Calico and Calico Enterprise as simple and reliable as possible."

The requirement is to have installed calico as networkType.

We have a certified operator to handle the lifecycle of calico, and insights telling is not fully supported the sdn.

Any idea when "coming soon" for Service Mesh support for the Cisco ACI CNI plugin will be? Specifically for vSphere? We have several customers that use ACI exclusively in their datacenters, and we require Mesh support to implement ACM/ACS. Thank you!

Hi Matthew, for OpenShift Service Mesh certification, we do have a test suite that we're able to share with partners for the purpose of validating their CNI plugins(this one to be specific: https://github.com/maistra/maistra-test-tool), though we haven't published all of the details in the partner guide gitbook yet. We have been in discussions with Cisco for ACI certification, though they haven't completed certification yet. I can't give a specific timeline though, as it's dependent on the priorities of Cisco (to run the tests) and ourselves to validated them.

Did anyone try the Cilium operator installing on ocp 4.8+? where do we get support if needed? Isovalent or RedHat? can you update the article to be clear on where customers would get their support from?

Can we update this CNI table to reflect 4.10?

According to this list Service Mesh is not tested on ANY SDN because it's just listed below the table and not inside. Can you please fix the table!

That is correct. We offer partners the opportunity to provide test results for all three of those test types. It is up to the partner to decide which of the optional tests - OpenShift Virtualization and/or OpenShift Service Mesh - they want to perform for certification.

To this point, no partner has chosen to perform OpenShift Service Mesh testing. Therefore, the table is indeed accurate.

Thanks, even this answer is unexpected. So in return this means if a customer wants to use Service Mesh in a supported way, only out-of-the-box Openshift is the way to go.