How to Set Up Multi‑Cluster Networking with Kube‑OVN OVN‑IC

Overview

Kube‑OVN can use the OVN‑IC component to interconnect the pod networks of two Kubernetes clusters, allowing pods to communicate directly via their IP addresses. The inter‑cluster traffic is encapsulated in tunnels, requiring only a set of IP‑reachable machines between the clusters.

Prerequisites

Subnet CIDRs of the clusters must not overlap in automatic mode; overlapping CIDRs require manual interconnection.

A set of machines reachable by each cluster’s kube-ovn-controller is needed for the inter‑cluster controller.

Each cluster must have gateway nodes that can be accessed by IP.

The feature works only with the default VPC; custom VPCs are not supported.

Deploy a Single‑Node OVN‑IC Database

On a machine that the kube-ovn-controller can reach, start the OVN‑IC database container.

docker run --name=ovn-ic-db -d --network=host --privileged \
  -v /etc/ovn/:/etc/ovn \
  -v /var/run/ovn:/var/run/ovn \
  -v /var/log/ovn:/var/log/ovn \
  kubeovn/kube-ovn:v1.10.6 bash start-ic-db.sh

If the environment uses containerd instead of Docker, use:

ctr -n k8s.io run -d --net-host --privileged \
  --mount="type=bind,src=/etc/ovn/,dst=/etc/ovn,options=rbind:rw" \
  --mount="type=bind,src=/var/run/ovn,dst=/var/run/ovn,options=rbind:rw" \
  --mount="type=bind,src=/var/log/ovn,dst=/var/log/ovn,options=rbind:rw" \
  docker.io/kubeovn/kube-ovn:v1.10.6 ovn-ic-db bash start-ic-db.sh

Automatic Route Configuration

When automatic routing is enabled, each cluster synchronizes its default VPC subnet CIDR to the OVN‑IC component. Ensure the CIDRs do not overlap.

Create a ConfigMap ovn-ic-config in the kube-system namespace:

apiVersion: v1
kind: ConfigMap
metadata:
  name: ovn-ic-config
  namespace: kube-system
data:
  enable-ic: "true"
  az-name: "az1"
  ic-db-host: "192.168.65.3"
  ic-nb-port: "6645"
  ic-sb-port: "6646"
  gw-nodes: "az1-gw"
  auto-route: "true"

Key fields: enable-ic: enable inter‑cluster connectivity. az-name: name of the availability zone (cluster). ic-db-host: address of the OVN‑IC database node. ic-nb-port / ic-sb-port: north‑bound and south‑bound database ports (default 6645/6646). gw-nodes: comma‑separated list of gateway node names. auto-route: whether to automatically publish and learn routes.

Verify the logical switch creation with:

# ovn-ic-sbctl showavailability-zone az1    gateway deee03e0-af16-4f45-91e9-b50c3960f809        hostname: az1-gw        type: geneve            ip: 192.168.42.145        port ts-az1            transit switch: ts            address: ["00:00:00:50:AC:8C 169.254.100.45/24"]
# ovn-ic-sbctl showavailability-zone az2    gateway e94cc831-8143-40e3-a478-90352773327b        hostname: az2-gw        type: geneve            ip: 169.254.100.149        port ts-az2            transit switch: ts            address: ["00:00:00:07:4A:59 169.254.100.63/24"]

Check learned routes on each cluster:

# kubectl ko nbctl lr-route-list ovn-cluster
Routes                10.42.1.1            169.254.100.45 dst-ip (learned)
... (additional routes omitted for brevity)

Test connectivity by pinging a pod IP from the opposite cluster.

Manual Route Configuration

If CIDR overlap exists or only specific subnets should be connected, disable automatic routing ( auto-route: "false") and manually add routes.

# kubectl ko nbctl lr-route-add ovn-cluster 10.17.0.0/24 169.254.100.31   # from az1 to az2
# kubectl ko nbctl lr-route-add ovn-cluster 10.16.0.0/24 169.254.100.79   # from az2 to az1

To prevent a subnet from being advertised, set disableInterConnection: true in the Subnet resource:

apiVersion: kubeovn.io/v1
kind: Subnet
metadata:
  name: no-advertise
spec:
  cidrBlock: 10.199.0.0/16
  disableInterConnection: true

High‑Availability OVN‑IC Database Deployment

OVN‑IC databases can form a Raft‑based HA cluster with at least three nodes.

Start the leader node:

docker run --name=ovn-ic-db -d --network=host --privileged \
  -v /etc/ovn/:/etc/ovn \
  -v /var/run/ovn:/var/run/ovn \
  -v /var/log/ovn:/var/log/ovn \
  -e LOCAL_IP="192.168.65.3" \
  -e NODE_IPS="192.168.65.3,192.168.65.2,192.168.65.1" \
  kubeovn/kube-ovn:v1.10.6 bash start-ic-db.sh

Deploy follower nodes (adjust LOCAL_IP and optionally LEADER_IP):

docker run --name=ovn-ic-db -d --network=host --privileged \
  -v /etc/ovn/:/etc/ovn \
  -v /var/run/ovn:/var/run/ovn \
  -v /var/log/ovn:/var/log/ovn \
  -e LOCAL_IP="192.168.65.2" \
  -e NODE_IPS="192.168.65.3,192.168.65.2,192.168.65.1" \
  -e LEADER_IP="192.168.65.3" \
  kubeovn/kube-ovn:v1.10.6 bash start-ic-db.sh

When using containerd, replace docker with the equivalent ctr command as shown earlier.

Update the ovn-ic-config ConfigMap in each cluster to list all database nodes:

apiVersion: v1
kind: ConfigMap
metadata:
  name: ovn-ic-config
  namespace: kube-system
data:
  enable-ic: "true"
  az-name: "az1"
  ic-db-host: "192.168.65.3,192.168.65.2,192.168.65.1"
  ic-nb-port: "6645"
  ic-sb-port: "6646"
  gw-nodes: "az1-gw"
  auto-route: "true"

Cleanup

If a configuration error occurs, remove the ConfigMap and the logical switch:

kubectl -n kube-system delete cm ovn-ic-config
kubectl-ko nbctl ls-del ts
# Repeat the same steps on the peer cluster

After cleanup, you can re‑apply the desired configuration.