Requirements for IBM z/OS Container Platform IP addresses
z/OS® Communications Server provides network communications and network-related services for IBM® z/OS Container Platform (zOSCP). The IP addresses for zOSCP are represented as new types of VIPARANGE dynamic VIPAs (DVIPA). A ZCONTAINER DVIPA range is a subnet of DVIPAs that are created when assigned to containers and Pods as they are started. A ZCPA DVIPA is a DVIPA that is configured to an IBM z/OS Control Plane Appliance (zCPA) instance and is created when the zCPA is started.
z/OS network administrator
Defining IP addresses for a container
You need to define the range of dynamic VIPAs to be used when starting a container by using Podman for IBM z/OS (Podman) or when deploying a Pod within a Kubernetes cluster. This dynamic VIPA range cannot overlap with other IP addresses that you have defined in your TCP/IP profile.
VIPARANGE DEFINE 255.255.255.248 192.0.2.248 ZCONTAINER
This definition defines 8 IP addresses (192.0.2.248, 192.0.2.249, 192.0.2.250, 192.0.2.251, 192.0.2.252, 192.0.2.253, 192.0.2.254, 192.0.2.255). Although 8 IP addresses are defined, only IP addresses 192.0.2.249 - 192.0.2.254 are available to be used. The first and last IP addresses in the range are reserved for the subnet's network and broadcast IP addresses. These 6 IP addresses are shared between containers started with Podman or Pods deployed in a Kubernetes cluster.
Defining IP addresses for the IBM z/OS Control Plane Appliance
You need to define the set of dynamic VIPAs to be assigned to the IBM z/OS Control Plane Appliance (zCPA) after it is started. A different VIPARANGE statement is configured for each zCPA. These dynamic VIPAs cannot overlap with other IP addresses that you have defined in your TCP/IP profile.
VIPARANGE DEFINE 255.255.255.255 192.0.2.100 ZCPA ;; IP address for ZCPA
Defining IP addresses for a High Availability (HA) infrastructure
VIPARANGE DEFINE 255.255.255.255 192.0.2.100 ZCPA ;; IP address for ZCPA1
VIPARANGE DEFINE 255.255.255.255 192.0.2.101 ZCPA ;; IP address for ZCPA2
VIPARANGE DEFINE 255.255.255.255 192.0.2.102 ZCPA ;; IP address for ZCPA3
- A dynamic VIPA, 192.0.2.100, for the first z/OS Control Plane node.
- A dynamic VIPA, 192.0.2.101, for the second z/OS Control Plane node.
- A dynamic VIPA, 192.0.2.102, for the third z/OS Control Plane node.
VIPADYNAMIC
  VIPADEFINE 255.255.255.252 192.0.2.128
  VIPADISTRIBUTE EXTTARG 192.0.2.128
    DESTIP 192.0.2.100 192.0.2.101 192.0.2.102
ENDVIPADYNAMIC
Configuring a SRCIP DESTINATION statement
You need to configure a SRCIP DESTINATION statement for the VIPARANGE ZCONTAINER subnet to ensure that a valid source IP address is used when local z/OS client applications connect to server applications running in a zOSCP environment. The source IP specified on the statement must already be defined on the TCP/IP instance and cannot be part of the VIPARANGE ZCONTAINER subnet.
SRCIP
  DESTINATION 192.0.2.248/29 192.0.2.50
ENDSRCIP
For more information, see Network Support for IBM z/OS Container Platform in the Communications Server documentation.
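The address rules in the sections above can be checked before a profile is activated. The following is an added example, not IBM code: a Python check that reads the VIPARANGE and SRCIP DESTINATION statements shown on this page and reports overlapping ranges, a ZCONTAINER subnet without a SRCIP DESTINATION entry, and a SRCIP source that lies inside the ZCONTAINER subnet. The function names are hypothetical, only the statement forms shown on this page are parsed, and the check does not confirm that the source address is defined on the TCP/IP instance.

```python
import ipaddress
import re

# Constructed sample: the statements shown on this page, as one profile fragment.
PROFILE = """\
VIPARANGE DEFINE 255.255.255.248 192.0.2.248 ZCONTAINER
VIPARANGE DEFINE 255.255.255.255 192.0.2.100 ZCPA ;; IP address for ZCPA1
VIPARANGE DEFINE 255.255.255.255 192.0.2.101 ZCPA ;; IP address for ZCPA2
VIPARANGE DEFINE 255.255.255.255 192.0.2.102 ZCPA ;; IP address for ZCPA3
SRCIP
  DESTINATION 192.0.2.248/29 192.0.2.50
ENDSRCIP
"""

RANGE_RE = re.compile(r"^\s*VIPARANGE\s+DEFINE\s+(\S+)\s+(\S+)\s+(ZCONTAINER|ZCPA)\b", re.I)
SRCIP_RE = re.compile(r"^\s*DESTINATION\s+(\S+/\d+)\s+(\S+)", re.I)

def parse(profile):
    """Return ([(kind, network)], [(destination network, source address)])."""
    ranges, srcips = [], []
    for line in profile.splitlines():
        line = line.split(";", 1)[0]  # drop the trailing profile comment
        if m := RANGE_RE.match(line):
            mask, addr, kind = m.groups()
            ranges.append((kind.upper(), ipaddress.ip_network(f"{addr}/{mask}", strict=False)))
        elif m := SRCIP_RE.match(line):
            srcips.append((ipaddress.ip_network(m.group(1)), ipaddress.ip_address(m.group(2))))
    return ranges, srcips

def usable(net):
    """Assignable addresses: a subnet loses its network and broadcast addresses."""
    return [net.network_address] if net.prefixlen == 32 else list(net.hosts())

def check(profile):
    """Return a list of findings; an empty list means the fragment passed."""
    ranges, srcips = parse(profile)
    findings = []
    for i, (kind_a, a) in enumerate(ranges):
        for kind_b, b in ranges[i + 1:]:
            if a.overlaps(b):
                findings.append(f"{kind_a} {a} overlaps {kind_b} {b}")
    containers = [n for k, n in ranges if k == "ZCONTAINER"]
    for net in containers:
        if not any(dest == net for dest, _ in srcips):
            findings.append(f"no SRCIP DESTINATION for ZCONTAINER {net}")
        for _, src in srcips:
            if src in net:
                findings.append(f"SRCIP source {src} is inside ZCONTAINER {net}")
    return findings
```
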
Security considerations
Use IP filtering to control the flow of network traffic to an IBM z/OS Control Plane Appliance (zCPA). An IP security policy can define filters that deny or allow a packet access to a z/OS Communications Server system where the zCPA is started. A Sysplex Distributor DVIPA is configured to load balance across multiple instances of zCPAs to provide Kubernetes High Availability. For more information, see Sysplex Distributor support for IBM z/OS Control Plane Appliances in z/OS Communications Server: New Function Summary.
Two IPSec rules are required for each zCPA instance, one rule defining the DVIPA configured to the zCPA as the source and another rule for that DVIPA as the destination. Both rules must be defined with ROUTING EITHER, permitting both ROUTED and LOCAL traffic for the zCPA instance. When configuring the IPSec rules through the z/OSMF Network Configuration Assistant, the topology should indicate Filtering only. Be sure to check both 'For local traffic – Host' and 'For routed traffic – Gateway' under the Filtering only option. See z/OS Communications Server: IP Configuration Guide for more information about IP filtering.