Requirements for IBM z/OS Container Platform IP addresses

Edit online

z/OS® Communications Server provides network communications and network-related services for IBM® z/OS Container Platform (zOSCP). The IP addresses for zOSCP are represented as new types of VIPARANGE dynamic VIPAs (DVIPA). A ZCONTAINER DVIPA range is a subnet of DVIPAs that are created when assigned to containers and Pods as they are started. A ZCPA DVIPA is a DVIPA that is configured to an IBM z/OS Control Plane Appliance (zCPA) instance and is created when the zCPA is started.

user icon z/OS network administrator

Defining IP addresses for a container

You need to define the range of dynamic VIPAs to be used when starting a container by using Podman for IBM z/OS (Podman) or when deploying a Pod within a Kubernetes cluster. This dynamic VIPA range cannot overlap with other IP addresses that you have defined on your TCP/IP profile.

To create this range of dynamic VIPAs, you might use the following VIPARANGE statement:
VIPARANGE DEFINE 255.255.255.248 192.0.2.248 ZCONTAINER

This definition defines 8 IP addresses (192.0.2.248, 192.0.2.249, 192.0.2.250, 192.0.2.251, 192.0.2.252, 192.0.2.253, 192.0.2.254, 192.0.2.255). Although 8 IP addresses are defined, only IP addresses 192.0.2.249 - 192.0.2.254 are available to be used. The first and last IP addresses in the range are reserved for the subnet's network and broadcast IP addresses. These 6 IP addresses are shared between containers started with Podman or Pods deployed in a Kubernetes cluster.

Defining IP addresses for the IBM z/OS Control Plane Appliance

You need to define the set of dynamic VIPAs to be used to assign to the IBM z/OS Control Plane Appliance (zCPA), after it is started. A different VIPARANGE statement is configured for each zCPA. These dynamic VIPAs cannot overlap with other IP addresses that you have defined in your TCP/IP profile.

To create a dynamic VIPA for a zCPA, you might use the following VIPARANGE statement:
VIPARANGE DEFINE 255.255.255.255 192.0.2.100 ZCPA  ;; IP address for ZCPA

Defining IP addresses for a High Availability (HA) infrastructure

For High Availability (HA), it is recommended that you use three z/OS Control Plane nodes. For this configuration, you would need to create three dynamic VIPAs for the zCPAs. For example:
VIPARANGE DEFINE 255.255.255.255 192.0.2.100 ZCPA ;; IP address for ZCPA1 
VIPARANGE DEFINE 255.255.255.255 192.0.2.101 ZCPA ;; IP address for ZCPA2 
VIPARANGE DEFINE 255.255.255.255 192.0.2.102 ZCPA ;; IP address for ZCPA3
For this example, you would define:
  • A dynamic VIPA, 192.0.2.100, for the first z/OS Control Plane node.
  • A dynamic VIPA, 192.0.2.101, for the second z/OS Control Plane node.
  • A dynamic VIPA, 192.0.2.102, for the third z/OS Control Plane node.
To be able to load balance requests between the three control plane nodes, you would need to create a distributable dynamic VIPA with the EXTTARG keyword, with the three dynamic VIPAs configured for the zCPAs as targets. For example:
VIPADYNAMIC 
VIPADEFINE 255.255.255.252 192.0.2.128 
VIPADISTRIBUTE EXTTARG 192.0.2.128 
  DESTIP 192.0.2.100 192.0.2.101 192.0.2.102 
ENDVIPADYNAMIC

Defining multiple DVIPA (Dynamic Virtual IP Addressing) address ranges for containers

You may need to define multiple DVIPA (Dynamic Virtual IP Addressing) address ranges to be used for containers running in Podman for IBM z/OS (Podman) or for Pods running within a Kubernetes cluster. These dynamic VIPA ranges cannot overlap with other IP addresses that you have defined on your TCP/IP profile.

The VIPARANGE statements in the profile are processed in order, and a list of possible ZCONTAINER IP addresses are built using this order. For example, if the following VIPARANGE statements are configured: 

VIPARANGE DEFINE 255.255.255.248 192.0.2.216 ZCONTAINER 
VIPARANGE DEFINE 255.255.255.248 192.0.2.232 ZCONTAINER 
VIPARANGE DEFINE 255.255.255.255 192.0.2.225 ZCONTAINER
The ordered list of available IP addresses for containers/Pods would be:
  • 192.0.2.217 to 192.0.2.222
  • 192.0.2.233 to 192.0.2.238
  • 192.0.2.225

You may also need to define multiple DVIPA (Dynamic Virtual IP Addressing) address ranges so that some DVIPA ranges are used exclusively for containers running in Podman while other DVIPA ranges are used exclusively for Pods running within a Kubernetes cluster.

To accomplish this, use the SAF keyword on the VIPARANGE statement and permit users to these SAF resources. For example, if the following VIPARANGE statements are configured:
VIPARANGE DEFINE 255.255.255.248 192.0.2.216 SAF PODMAN ZCONTAINER 
VIPARANGE DEFINE 255.255.255.248 192.0.2.232 SAF K8S ZCONTAINER 
VIPARANGE DEFINE 255.255.255.255 192.0.2.225 SAF K8S ZCONTAINER

Two SAF resources are defined, PODMAN and K8S. Users running containers via Podman would be permitted to the PODMAN resource, EZB.MODDVIPA.sysname.tcpname.PODMAN. The users assigned to Pods in a Kubernetes cluster would be permitted to the K8S resource, EZB.MODDVIPA.sysname.tcpname.K8S.

The ordered list of available IP addresses for containers started via Podman would be:

  • 192.0.2.217 to 192.0.2.222

The ordered list of available IP addresses for Pods in a Kubernetes cluster would be:

  • 192.0.2.233 to 192.0.2.238

  • 192.0.2.225

For more information, see Network Support for IBM z/OS Container Platform in the Communications Server documentation.

Configuring a SRCIP DESTINATION statement

You need to configure a SRCIP DESTINATION statement for the VIPARANGE ZCONTAINER subnet to ensure that a valid source IP address is used when local z/OS client applications connect to server applications running in a zOSCP environment. The source IP specified on the statement must already be defined on the TCP/IP instance and cannot be part of the VIPARANGE ZCONTAINER subnet.

For example, if VIPARANGE 255.255.255.248 192.0.2.248 ZCONTAINER is defined and 192.0.2.50 is an existing static VIPA, the following would allow connections from the local system to an application running within a container:
SRCIP 
DESTINATION 192.0.2.248/29 192.0.2.50 
ENDSRCIP

automated step

For more information, see Network Support for IBM z/OS Container Platform in the Communications Server documentation.

Security considerations

Recommendation:

Use IP filtering to control the flow of network traffic to an IBM z/OS Control Plane Appliance (zCPA). An IP security policy can define filters that deny or allow a packet access to a z/OS Communications Server system where the zCPA is started. A Sysplex Distributor DVIPA is configured to load balance across multiple instances of zCPAs to provide Kubernetes High Availability. For more information, see Sysplex Distributor support for IBM z/OS Control Plane AppliancesLink leaves IBM Docs in z/OS Communications Server: New Function SummaryLink leaves IBM Docs.

Two IPSec rules are required for each zCPA instance, one rule defining the DVIPA configured to the zCPA as the source and another rule for that DVIPA as the destination. Both rules must be defined with ROUTING EITHER, permitting both ROUTED and LOCAL traffic for the zCPA instance. When configuring the IPSec rules through the z/OSMF Network Configuration Assistant, the topology should indicate Filtering only. Be sure to check both For local traffic – Host and For routed traffic – Gateway under the Filtering only option. See z/OS Communications Server: IP Configuration GuideLink leaves IBM Docs for more information about IP filtering.