Requirements for IBM z/OS Container Platform IP addresses

z/OS® Communications Server provides network communications and network-related services for IBM® z/OS Container Platform (zOSCP). The IP addresses for zOSCP are represented as new types of VIPARANGE dynamic VIPAs (DVIPA). A ZCONTAINER DVIPA range is a subnet of DVIPAs that are created when assigned to containers and Pods as they are started. A ZCPA DVIPA is a DVIPA that is configured to an IBM z/OS Control Plane Appliance (zCPA) instance and is created when the zCPA is started.

z/OS network administrator

Defining IP addresses for a container

You need to define the range of dynamic VIPAs to be used when starting a container by using Podman for IBM z/OS (Podman) or when deploying a Pod within a Kubernetes cluster. This dynamic VIPA range cannot overlap with other IP addresses that you have defined on your TCP/IP profile.

To create this range of dynamic VIPAs, you might use the following VIPARANGE statement:
VIPARANGE DEFINE 255.255.255.248 192.0.2.248 ZCONTAINER

This statement defines a subnet of 8 IP addresses (192.0.2.248, 192.0.2.249, 192.0.2.250, 192.0.2.251, 192.0.2.252, 192.0.2.253, 192.0.2.254, 192.0.2.255). Although 8 IP addresses are defined, only the addresses 192.0.2.249 - 192.0.2.254 are available for use: the first and last IP addresses in the range are reserved for the subnet's network and broadcast addresses. These 6 IP addresses are shared between containers started with Podman and Pods deployed in a Kubernetes cluster.

Defining IP addresses for the IBM z/OS Control Plane Appliance

You need to define the set of dynamic VIPAs to be used to assign to the IBM z/OS Control Plane Appliance (zCPA), after it is started. A different VIPARANGE statement is configured for each zCPA. These dynamic VIPAs cannot overlap with other IP addresses that you have defined in your TCP/IP profile.

To create a dynamic VIPA for a zCPA, you might use the following VIPARANGE statement:
VIPARANGE DEFINE 255.255.255.255 192.0.2.100 ZCPA  ;; IP address for ZCPA

Defining IP addresses for a High Availability (HA) infrastructure

For High Availability (HA), it is recommended that you use three z/OS Control Plane nodes. For this configuration, you would need to create three dynamic VIPAs for the zCPAs. For example:
VIPARANGE DEFINE 255.255.255.255 192.0.2.100 ZCPA ;; IP address for ZCPA1 
VIPARANGE DEFINE 255.255.255.255 192.0.2.101 ZCPA ;; IP address for ZCPA2 
VIPARANGE DEFINE 255.255.255.255 192.0.2.102 ZCPA ;; IP address for ZCPA3
For this example, you would define:
  • A dynamic VIPA, 192.0.2.100, for the first z/OS Control Plane node.
  • A dynamic VIPA, 192.0.2.101, for the second z/OS Control Plane node.
  • A dynamic VIPA, 192.0.2.102, for the third z/OS Control Plane node.
To be able to load balance requests between the three control plane nodes, you would need to create a distributable dynamic VIPA with the EXTTARG keyword, with the three dynamic VIPAs configured for the zCPAs as targets. For example:
VIPADYNAMIC 
VIPADEFINE 255.255.255.252 192.0.2.128 
VIPADISTRIBUTE EXTTARG 192.0.2.128 
  DESTIP 192.0.2.100 192.0.2.101 192.0.2.102 
ENDVIPADYNAMIC

Configuring a SRCIP DESTINATION statement

You need to configure a SRCIP DESTINATION statement for the VIPARANGE ZCONTAINER subnet to ensure that a valid source IP address is used when local z/OS client applications connect to server applications running in a zOSCP environment. The source IP specified on the statement must already be defined on the TCP/IP instance and cannot be part of the VIPARANGE ZCONTAINER subnet.

For example, if VIPARANGE 255.255.255.248 192.0.2.248 ZCONTAINER is defined and 192.0.2.50 is an existing static VIPA, the following would allow connections from the local system to an application running within a container:
SRCIP 
DESTINATION 192.0.2.248/29 192.0.2.50 
ENDSRCIP
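The subnet arithmetic for the ZCONTAINER range, the no-overlap requirement for the DVIPA definitions, the ZCPA targets of the EXTTARG distributor, and the SRCIP DESTINATION constraint above are all mechanical rules that can be checked before a profile is activated. The following script is an added example and is not IBM code; it parses only the statement forms that appear on this page (VIPARANGE DEFINE, VIPADEFINE, DESTIP, SRCIP DESTINATION) from a constructed profile fragment with Python's ipaddress module and reports the usable container addresses and any violations of the rules stated above. It does not see static VIPAs or other addresses defined elsewhere in a real profile, so it complements rather than replaces TCP/IP's own profile validation.

```python
"""Consistency checks for the DVIPA statements shown on this page.

Added example, not IBM code.  It understands only VIPARANGE DEFINE,
VIPADEFINE, DESTIP and SRCIP DESTINATION, and checks the rules the page
states: which ZCONTAINER addresses are usable, that DVIPA definitions do
not overlap, that each ZCONTAINER subnet has a SRCIP DESTINATION entry
whose source is outside the subnet, and that EXTTARG targets are ZCPA
DVIPAs.  Other profile statements are ignored.
"""
import ipaddress
import re

# Constructed TCP/IP profile fragment, assembled from the page's examples.
PROFILE = """
VIPARANGE DEFINE 255.255.255.248 192.0.2.248 ZCONTAINER
VIPARANGE DEFINE 255.255.255.255 192.0.2.100 ZCPA ;; IP address for ZCPA1
VIPARANGE DEFINE 255.255.255.255 192.0.2.101 ZCPA ;; IP address for ZCPA2
VIPARANGE DEFINE 255.255.255.255 192.0.2.102 ZCPA ;; IP address for ZCPA3
VIPADYNAMIC
VIPADEFINE 255.255.255.252 192.0.2.128
VIPADISTRIBUTE EXTTARG 192.0.2.128
  DESTIP 192.0.2.100 192.0.2.101 192.0.2.102
ENDVIPADYNAMIC
SRCIP
DESTINATION 192.0.2.248/29 192.0.2.50
ENDSRCIP
"""

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def tokenize(text):
    """Split the profile into tokens, dropping ';' comments."""
    tokens = []
    for line in text.splitlines():
        tokens.extend(line.split(";", 1)[0].split())
    return tokens


def parse_profile(text):
    """Collect subnets and addresses from the statement forms used on this page."""
    cfg = {"ranges": [], "vipadefine": [], "destip": [], "srcip": []}
    toks = tokenize(text)
    i = 0
    while i < len(toks):
        t = toks[i].upper()
        if t == "VIPARANGE" and i + 4 < len(toks) and toks[i + 1].upper() == "DEFINE":
            mask, addr, kind = toks[i + 2], toks[i + 3], toks[i + 4].upper()
            # strict=False derives the subnet even if a host address was written
            cfg["ranges"].append((ipaddress.ip_network(f"{addr}/{mask}", strict=False), kind))
            i += 5
        elif t == "VIPADEFINE" and i + 2 < len(toks):
            mask, addr = toks[i + 1], toks[i + 2]
            cfg["vipadefine"].append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
            i += 3
        elif t == "DESTIP":
            i += 1
            while i < len(toks) and IPV4.fullmatch(toks[i]):
                cfg["destip"].append(ipaddress.ip_address(toks[i]))
                i += 1
        elif t == "DESTINATION" and i + 2 < len(toks):
            cfg["srcip"].append((ipaddress.ip_network(toks[i + 1], strict=False),
                                 ipaddress.ip_address(toks[i + 2])))
            i += 3
        else:
            i += 1
    return cfg


def usable_container_addresses(cfg):
    """Addresses a container or Pod can receive: the subnet minus network and broadcast."""
    usable = []
    for net, kind in cfg["ranges"]:
        if kind == "ZCONTAINER":
            base = int(net.network_address)
            usable.extend(str(ipaddress.ip_address(base + k))
                          for k in range(1, net.num_addresses - 1))
    return usable


def find_problems(cfg):
    """Return a list of rule violations (empty when the fragment is consistent)."""
    problems = []
    # 1. No DVIPA definition may overlap another.
    nets = list(cfg["ranges"]) + [(n, "VIPADEFINE") for n in cfg["vipadefine"]]
    for a in range(len(nets)):
        for b in range(a + 1, len(nets)):
            if nets[a][0].overlaps(nets[b][0]):
                problems.append(f"{nets[a][1]} {nets[a][0]} overlaps {nets[b][1]} {nets[b][0]}")
    # 2. Each ZCONTAINER subnet needs a SRCIP DESTINATION entry with a source outside it.
    container = [net for net, kind in cfg["ranges"] if kind == "ZCONTAINER"]
    for net in container:
        sources = [src for dest, src in cfg["srcip"] if dest == net]
        if not sources:
            problems.append(f"no SRCIP DESTINATION entry for ZCONTAINER subnet {net}")
        for src in sources:
            if src in net:
                problems.append(f"SRCIP source {src} lies inside ZCONTAINER subnet {net}")
    # 3. EXTTARG DESTIP targets must be ZCPA DVIPAs.
    zcpa = {net.network_address for net, kind in cfg["ranges"] if kind == "ZCPA"}
    for ip in cfg["destip"]:
        if ip not in zcpa:
            problems.append(f"DESTIP target {ip} is not a ZCPA DVIPA")
    return problems


def validate(text):
    cfg = parse_profile(text)
    return {"usable_container": usable_container_addresses(cfg),
            "problems": find_problems(cfg)}


if __name__ == "__main__":
    report = validate(PROFILE)
    print("usable container addresses:", ", ".join(report["usable_container"]))
    print("problems:", report["problems"] or "none")
```

For the fragment above the script reports the six usable addresses 192.0.2.249 - 192.0.2.254 and no problems; moving the SRCIP source into the container subnet, or defining a ZCPA DVIPA inside it, produces a finding for each violated rule.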


For more information, see Network Support for IBM z/OS Container Platform in the Communications Server documentation.

Security considerations

Recommendation:

Use IP filtering to control the flow of network traffic to an IBM z/OS Control Plane Appliance (zCPA). An IP security policy can define filters that deny or allow a packet access to a z/OS Communications Server system where the zCPA is started. A Sysplex Distributor DVIPA is configured to load balance across multiple instances of zCPAs to provide Kubernetes High Availability. For more information, see z/OS Communications Server: Sysplex Distributor support for IBM z/OS Control Plane Appliances.

Two IPSec rules are required for each zCPA instance: one with the DVIPA configured to the zCPA as the source, and another with that DVIPA as the destination. Both rules must be defined with ROUTING EITHER, permitting both ROUTED and LOCAL traffic for the zCPA instance. When you configure the IPSec rules through the z/OSMF Network Configuration Assistant, the topology should indicate Filtering only; under the Filtering only option, select both 'For local traffic – Host' and 'For routed traffic – Gateway'. See z/OS Communications Server: IP Configuration Guide for more information about IP filtering.