FRRouting (FRR) is a free, open source internet routing protocol suite for Linux and UNIX platforms.
FRR-K8s is a Kubernetes based DaemonSet that exposes a subset of the FRR API in a Kubernetes-compliant manner.
As a cluster administrator, you can use the FRRConfiguration custom resource (CR) to access some of the FRR services not provided by MetalLB, for example, receiving routes.
MetalLB generates the FRR-K8s configuration corresponding to the MetalLB configuration applied.
You can create multiple FRRConfiguration CRs to use FRR services in MetalLB.
MetalLB generates an FRRConfiguration object which FRR-K8s merges with all other configurations that all users have created.
For example, you can configure FRR-K8s to receive all of the prefixes advertised by a given neighbor.
The following example configures FRR-K8s to receive all of the prefixes advertised by a BGPPeer with host 172.18.0.5:
apiVersion: frrk8s.metallb.io/v1beta1
kind: FRRConfiguration
metadata:
 name: test
 namespace: metallb-system
spec:
 bgp:
   routers:
   - asn: 64512
     neighbors:
     - address: 172.18.0.5
       asn: 64512
       toReceive:
        allowed:
            mode: allYou can also configure FRR-K8s to always block a set of prefixes, regardless of the configuration applied.
This can be useful to avoid routes towards the pods or ClusterIPs CIDRs that might result in cluster malfunctions.
The following example blocks the set of prefixes 192.168.1.0/24:
apiVersion: metallb.io/v1beta1
kind: MetalLB
metadata:
  name: metallb
  namespace: metallb-system
spec:
  bgpBackend: frr-k8s
  frrk8sConfig:
    alwaysBlock:
    - 192.168.1.0/24You can set FRR-K8s to block the Cluster Network CIDR and Service Network CIDR.
You can view the values for these CIDR address specifications by running the following command:
$ oc describe network.config/clusterThe following section provides reference examples that use the FRRConfiguration custom resource (CR).
You can use the routers field to configure multiple routers, one for each Virtual Routing and Forwarding (VRF) resource.
For each router, you must define the Autonomous System Number (ASN).
You can also define a list of Border Gateway Protocol (BGP) neighbors to connect to, as in the following example:
apiVersion: frrk8s.metallb.io/v1beta1
kind: FRRConfiguration
metadata:
  name: test
  namespace: frr-k8s-system
spec:
  bgp:
    routers:
    - asn: 64512
      neighbors:
      - address: 172.30.0.3
        asn: 4200000000
        ebgpMultiHop: true
        port: 180
      - address: 172.18.0.6
        asn: 4200000000
        port: 179By default, FRR-K8s does not advertise the prefixes configured as part of a router configuration.
In order to advertise them,  you use the toAdvertise field.
You can advertise a subset of the prefixes, as in the following example:
apiVersion: frrk8s.metallb.io/v1beta1
kind: FRRConfiguration
metadata:
  name: test
  namespace: frr-k8s-system
spec:
  bgp:
    routers:
    - asn: 64512
      neighbors:
      - address: 172.30.0.3
        asn: 4200000000
        ebgpMultiHop: true
        port: 180
        toAdvertise:
          allowed:
            prefixes: (1)
            - 192.168.2.0/24
      prefixes:
        - 192.168.2.0/24
        - 192.169.2.0/24| 1 | Advertises a subset of prefixes. | 
The following example shows you how to advertise all of the prefixes:
apiVersion: frrk8s.metallb.io/v1beta1
kind: FRRConfiguration
metadata:
  name: test
  namespace: frr-k8s-system
spec:
  bgp:
    routers:
    - asn: 64512
      neighbors:
      - address: 172.30.0.3
        asn: 4200000000
        ebgpMultiHop: true
        port: 180
        toAdvertise:
          allowed:
            mode: all (1)
      prefixes:
        - 192.168.2.0/24
        - 192.169.2.0/24| 1 | Advertises all prefixes. | 
By default, FRR-K8s does not process any prefixes advertised by a neighbor.
You can use the toReceive field  to process such addresses.
You can configure for a subset of the prefixes, as in this example:
apiVersion: frrk8s.metallb.io/v1beta1
kind: FRRConfiguration
metadata:
  name: test
  namespace: frr-k8s-system
spec:
  bgp:
    routers:
    - asn: 64512
      neighbors:
      - address: 172.18.0.5
          asn: 64512
          port: 179
          toReceive:
            allowed:
              prefixes:
              - prefix: 192.168.1.0/24
              - prefix: 192.169.2.0/24
                ge: 25 (1)
                le: 28 (1)| 1 | The prefix is applied if the prefix length is less than or equal to the leprefix length and greater than or equal to thegeprefix length. | 
The following example configures FRR to handle all the prefixes announced:
apiVersion: frrk8s.metallb.io/v1beta1
kind: FRRConfiguration
metadata:
  name: test
  namespace: frr-k8s-system
spec:
  bgp:
    routers:
    - asn: 64512
      neighbors:
      - address: 172.18.0.5
          asn: 64512
          port: 179
          toReceive:
            allowed:
              mode: allYou can use the bgp field to define various BFD profiles and associate them with a neighbor.
In the following example, BFD backs up the BGP session and FRR can detect link failures:
apiVersion: frrk8s.metallb.io/v1beta1
kind: FRRConfiguration
metadata:
  name: test
  namespace: frr-k8s-system
spec:
  bgp:
    routers:
    - asn: 64512
      neighbors:
      - address: 172.30.0.3
        asn: 64512
        port: 180
        bfdProfile: defaultprofile
    bfdProfiles:
      - name: defaultprofileBy default, FRR-K8s applies the configuration to all nodes where the daemon is running.
You can use the nodeSelector field to specify the nodes to which you want to apply the configuration. For example:
apiVersion: frrk8s.metallb.io/v1beta1
kind: FRRConfiguration
metadata:
  name: test
  namespace: frr-k8s-system
spec:
  bgp:
    routers:
    - asn: 64512
  nodeSelector:
    labelSelector:
    foo: "bar"The fields for the FRRConfiguration custom resource are described in the following table:
| Field | Type | Description | 
|---|---|---|
| 
 | 
 | Specifies the routers that FRR is to configure (one per VRF). | 
| 
 | 
 | The Autonomous System Number (ASN) to use for the local end of the session. | 
| 
 | 
 | Specifies the ID of the  | 
| 
 | 
 | Specifies the host vrf used to establish sessions from this router. | 
| 
 | 
 | Specifies the neighbors to establish BGP sessions with. | 
| 
 | 
 | Specifies the ASN to use for the remote end of the session. | 
| If you use this field, you cannot specify a value in the  | 
 | 
 | 
| Detects the ASN to use for the remote end of the session without explicitly setting it.
Specify  | 
 | 
 | 
| Specifies the IP address to establish the session with. | 
 | 
 | 
| Specifies the port to dial when establishing the session. Defaults to 179. | 
 | 
 | 
| Specifies the password to use for establishing the BGP session.
 | 
 | 
 | 
| Specifies the name of the authentication secret for the neighbor.
The secret must be of type "kubernetes.io/basic-auth", and in the same namespace as the FRR-K8s daemon.
The key "password" stores the password in the secret.
 | 
 | 
 | 
| Specifies the requested BGP hold time, per RFC4271. Defaults to 180s. | 
 | 
 | 
| Specifies the requested BGP keepalive time, per RFC4271.
Defaults to  | 
 | 
 | 
| Specifies how long BGP waits between connection attempts to a neighbor. | 
 | 
 | 
| Indicates if the BGPPeer is multi-hops away. | 
 | 
 | 
| Specifies the name of the BFD Profile to use for the BFD session associated with the BGP session. If not set, the BFD session is not set up. | 
 | 
 | 
| Represents the list of prefixes to advertise to a neighbor, and the associated properties. | 
 | 
 | 
| Specifies the list of prefixes to advertise to a neighbor. This list must match the prefixes that you define in the router. | 
 | 
 | 
| Specifies the mode to use when handling the prefixes.
You can set to  | 
 | 
 | 
| Specifies the prefixes associated with an advertised local preference. You must specify the prefixes associated with a local preference in the prefixes allowed to be advertised. | 
 | 
 | 
| Specifies the prefixes associated with the local preference. | 
 | 
 | 
| Specifies the local preference associated with the prefixes. | 
 | 
 | 
| Specifies the prefixes associated with an advertised BGP community. You must include the prefixes associated with a local preference in the list of prefixes that you want to advertise. | 
 | 
 | 
| Specifies the prefixes associated with the community. | 
 | 
 | 
| Specifies the community associated with the prefixes. | 
 | 
 | 
| Specifies the prefixes to receive from a neighbor. | 
 | 
 | 
| Specifies the information that you want to receive from a neighbor. | 
 | 
 | 
| Specifies the prefixes allowed from a neighbor. | 
 | 
 | 
| Specifies the mode to use when handling the prefixes.
When set to  | 
 | 
 | 
| Disables MP BGP to prevent it from separating IPv4 and IPv6 route exchanges into distinct BGP sessions. | 
 | 
 | 
| Specifies all prefixes to advertise from this router instance. | 
 | 
 | 
| Specifies the list of bfd profiles to use when configuring the neighbors. | 
 | 
 | 
| The name of the BFD Profile to be referenced in other parts of the configuration. | 
 | 
 | 
| Specifies the minimum interval at which this system can receive control packets, in milliseconds.
Defaults to  | 
 | 
 | 
| Specifies the minimum transmission interval, excluding jitter, that this system wants to use to send BFD control packets, in milliseconds.
Defaults to  | 
 | 
 | 
| Configures the detection multiplier to determine packet loss. To determine the connection loss-detection timer, multiply the remote transmission interval by this value. | 
 | 
 | 
| Configures the minimal echo receive transmission-interval that this system can handle, in milliseconds.
Defaults to  | 
 | 
 | 
| Enables or disables the echo transmission mode. This mode is disabled by default, and not supported on multihop setups. | 
 | 
 | 
| Mark session as passive. A passive session does not attempt to start the connection and waits for control packets from peers before it begins replying. | 
 | 
 | 
| For multihop sessions only. Configures the minimum expected TTL for an incoming BFD control packet. | 
 | 
 | 
| Limits the nodes that attempt to apply this configuration. If specified, only those nodes whose labels match the specified selectors attempt to apply the configuration. If it is not specified, all nodes attempt to apply this configuration. | 
 | 
 | 
In a case where multiple users add configurations that select the same node, FRR-K8s merges the configurations.
Each configuration can only extend others.
This means that it is possible to add a new neighbor to a router, or to advertise an additional prefix to a neighbor, but not possible to remove a component added by another configuration.
Certain configurations can cause conflicts, leading to errors, for example:
different ASN for the same router (in the same VRF)
different ASN for the same neighbor (with the same IP / port)
multiple BFD profiles with the same name but different values
When the daemon finds an invalid configuration for a node, it reports the configuration as invalid and reverts to the previous valid FRR configuration.
When merging, it is possible to do the following actions:
Extend the set of IPs that you want to advertise to a neighbor.
Add an extra neighbor with its set of IPs.
Extend the set of IPs to which you want to associate a community.
Allow incoming routes for a neighbor.
Each configuration must be self contained. This means, for example, that it is not possible to allow prefixes that are not defined in the router section by leveraging prefixes coming from another configuration.
If the configurations to be applied are compatible, merging works as follows:
FRR-K8s combines all the routers.
FRR-K8s merges all prefixes and neighbors for each router.
FRR-K8s merges all filters for each neighbor.
| A less restrictive filter has precedence over a stricter one. For example, a filter accepting some prefixes has precedence over a filter not accepting any, and a filter accepting all prefixes has precedence over one that accepts some. |