For OpenShift interviews, OVN-Kubernetes is one of the hottest topics because it replaced the legacy OpenShift SDN and is now the default networking stack in modern OpenShift Container Platform deployments.

What is OVN-Kubernetes?

OVN-Kubernetes combines:

• OVN (Open Virtual Network) → Control Plane
• Open vSwitch (OVS) → Data Plane

Think of it as:

OVN = Brain
OVS = Packet Forwarder

Architecture

                Kubernetes API
                       |
                OVN Controller
                       |
         +-------------+-------------+
         |                           |
   OVN Northbound DB          OVN Southbound DB
         |                           |
         +-------------+-------------+
                       |
                ovnkube-master
                       |
       ---------------------------------
       |               |               |
  Worker-1        Worker-2       Worker-3
       |               |               |
  ovnkube-node    ovnkube-node   ovnkube-node
       |               |               |
      OVS             OVS             OVS
       |               |               |
      Pods            Pods            Pods

Key OVN Components

ovnkube-master

Control plane component.

Responsibilities:

• Watches Kubernetes API
• Creates logical switches
• Creates logical routers
• Programs network policies

Check:

oc get pods -n openshift-ovn-kubernetes

ovnkube-node

Runs on every node.

Responsibilities:

• Creates pod interfaces
• Programs OVS flows
• Connects pods to OVN

Open vSwitch (OVS)

Actual packet forwarding.

On node:

oc debug node/<node>
chroot /host
ovs-vsctl show

Northbound Database

Stores desired state.

Example:

Pod A should talk to Pod B

Southbound Database

Stores actual implementation.

Example:

Flow entries
Routes
Tunnel endpoints

Important Interview Concept

Pod-to-Pod Communication

Pod A
  |
OVS
  |
Geneve Tunnel
  |
OVS
  |
Pod B

OVN uses:

GENEVE

not VXLAN.

How to Check OVN Health

Network Operator

oc get co network

Healthy:

Available=True
Degraded=False

OVN Pods

oc get pods -n openshift-ovn-kubernetes

Expected:

ovnkube-master
ovnkube-node

Logs

Master:

oc logs -n openshift-ovn-kubernetes <ovnkube-master>

Node:

oc logs -n openshift-ovn-kubernetes <ovnkube-node>

Common OVN Troubleshooting

Scenario 1

Pod cannot reach another pod

Test:

oc exec -it <pod> -- ping <pod-ip>

Check:

oc get networkpolicy -A

Most common cause:

• NetworkPolicy

Scenario 2

Service not working

Check:

oc get svc
oc get endpoints

If endpoints empty:

Wrong selector

Scenario 3

Only one node affected

Check:

oc get pods -A -o wide

Find affected node.

Then:

oc logs -n openshift-ovn-kubernetes <ovnkube-node>

Check OVS:

ovs-vsctl show

Scenario 4

DNS failure

Check:

oc get pods -n openshift-dns

Test:

nslookup kubernetes.default

OVN Commands Every Interview Candidate Should Know

Check OVN pods

oc get pods -n openshift-ovn-kubernetes

Check network operator

oc get co network

Node debug

oc debug node/<node>
chroot /host

Show OVS

ovs-vsctl show

Show OVS interfaces

ovs-vsctl list interface

Check routes

ip route

Check network policies

oc get networkpolicy -A

Gather network logs

oc adm must-gather -- /usr/bin/gather_network_logs

Very common interview answer.

OVN Network Policies

Example:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend
spec:
  podSelector:
    matchLabels:
      app: backend
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend

Meaning:

Only frontend can reach backend

OVN Egress Features

OpenShift-specific features:

EgressIP

Force namespace traffic to use:

Specific Source IP

Useful for:

Bank allowlists
Firewall rules

Check:

oc get egressip

EgressFirewall

Restrict outbound traffic.

Check:

oc get egressfirewall -A

OVN vs OpenShift SDN

Common Interview Question

“A pod cannot reach another pod. How do you troubleshoot?”

Answer:

1. Verify pod health
2. Test direct pod-to-pod connectivity
3. Check NetworkPolicies
4. Check OVN pods
5. Review ovnkube-node logs
6. Verify OVS configuration
7. Check node routes and MTU
8. Run network must-gather if required

2-Minute Interview Answer

OVN-Kubernetes is OpenShift’s default networking stack. It uses OVN as the control plane and Open vSwitch as the data plane. OVN manages logical switches, routers, services, and network policies, while OVS handles packet forwarding on each node. Traffic between nodes is encapsulated using Geneve tunnels. For troubleshooting, I typically verify the network operator status, check ovnkube-master and ovnkube-node pods, review logs, inspect OVS using ovs-vsctl show, validate network policies, and use must-gather for deeper analysis. I also verify service endpoints, DNS, node routing, MTU settings, and egress configurations such as EgressIP and EgressFirewall.