Chapter 7. Configuring a gateway
As a cluster administrator you can configure the gatewayConfig object to manage how external traffic leaves the cluster. You do so by setting the routingViaHost parameter to one of the following values:
- true means that egress traffic routes through a specific local gateway on the node that hosts the pod. Egress traffic routes through the host, and the routing table of the host applies to this traffic.
- false means that egress traffic routes through a dedicated node, with a group of nodes sharing the same gateway. Egress traffic does not route through the host; Open vSwitch (OVS) outputs traffic directly to the node IP interface.
7.1. Configuring egress routing policies
As a cluster administrator you can configure egress routing policies by using the gatewayConfig specification in the Cluster Network Operator (CNO). You can use the following procedure to set the routingViaHost field to true or false.
You can follow the optional step in the procedure to enable IP forwarding alongside the routingViaHost=true configuration if you need the host network of the node to act as a router for traffic not related to OVN-Kubernetes. For example, possible use cases for combining local gateway with IP forwarding include:
- Configuring all pod egress traffic to be forwarded via the node’s IP
- Integrating OVN-Kubernetes CNI with external network address translation (NAT) devices
- Configuring OVN-Kubernetes CNI to use a kernel routing table
Prerequisites
- You are logged in as a user with admin privileges.
Procedure
1. Back up the existing network configuration by running the following command:
   $ oc get network.operator cluster -o yaml > network-config-backup.yaml
2. Set the routingViaHost parameter to true by entering the following command. Egress traffic then gets routed through a specific gateway according to the routes that you configured on the node.
   $ oc patch networks.operator.openshift.io cluster --type=merge -p '{"spec":{"defaultNetwork":{"ovnKubernetesConfig":{"gatewayConfig":{"routingViaHost": true}}}}}'
3. Verify the correct application of the routingViaHost=true configuration by running the following command:
   $ oc get networks.operator.openshift.io cluster -o yaml | grep -A 5 "gatewayConfig"
   Example output
   apiVersion: operator.openshift.io/v1
   kind: Network
   metadata:
     name: cluster
   # ...
         gatewayConfig:
           ipv4: {}
           ipv6: {}
           routingViaHost: true 1
         genevePort: 6081
         ipsecConfig:
   # ...
   1 A value of true means that egress traffic gets routed through a specific local gateway on the node that hosts the pod. A value of false for the parameter means that a group of nodes share a single gateway, so traffic does not get routed through a single host.
4. Optional: Enable IP forwarding globally by running the following command:
   $ oc patch network.operator cluster --type=merge -p '{"spec":{"defaultNetwork":{"ovnKubernetesConfig":{"gatewayConfig":{"ipForwarding": "Global"}}}}}'
5. Verify that the ipForwarding spec has been set to Global by running the following command:
   $ oc get networks.operator.openshift.io cluster -o yaml | grep -A 5 "gatewayConfig"
   Example output
   apiVersion: operator.openshift.io/v1
   kind: Network
   metadata:
     name: cluster
   # ...
         gatewayConfig:
           ipForwarding: Global
           ipv4: {}
           ipv6: {}
           routingViaHost: true
         genevePort: 6081
   # ...
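The two oc patch commands above use --type=merge, which sends a JSON merge patch (RFC 7386): nested objects are merged recursively, so sibling fields such as genevePort and ipsecConfig survive and only the gatewayConfig keys named in the patch change. The following is an added example, not Red Hat documentation code: it builds the same patch bodies, applies them with a merge-patch routine to a constructed Network object shaped like the example output, and checks the resulting gatewayConfig the way the grep verification step does. The sample object and its field values are constructed for illustration.

```python
import copy
import json

# Constructed sample: the relevant part of the Network operator object before
# the procedure runs (assumption: shaped like the page's example output).
CURRENT_NETWORK = {
    "apiVersion": "operator.openshift.io/v1",
    "kind": "Network",
    "metadata": {"name": "cluster"},
    "spec": {
        "defaultNetwork": {
            "type": "OVNKubernetes",
            "ovnKubernetesConfig": {
                "gatewayConfig": {"ipv4": {}, "ipv6": {}, "routingViaHost": False},
                "genevePort": 6081,
                "ipsecConfig": {},
            },
        }
    },
}


def merge_patch(target, patch):
    """Apply a JSON merge patch (RFC 7386), the semantics of `oc patch --type=merge`.

    Objects merge recursively, a null value deletes the key, any other value
    replaces the existing one. The target is not modified in place.
    """
    if not isinstance(patch, dict):
        return copy.deepcopy(patch)
    result = copy.deepcopy(target) if isinstance(target, dict) else {}
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)
        else:
            result[key] = merge_patch(result.get(key), value)
    return result


def gateway_patch(**fields):
    """Build the -p payload used in the procedure, e.g. gateway_patch(routingViaHost=True)."""
    body = {"spec": {"defaultNetwork": {"ovnKubernetesConfig": {"gatewayConfig": fields}}}}
    return json.dumps(body)


def gateway_config(network):
    """Return the gatewayConfig block that `grep -A 5 gatewayConfig` would show."""
    return network["spec"]["defaultNetwork"]["ovnKubernetesConfig"]["gatewayConfig"]


def verify_gateway(network, expected):
    """Compare gatewayConfig against expected values; return the fields that differ."""
    gw = gateway_config(network)
    return {key: gw.get(key) for key, value in expected.items() if gw.get(key) != value}


def apply_procedure(network, enable_ip_forwarding=False):
    """Run steps 2 and (optionally) 4 of the procedure against an in-memory object."""
    patched = merge_patch(network, json.loads(gateway_patch(routingViaHost=True)))
    if enable_ip_forwarding:
        patched = merge_patch(patched, json.loads(gateway_patch(ipForwarding="Global")))
    return patched


if __name__ == "__main__":
    after = apply_procedure(CURRENT_NETWORK, enable_ip_forwarding=True)
    print(json.dumps(gateway_config(after), indent=2))
    print("drift:", verify_gateway(after, {"routingViaHost": True, "ipForwarding": "Global"}))
```

Keeping the backup from step 1 lets you diff the live object against it after the patch; the merge-patch semantics shown here are also why the second patch (ipForwarding) does not undo the first (routingViaHost).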