Red Hat SummitChapter 2. Ingress Operator in OpenShift Dedicated
The Ingress Operator implements the IngressController API and is the component responsible for enabling external access to OpenShift Dedicated cluster services.
This Operator is installed on OpenShift Dedicated clusters by default.
2.1. OpenShift Dedicated Ingress Operator
When you create your OpenShift Dedicated cluster, pods and services running on the cluster are each allocated their own IP addresses. The IP addresses are accessible to other pods and services running nearby but are not accessible to outside clients.
The Ingress Operator makes it possible for external clients to access your service by deploying and managing one or more HAProxy-based Ingress Controllers to handle routing.
Red Hat Site Reliability Engineers (SRE) manage the Ingress Operator for OpenShift Dedicated clusters. While you cannot alter the settings for the Ingress Operator, you may view the default Ingress Controller configurations, status, and logs as well as the Ingress Operator status.
2.2. View the default Ingress Controller
The Ingress Operator is a core feature of OpenShift Dedicated and is enabled out of the box.
Every new OpenShift Dedicated installation has an ingresscontroller named default. It can be supplemented with additional Ingress Controllers. If the default ingresscontroller is deleted, the Ingress Operator will automatically recreate it within a minute.
Procedure
View the default Ingress Controller:
$ oc describe --namespace=openshift-ingress-operator ingresscontroller/default
2.3. View Ingress Operator status
You can view and inspect the status of your Ingress Operator.
Procedure
View your Ingress Operator status:
$ oc describe clusteroperators/ingress
2.4. View Ingress Controller logs
You can view your Ingress Controller logs.
Procedure
View your Ingress Controller logs:
$ oc logs --namespace=openshift-ingress-operator deployments/ingress-operator -c <container_name>
2.5. View Ingress Controller status
Your can view the status of a particular Ingress Controller.
Procedure
View the status of an Ingress Controller:
$ oc describe --namespace=openshift-ingress-operator ingresscontroller/<name>
2.6. Management of default Ingress Controller functions
The following table details the components of the default Ingress Controller managed by the Ingress Operator and whether Red Hat Site Reliability Engineering (SRE) maintains this component on OpenShift Dedicated clusters.
| Ingress component | Managed by | Default configuration? |
|---|---|---|
| Scaling Ingress Controller | SRE | Yes |
| Ingress Operator thread count | SRE | Yes |
| Ingress Controller access logging | SRE | Yes |
| Ingress Controller sharding | SRE | Yes |
| Ingress Controller route admission policy | SRE | Yes |
| Ingress Controller wildcard routes | SRE | Yes |
| Ingress Controller X-Forwarded headers | SRE | Yes |
| Ingress Controller route compression | SRE | Yes |
2.7. Set namespace exclusions for the default ingress when creating a cluster
When you create an OpenShift Dedicated cluster in noninteractive mode, you can pass a namespace label selector so that namespaces matching those labels are excluded from the default application ingress. This allows you to exclude namespaces that host workloads through the default ingress, such as namespaces with sensitive data or internal services.
Prerequisites
-
You installed the
ocmCLI and logged in with credentials that can create clusters in Red Hat OpenShift Cluster Manager. -
You are using the noninteractive mode for
ocm create cluster. For interactive mode, use the prompts for ingress settings when they are available for yourocmversion.
Do not exclude namespaces that host required platform routes (for example, openshift-console or openshift-authentication). Excluding them can break the web console, downloads, or OAuth flows.
Procedure
-
Run
ocm create cluster -hand confirm that yourocmversion lists the--exclude-namespace-selectorflag. Build your
ocm create clustercommand with the required parameters for your cloud provider and subscription model.The following example shows only the ingress-related fragment. Replace the rest of the flags with the values required for your environment.
$ ocm create cluster <cluster_name> \ --provider=<aws_or_gcp> \ <other_required_flags> \ --default-ingress-excluded-namespace-selectors '<key>=<value>,<key2>=<value2>'where:
<cluster_name>- Specifies the cluster name.
--provider=<aws_or_gcp>- Specifies the cloud provider.
<other_required_flags>- Required parameters such as region, version, CCS settings, or billing flags, as described in the cluster creation documentation for your platform.
--default-ingress-excluded-namespace-selectors-
Specifies label selectors; namespaces whose labels match are excluded from the default application ingress, subject to validation by the service. Replace
<key>=<value>with your labels. Do not include spaces around the=sign.
Verification
After the cluster reaches
readystate, confirm ingress settings and inspect the default ingress object for the configured exclusion data.$ ocm list ingress -c <cluster_name>
2.8. Configure excluded namespaces for the default ingress controller
As a cluster administrator, you can use the OpenShift Cluster Manager CLI (ocm) to set which namespaces are excluded from the default application ingress on an existing cluster. Excluded namespaces do not have routes served by that ingress.
Prerequisites
-
You installed the
ocmCLI and logged in with credentials that can modify cluster ingress settings in Red Hat OpenShift Cluster Manager. - You have the cluster name, cluster ID, or external ID of your cluster.
Do not exclude namespaces that host required platform routes (for example, openshift-console or openshift-authentication). Excluding them can break the web console, downloads, or OAuth flows.
Procedure
Optional: Set your cluster name in a variable:
$ export CLUSTER_NAME=<cluster_name>List ingress endpoints for the cluster and note the
idof the default ingress:$ ocm list ingress -c ${CLUSTER_NAME}Optional: To store the default ingress ID in a variable:
$ export INGRESS_ID=$(ocm list ingress -c ${CLUSTER_NAME}| jq -r '.[] | select(.default == true) | .id')Edit the default ingress and set excluded namespaces as a comma-separated list of namespace names:
$ ocm edit ingress -c ${CLUSTER_NAME} ${INGRESS_ID} \ --excluded-namespaces 'namespace-one,namespace-two'Substitute
namespace-one,namespace-two, and any additional entries with the metadata names of the namespaces to exclude.
Verification
After the command completes, verify that the updated ingress object reflects your excluded namespace settings.
$ ocm list ingress -c <cluster_name>
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}