Chapter 2. Ingress Operator in OpenShift Dedicated
The Ingress Operator implements the IngressController API and is the component responsible for enabling external access to OpenShift Dedicated cluster services.
This Operator is installed on OpenShift Dedicated clusters by default.
2.1. OpenShift Dedicated Ingress Operator
When you create your OpenShift Dedicated cluster, pods and services running on the cluster are each allocated their own IP addresses. The IP addresses are accessible to other pods and services running nearby but are not accessible to outside clients.
The Ingress Operator makes it possible for external clients to access your service by deploying and managing one or more HAProxy-based Ingress Controllers to handle routing.
Red Hat Site Reliability Engineers (SRE) manage the Ingress Operator for OpenShift Dedicated clusters. While you cannot alter the settings for the Ingress Operator, you may view the default Ingress Controller configurations, status, and logs as well as the Ingress Operator status.
2.2. View the default Ingress Controller
The Ingress Operator is a core feature of OpenShift Dedicated and is enabled out of the box.
Every new OpenShift Dedicated installation has an ingresscontroller named default. It can be supplemented with additional Ingress Controllers. If the default ingresscontroller is deleted, the Ingress Operator will automatically recreate it within a minute.
Procedure
View the default Ingress Controller:
$ oc describe --namespace=openshift-ingress-operator ingresscontroller/default
2.3. View Ingress Operator status
You can view and inspect the status of your Ingress Operator.
Procedure
View your Ingress Operator status:
$ oc describe clusteroperators/ingress
2.4. View Ingress Controller logs
You can view your Ingress Controller logs.
Procedure
View your Ingress Controller logs:
$ oc logs --namespace=openshift-ingress-operator deployments/ingress-operator -c <container_name>
2.5. View Ingress Controller status
You can view the status of a particular Ingress Controller.
Procedure
View the status of an Ingress Controller:
$ oc describe --namespace=openshift-ingress-operator ingresscontroller/<name>
2.6. Management of default Ingress Controller functions
The following table details the components of the default Ingress Controller managed by the Ingress Operator and whether Red Hat Site Reliability Engineering (SRE) maintains this component on OpenShift Dedicated clusters.
| Ingress component | Managed by | Default configuration? |
|---|---|---|
| Scaling Ingress Controller | SRE | Yes |
| Ingress Operator thread count | SRE | Yes |
| Ingress Controller access logging | SRE | Yes |
| Ingress Controller sharding | SRE | Yes |
| Ingress Controller route admission policy | SRE | Yes |
| Ingress Controller wildcard routes | SRE | Yes |
| Ingress Controller X-Forwarded headers | SRE | Yes |
| Ingress Controller route compression | SRE | Yes |
2.7. Set namespace exclusions for the default ingress when creating a cluster
When you create an OpenShift Dedicated cluster, you can specify a namespace label selector so that namespaces matching those labels are excluded from the default application ingress. This lets you keep namespaces whose workloads should not be exposed through the default ingress, such as namespaces with sensitive data or internal services, off that ingress.
Do not exclude namespaces that host required platform routes (for example, openshift-console or openshift-authentication). Excluding them can break the web console, downloads, or OAuth flows.
2.7.1. Set namespace exclusions for the default ingress when creating a cluster in the CLI
Use the ocm CLI to pass namespace exclusions for the default ingress while creating your cluster.
Prerequisites
- You installed the ocm CLI and logged in with credentials that can create clusters in Red Hat OpenShift Cluster Manager.
- You are using the noninteractive mode for ocm create cluster. For interactive mode, use the prompts for ingress settings when they are available for your ocm version.
Procedure
- Run ocm create cluster -h and confirm that your ocm version lists the --exclude-namespace-selector flag.
- Build your ocm create cluster command with the required parameters for your cloud provider and subscription model.
  The following example shows only the ingress-related fragment. Replace the rest of the flags with the values required for your environment.
  $ ocm create cluster <cluster_name> \
      --provider=<aws_or_gcp> \
      <other_required_flags> \
      --default-ingress-excluded-namespace-selectors '<key>=<value>,<key2>=<value2>'
  where:
  <cluster_name>: Specifies the cluster name.
  --provider=<aws_or_gcp>: Specifies the cloud provider.
  <other_required_flags>: Required parameters such as region, version, Customer Cloud Subscription (CCS) settings, or billing flags, as described in the cluster creation documentation for your platform.
  --default-ingress-excluded-namespace-selectors: Specifies label selectors that exclude matching namespaces from the default application ingress. The service validates these exclusions. Replace <key>=<value> with your labels. Do not include spaces around the = sign.
Verification
After the cluster reaches ready state, confirm ingress settings and inspect the default ingress object for the configured exclusion data.
$ ocm list ingress -c <cluster_name>
2.7.2. Changing namespace exclusions for the default ingress on your cluster in the CLI
Use the ocm CLI to pass namespace exclusions for the default ingress to your OpenShift Dedicated cluster.
Prerequisites
- You installed the ocm CLI and logged in with credentials that can modify clusters in Red Hat OpenShift Cluster Manager.
- You have configured an OpenShift Dedicated cluster.
Procedure
Run the following command to pass the namespace exclusions to your cluster:
$ ocm edit ingress <ingress_name> -c <cluster_id> \
    --excluded-namespace-selectors "key1=val1,key2=val2,key1=val3,foo=bar" \
    <cluster_name>
where:
<ingress_name>: Specifies your ingress name.
<cluster_id>: Specifies your cluster ID.
--excluded-namespace-selectors "key1=val1,key2=val2,key1=val3,foo=bar": Specifies label selectors that exclude matching namespaces from the default application ingress. The service validates these exclusions. Replace <key>=<value> with your labels. Do not include spaces around the = sign.
<cluster_name>: Specifies the cluster name.
2.7.3. Set namespace exclusions for the default ingress when creating a cluster in Red Hat OpenShift Cluster Manager
Specify a namespace label selector so that namespaces matching those labels are excluded from the default application ingress when creating an OpenShift Dedicated cluster in OpenShift Cluster Manager.
Procedure
- On the Networking screen, select Custom Settings under Application ingress settings.
  Note: All of the custom settings are optional.
  - In Route selector, enter a comma-separated list of key=value pairs to limit which routes this ingress exposes. Leave the field empty if all routes should remain eligible based on your other choices.
  - In Excluded namespaces, enter a comma-separated list of namespace names whose routes must not use this ingress.
  - In Exclude namespace selectors, specify one or more label selectors. For each selector, provide a label key and a comma-separated list of label values. The default Ingress Controller does not apply to namespaces whose labels satisfy any of the configured selectors.
    Important: Do not include spaces around commas, for example, use finance,HR,legal, and not finance, HR, legal.
  - Set Namespace ownership policy for route admission when namespaces share hostnames, for example, select Strict for restrictive admission.
  - Set Wildcard policy to allow or disallow wildcard patterns in route hostnames, for example, select Disallowed to block wildcard host routes.
  For more information about custom application ingress settings, click the information icon provided for each setting.
2.7.4. Change namespace exclusions for the ingress on a cluster in Red Hat OpenShift Cluster Manager
Specify a namespace label selector so that namespaces matching those labels are excluded from the default application ingress on your configured OpenShift Dedicated cluster in OpenShift Cluster Manager.
Procedure
- From OpenShift Cluster Manager, navigate to the Cluster List page and select the cluster that you want to set namespace exclusions for.
- On the selected cluster, select the Networking tab.
- Select Edit application ingress.
  Note: All of the custom settings are optional.
  - In Route selector, enter a comma-separated list of key=value pairs to limit which routes this ingress exposes. Leave the field empty if all routes should remain eligible based on your other choices.
  - In Excluded namespaces, enter a comma-separated list of namespace names whose routes must not use this ingress.
  - In Exclude namespace selectors, specify one or more label selectors. For each selector, provide a label key and a comma-separated list of label values. The default Ingress Controller does not apply to namespaces whose labels satisfy any of the configured selectors.
    Important: Do not include spaces around commas, for example, use finance,HR,legal, and not finance, HR, legal.
  - Set Namespace ownership policy for route admission when namespaces share hostnames, for example, select Strict for restrictive admission.
  - Set Wildcard policy to allow or disallow wildcard patterns in route hostnames, for example, select Disallowed to block wildcard host routes.
  For more information about custom application ingress settings, click the information icon provided for each setting.
- Select Save to configure the ingress with your changes.
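A pre-flight check for an exclusion selector string before it is passed to ocm or typed into Cluster Manager, as an added example (not Red Hat's code and not the service's own validation): it rejects pairs that contain spaces, then reports which namespaces would be excluded and whether any required platform namespace is among them. The function names, the token regex, the sample namespace labels, and applying the "any configured selector" rule from the Exclude namespace selectors description to the CLI string are assumptions.

```python
import re

# Platform namespaces the page says must not be excluded from the default ingress.
REQUIRED_PLATFORM_NAMESPACES = {"openshift-console", "openshift-authentication"}

# Assumed token shape (key=value, no whitespace); not the service's validation rule.
PAIR = re.compile(r"^[A-Za-z0-9._/-]+=[A-Za-z0-9._-]+$")


def parse_selectors(spec):
    """Parse 'k1=v1,k2=v2,k1=v3' into {key: {values}}; reject spaces and malformed pairs."""
    selectors = {}
    for pair in spec.split(","):
        if not PAIR.match(pair):
            raise ValueError(f"malformed selector {pair!r}: use key=value with no spaces")
        key, value = pair.split("=", 1)
        selectors.setdefault(key, set()).add(value)
    return selectors


def excluded_namespaces(selectors, namespaces):
    """Names whose labels satisfy any selector (key present with one of the listed values)."""
    return sorted(
        name for name, labels in namespaces.items()
        if any(labels.get(key) in values for key, values in selectors.items())
    )


def preflight(spec, namespaces):
    """Return (excluded, blocked); blocked = required platform namespaces that would be excluded."""
    excluded = excluded_namespaces(parse_selectors(spec), namespaces)
    blocked = [n for n in excluded if n in REQUIRED_PLATFORM_NAMESPACES]
    return excluded, blocked


# Constructed sample: namespace -> labels, e.g. reduced from `oc get namespaces -o json`.
SAMPLE_NAMESPACES = {
    "payments": {"team": "finance", "tier": "restricted"},
    "hr-portal": {"team": "HR"},
    "storefront": {"team": "web"},
    "openshift-console": {"tier": "restricted"},  # constructed label, shows the failure case
    "openshift-authentication": {},
}

if __name__ == "__main__":
    for spec in ("team=finance,team=HR", "tier=restricted", "team=finance, team=HR"):
        try:
            excluded, blocked = preflight(spec, SAMPLE_NAMESPACES)
            print(f"{spec!r}: excluded={excluded} blocked={blocked}")
        except ValueError as err:
            print(f"{spec!r}: rejected ({err})")
```

A non-empty blocked list means the selector would take a required platform route off the default ingress; change the selector or the namespace labels before applying it.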