Ce contenu n'est pas disponible dans la langue sélectionnée.
Chapter 3. Understanding and configuring the router
Learn about default and custom settings for configuring the router and route admission policy with MicroShift.
3.1. About configuring the router
To make ingress optional, you can configure MicroShift ingress router settings to manage which ports, if any, are exposed to network traffic. Specified routing is an example of ingress load balancing.
-
The default ingress router is always on, running on all IP addresses on the
http: 80andhttps: 443ports. - Default router settings allow access to any namespace.
Some applications running on top of MicroShift might not require the default router and instead create their own. You can configure the router to control both ingress and namespace access.
You can check for the presence of the default router in your MicroShift installation before you begin configurations by using the oc get deployment -n openshift-ingress command, which returns the following output:
NAME READY UP-TO-DATE AVAILABLE AGE router-default 1/1 1 1 2d23h
3.1.1. Router settings and valid values
The ingress router settings consist of the following parameters and valid values:
Example config.yaml router settings
# ...
ingress:
listenAddress:
- "" 1
ports: 2
http: 80
https: 443
routeAdmissionPolicy:
namespaceOwnership: InterNamespaceAllowed 3
status: Managed 4
# ...
- 1
- The
ingress.listenAddressvalue defaults to the entire network of the host. Valid customizable values can be a single IP address or host name or a list of IP addresses or host names. - 2
- Valid values for both port entries are a single, unique port in the 1-65535 range. The values of the
ports.httpandports.httpsfields cannot be the same. - 3
- Default value. Allows routes to claim different paths of the same host name across namespaces.
- 4
- Default value.
Managedis required for the ingress ports to remain open.
The firewalld service is bypassed by the default MicroShift router and by configurations that enable the router. Ingress and egress must be controlled by setting network policies when the router is active.
3.2. Disabling the router
In use cases such as industrial IoT spaces where MicroShift pods only need to connect to southbound operational systems and northbound cloud-data systems, inbound services are not needed. Use this procedure to disable the router in such egress-only use cases.
Prerequisites
- You installed MicroShift.
-
You created a MicroShift
config.yamlfile. -
The OpenShift CLI (
oc) is installed.
If you complete all the configurations that you need to make in the MicroShift config.yaml file at the same time, you can minimize system restarts.
Procedure
Update the value of
ingress.statusfield toRemovedin the MicroShiftconfig.yamlfile as shown in the following example:Example
config.yamlingress stanza# ... ingress: ports: http: 80 https: 443 routeAdmissionPolicy: namespaceOwnership: InterNamespaceAllowed status: Removed 1 # ...- 1
- When the value is set to
Removed, the ports listed iningress.portsare automatically closed. Any other settings in theingressstanza are ignored, for example, any values in therouteAdmissionPolicy.namespaceOwnershipfield.
Restart the MicroShift service by running the following command:
$ sudo systemctl restart microshift
NoteThe MicroShift service outputs current configurations during restarts.
Verification
After the system restarts, verify that the router has been removed and that ingress is stopped by running the following command:
$ oc -n openshift-ingress get svc
Expected output
No resources found in openshift-ingress namespace.
3.3. Configuring router ingress
If your MicroShift applications need to listen only for data traffic, you can configure the listenAddress setting to isolate your devices. You can also configure specific ports and IP addresses for network connections. Use the combination required to customize the endpoint configuration for your use case.
3.3.1. Configuring router ports
You can control which ports your devices use by configuring the router ingress fields.
Prerequisites
- You installed MicroShift.
-
You created a MicroShift
config.yamlfile. -
The OpenShift CLI (
oc) is installed.
If you complete all the configurations that you need to make in the MicroShift config.yaml file at the same time, you can minimize system restarts.
Procedure
Update the MicroShift
config.yamlport values in theingress.ports.httpandingress.ports.httpsfields to the ports you want to use:Example
config.yamlrouter settings# ... ingress: ports: 1 http: 80 https: 443 routeAdmissionPolicy: namespaceOwnership: InterNamespaceAllowed status: Managed 2 # ...
Restart the MicroShift service by running the following command:
$ sudo systemctl restart microshift
3.3.2. Configuring router IP addresses
You can restrict the network traffic to the router by configuring specific IP addresses. For example:
- Use cases where the router is reachable only on internal networks, but not on northbound public networks
- Use cases where the router is reachable only by northbound public networks, but not on internal networks
- Use cases where the router is reachable by both internal networks and northbound public networks, but on separate IP addresses
Prerequisites
- You installed MicroShift.
-
You created a MicroShift
config.yamlfile. -
The OpenShift CLI (
oc) is installed.
If you complete all the configurations that you need to make in the MicroShift config.yaml file at the same time, you can minimize system restarts.
Procedure
Update the list in the
ingress.listenAddressfield in the MicroShiftconfig.yamlaccording to your requirements and as shown in the following examples:Default router IP address list
# ... ingress: listenAddress: - "<host_network>" 1 # ...- 1
- The
ingress.listenAddressvalue defaults to the entire network of the host. To continue to use the default list, remove thelisten.Addressfield from the MicroShiftconfig.yamlfile. To customize this parameter, use a list. The list can contain either a single IP address or NIC name or multiple IP addresses and NIC names.
ImportantYou must either remove the
listenAddressparameter or add values to it in the form of a list when using theconfig.yamlfile. Do not leave the field empty or MicroShift crashes on restart.Example router setting with a single host IP address
# ... ingress: listenAddress: - 10.2.1.100 # ...Example router setting with a combination of IP addresses and NIC names
# ... ingress: listenAddress: - 10.2.1.100 - 10.2.2.10 - ens3 # ...Restart the MicroShift service by running the following command:
$ sudo systemctl restart microshift
Verification
-
To verify that your settings are applied, make sure that the
ingress.listenAddressIP addresses are reachable, then you cancurlthe route with the destination to one of these load balancer IP address.
3.4. Additional resources
- Default settings (MicroShift)
- About network policies
3.5. Configuring the route admission policy
By default, MicroShift allows routes in multiple namespaces to use the same hostname. You can prevent routes from claiming the same hostname in different namespaces by configuring the route admission policy.
Prerequisites
- You installed MicroShift.
-
You created a MicroShift
config.yamlfile. You installed the OpenShift CLI (
oc).TipIf you complete all the configurations that you need to make in the MicroShift
config.yamlfile at the same time, you can minimize system restarts.
Procedure
To prevent routes in different namespaces from claiming the same hostname, update the
namespaceOwnershipfield value toStrictin the MicroShiftconfig.yamlfile. See the following example:Example
config.yamlroute admission policy# ... ingress: routeAdmissionPolicy: namespaceOwnership: Strict 1 # ...- 1
- Prevents routes in different namespaces from claiming the same host. Valid values are
StrictandInterNamespaceAllowed. If you delete the value in a customizedconfig.yaml, theInterNamespaceAllowedvalue is set automatically.
To apply the configuration, restart the MicroShift service by running the following command:
$ sudo systemctl restart microshift
