Networking Operators
Managing networking-specific Operators in OpenShift Dedicated
Abstract
Chapter 1. DNS Operator in OpenShift Dedicated
In OpenShift Dedicated, the DNS Operator deploys and manages a CoreDNS instance to provide a name resolution service to pods inside the cluster, enables DNS-based Kubernetes Service discovery, and resolves internal cluster.local names.
This Operator is installed on OpenShift Dedicated clusters by default.
1.1. Using DNS forwarding
Configure DNS forwarding servers and upstream resolvers for the cluster.
You can use DNS forwarding to override the default forwarding configuration in the /etc/resolv.conf file in the following ways:
- Specify name servers (spec.servers) for every zone. If the forwarded zone is the ingress domain managed by OpenShift Dedicated, then the upstream name server must be authorized for the domain.
  Important: You must specify at least one zone. Otherwise, your cluster can lose functionality.
- Provide a list of upstream DNS servers (spec.upstreamResolvers).
- Change the default forwarding policy.
A DNS forwarding configuration for the default domain can have both the default servers specified in the /etc/resolv.conf file and the upstream DNS servers.
During pod creation, Kubernetes uses the /etc/resolv.conf file that exists on a node. If you modify the /etc/resolv.conf file on a host node, the changes do not propagate to the /etc/resolv.conf file that exists in a container. You must re-create the container for changes to take effect.
Procedure
Modify the DNS Operator object named default:
$ oc edit dns.operator/default
After you issue the previous command, the Operator creates and updates the config map named dns-default with additional server configuration blocks based on spec.servers.
Important: When specifying values for the zones parameter, ensure that you only forward to specific zones, such as your intranet. You must specify at least one zone. Otherwise, your cluster can lose functionality.
If none of the servers have a zone that matches the query, then name resolution falls back to the upstream DNS servers.
Configuring DNS forwarding
```yaml
apiVersion: operator.openshift.io/v1
kind: DNS
metadata:
  name: default
spec:
  cache:
    negativeTTL: 0s
    positiveTTL: 0s
  logLevel: Normal
  nodePlacement: {}
  operatorLogLevel: Normal
  servers:
  - name: example-server
    zones:
    - example.com
    forwardPlugin:
      policy: Random
      upstreams:
      - 1.1.1.1
      - 2.2.2.2:5353
  upstreamResolvers:
    policy: Random
    protocolStrategy: ""
    transportConfig: {}
    upstreams:
    - type: SystemResolvConf
    - type: Network
      address: 1.2.3.4
      port: 53
status:
  clusterDomain: cluster.local
  clusterIP: x.y.z.10
  conditions: ...
```
where:
- spec.servers.name: Must comply with the rfc6335 service name syntax.
- spec.servers.zones: Must conform to the rfc1123 subdomain syntax. The cluster domain cluster.local is invalid for zones.
- spec.servers.forwardPlugin.policy: Specifies the upstream selection policy. Defaults to Random; allowed values are RoundRobin and Sequential.
- spec.servers.forwardPlugin.upstreams: Must provide no more than 15 upstreams entries per forwardPlugin.
- spec.upstreamResolvers.upstreams: Specifies an upstreamResolvers to override the default forwarding policy and forward DNS resolution to the specified DNS resolvers (upstream resolvers) for the default domain. You can use this field when you need custom upstream resolvers; otherwise queries use the servers declared in /etc/resolv.conf.
- spec.upstreamResolvers.policy: Specifies the upstream selection order. Defaults to Sequential; allowed values are Random, RoundRobin, and Sequential.
- spec.upstreamResolvers.protocolStrategy: Specify TCP to force the protocol to use for upstream DNS requests, even if the request uses UDP. Valid values are TCP and omitted. When omitted, the platform chooses a default, normally the protocol of the original client request.
- spec.upstreamResolvers.transportConfig: Specifies the transport type, server name, and optional custom CA or CA bundle to use when forwarding DNS requests to an upstream resolver.
- spec.upstreamResolvers.upstreams.type: Specifies two types of upstreams: SystemResolvConf or Network. SystemResolvConf configures the upstream to use /etc/resolv.conf and Network defines a Network resolver. You can specify one or both.
- spec.upstreamResolvers.upstreams.address: Specifies a valid IPv4 or IPv6 address when type is Network.
- spec.upstreamResolvers.upstreams.port: Specifies an optional field to provide a port number. Valid values are between 1 and 65535; defaults to 853 when omitted.
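As an added pre-flight check that is not part of the Red Hat documentation, the following Python function validates a DNS Operator spec against the field rules listed above (at least one zone per server, cluster.local never a forwarded zone, at most 15 upstreams, allowed policy and type values, valid address and port) before you apply it with oc edit. The rfc6335 and rfc1123 regular expressions are a simplified interpretation of those RFCs, not the API's own validation, and SAMPLE_SPEC is a constructed dict mirroring the example.

```python
import ipaddress
import re

POLICIES = {"Random", "RoundRobin", "Sequential"}
# Simplified rfc6335 service name (1-15 chars, at least one letter, no edge hyphens) and
# simplified rfc1123 subdomain (dot-separated lowercase labels); assumptions, not the API's checks.
SERVICE_NAME = re.compile(r"^(?=.*[a-z])[a-z0-9]([a-z0-9-]{0,13}[a-z0-9])?$")
SUBDOMAIN = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$")

def validate_dns_spec(spec):
    """Return the list of rule violations in a DNS Operator 'spec' dict (empty list = passes)."""
    problems = []
    for i, srv in enumerate(spec.get("servers", [])):
        where, name = f"servers[{i}]", srv.get("name", "")
        if not SERVICE_NAME.match(name) or "--" in name:
            problems.append(f"{where}.name {name!r} is not an rfc6335 service name")
        zones = srv.get("zones") or []
        if not zones:  # a server with no zone can cost the cluster name resolution
            problems.append(f"{where}.zones must contain at least one zone")
        for zone in zones:
            if zone == "cluster.local" or len(zone) > 253 or not SUBDOMAIN.match(zone):
                problems.append(f"{where}.zones entry {zone!r} is not a valid forwarding zone")
        plugin = srv.get("forwardPlugin", {})
        if plugin.get("policy", "Random") not in POLICIES:
            problems.append(f"{where}.forwardPlugin.policy {plugin.get('policy')!r} is not allowed")
        if len(plugin.get("upstreams", [])) > 15:
            problems.append(f"{where}.forwardPlugin.upstreams has more than 15 entries")
    resolvers = spec.get("upstreamResolvers", {})
    if resolvers.get("policy", "Sequential") not in POLICIES:
        problems.append(f"upstreamResolvers.policy {resolvers.get('policy')!r} is not allowed")
    if resolvers.get("protocolStrategy", "") not in ("", "TCP"):
        problems.append("upstreamResolvers.protocolStrategy must be TCP or omitted")
    for i, up in enumerate(resolvers.get("upstreams", [])):
        where = f"upstreamResolvers.upstreams[{i}]"
        if up.get("type") not in ("SystemResolvConf", "Network"):
            problems.append(f"{where}.type must be SystemResolvConf or Network")
        elif up["type"] == "Network":
            try:
                ipaddress.ip_address(up.get("address", ""))
            except ValueError:
                problems.append(f"{where}.address {up.get('address')!r} is not an IP address")
            port = up.get("port", 853)  # 853 is the documented default when omitted
            if not isinstance(port, int) or not 1 <= port <= 65535:
                problems.append(f"{where}.port {port!r} is outside 1-65535")
    return problems

SAMPLE_SPEC = {  # constructed sample mirroring the page's example; addresses are placeholders
    "servers": [{"name": "example-server", "zones": ["example.com"], "forwardPlugin": {"policy": "Random", "upstreams": ["1.1.1.1", "2.2.2.2:5353"]}}],
    "upstreamResolvers": {"policy": "Random", "upstreams": [{"type": "SystemResolvConf"}, {"type": "Network", "address": "1.2.3.4", "port": 53}]}}
```

Run validate_dns_spec on the dict you get from parsing your own DNS object; an empty list means every documented constraint is met.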
Chapter 2. Ingress Operator in OpenShift Dedicated
The Ingress Operator implements the IngressController API and is the component responsible for enabling external access to OpenShift Dedicated cluster services.
This Operator is installed on OpenShift Dedicated clusters by default.
2.1. OpenShift Dedicated Ingress Operator
When you create your OpenShift Dedicated cluster, pods and services running on the cluster are each allocated their own IP addresses. The IP addresses are accessible to other pods and services running nearby but are not accessible to outside clients.
The Ingress Operator makes it possible for external clients to access your service by deploying and managing one or more HAProxy-based Ingress Controllers to handle routing.
Red Hat Site Reliability Engineers (SRE) manage the Ingress Operator for OpenShift Dedicated clusters. While you cannot alter the settings for the Ingress Operator, you may view the default Ingress Controller configurations, status, and logs as well as the Ingress Operator status.
2.2. View the default Ingress Controller
The Ingress Operator is a core feature of OpenShift Dedicated and is enabled out of the box.
Every new OpenShift Dedicated installation has an ingresscontroller named default. It can be supplemented with additional Ingress Controllers. If the default ingresscontroller is deleted, the Ingress Operator will automatically recreate it within a minute.
Procedure
View the default Ingress Controller:
$ oc describe --namespace=openshift-ingress-operator ingresscontroller/default
2.3. View Ingress Operator status
You can view and inspect the status of your Ingress Operator.
Procedure
View your Ingress Operator status:
$ oc describe clusteroperators/ingress
2.4. View Ingress Controller logs
You can view your Ingress Controller logs.
Procedure
View your Ingress Controller logs:
$ oc logs --namespace=openshift-ingress-operator deployments/ingress-operator -c <container_name>
2.5. View Ingress Controller status
You can view the status of a particular Ingress Controller.
Procedure
View the status of an Ingress Controller:
$ oc describe --namespace=openshift-ingress-operator ingresscontroller/<name>
2.6. Management of default Ingress Controller functions
The following table details the components of the default Ingress Controller managed by the Ingress Operator and whether Red Hat Site Reliability Engineering (SRE) maintains this component on OpenShift Dedicated clusters.
| Ingress component | Managed by | Default configuration? |
|---|---|---|
| Scaling Ingress Controller | SRE | Yes |
| Ingress Operator thread count | SRE | Yes |
| Ingress Controller access logging | SRE | Yes |
| Ingress Controller sharding | SRE | Yes |
| Ingress Controller route admission policy | SRE | Yes |
| Ingress Controller wildcard routes | SRE | Yes |
| Ingress Controller X-Forwarded headers | SRE | Yes |
| Ingress Controller route compression | SRE | Yes |
2.7. Set namespace exclusions for the default ingress when creating a cluster
When you create an OpenShift Dedicated cluster in noninteractive mode, you can pass a namespace label selector so that namespaces matching those labels are excluded from the default application ingress. This lets you keep workloads in those namespaces, such as namespaces with sensitive data or internal services, from being exposed through the default ingress.
Prerequisites
- You installed the ocm CLI and logged in with credentials that can create clusters in Red Hat OpenShift Cluster Manager.
- You are using the noninteractive mode for ocm create cluster. For interactive mode, use the prompts for ingress settings when they are available for your ocm version.
Do not exclude namespaces that host required platform routes (for example, openshift-console or openshift-authentication). Excluding them can break the web console, downloads, or OAuth flows.
Procedure
- Run ocm create cluster -h and confirm that your ocm version lists the --exclude-namespace-selector flag.
- Build your ocm create cluster command with the required parameters for your cloud provider and subscription model. The following example shows only the ingress-related fragment. Replace the rest of the flags with the values required for your environment.
  $ ocm create cluster <cluster_name> \
      --provider=<aws_or_gcp> \
      <other_required_flags> \
      --default-ingress-excluded-namespace-selectors '<key>=<value>,<key2>=<value2>'
  where:
  <cluster_name> - Specifies the cluster name.
  --provider=<aws_or_gcp> - Specifies the cloud provider.
  <other_required_flags> - Required parameters such as region, version, CCS settings, or billing flags, as described in the cluster creation documentation for your platform.
  --default-ingress-excluded-namespace-selectors - Specifies label selectors; namespaces whose labels match are excluded from the default application ingress, subject to validation by the service. Replace <key>=<value> with your labels. Do not include spaces around the = sign.
Verification
After the cluster reaches the ready state, confirm the ingress settings and inspect the default ingress object for the configured exclusion data:
$ ocm list ingress -c <cluster_name>
2.8. Configure excluded namespaces for the default ingress controller
As a cluster administrator, you can use the OpenShift Cluster Manager CLI (ocm) to set which namespaces are excluded from the default application ingress on an existing cluster. Excluded namespaces do not have routes served by that ingress.
Prerequisites
- You installed the ocm CLI and logged in with credentials that can modify cluster ingress settings in Red Hat OpenShift Cluster Manager.
- You have the cluster name, cluster ID, or external ID of your cluster.
Do not exclude namespaces that host required platform routes (for example, openshift-console or openshift-authentication). Excluding them can break the web console, downloads, or OAuth flows.
Procedure
- Optional: Set your cluster name in a variable:
  $ export CLUSTER_NAME=<cluster_name>
- List ingress endpoints for the cluster and note the id of the default ingress:
  $ ocm list ingress -c ${CLUSTER_NAME}
- Optional: To store the default ingress ID in a variable:
  $ export INGRESS_ID=$(ocm list ingress -c ${CLUSTER_NAME} | jq -r '.[] | select(.default == true) | .id')
- Edit the default ingress and set excluded namespaces as a comma-separated list of namespace names:
  $ ocm edit ingress -c ${CLUSTER_NAME} ${INGRESS_ID} \
      --excluded-namespaces 'namespace-one,namespace-two'
  Substitute namespace-one, namespace-two, and any additional entries with the metadata names of the namespaces to exclude.
Verification
After the command completes, verify that the updated ingress object reflects your excluded namespace settings.
$ ocm list ingress -c <cluster_name>
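The following Python helpers are an added example covering both sections 2.7 and 2.8 and are not part of the Red Hat documentation or the ocm CLI: they validate a '<key>=<value>,...' selector string (no spaces around =), pick the default ingress id from ocm list ingress JSON using the same id and default fields as the jq filter above, and assemble the ocm edit ingress command while refusing the platform namespaces the warning names. PROTECTED_NAMESPACES and SAMPLE_INGRESS_JSON are constructed assumptions; the sample's other fields are placeholders.

```python
import json

# Namespaces that host required platform routes according to the documentation; excluding
# them can break the web console, downloads, or OAuth flows. Extend this set for your cluster.
PROTECTED_NAMESPACES = {"openshift-console", "openshift-authentication"}


def parse_namespace_selectors(raw):
    """Parse '<key>=<value>,<key2>=<value2>' into a dict, rejecting spaces around '='."""
    selectors = {}
    for item in raw.split(","):
        if "=" not in item:
            raise ValueError(f"selector {item!r} is missing '='")
        key, value = item.split("=", 1)
        if not key or key != key.strip() or value != value.strip():
            raise ValueError(f"selector {item!r} must not contain spaces around '='")
        selectors[key] = value
    return selectors


def check_excluded_namespaces(namespaces):
    """Return the sorted subset of 'namespaces' that must not be excluded from the default ingress."""
    return sorted(set(namespaces) & PROTECTED_NAMESPACES)


def default_ingress_id(ocm_list_ingress_json):
    """Select the id of the default ingress from 'ocm list ingress' JSON (same fields as the jq filter)."""
    defaults = [entry["id"] for entry in json.loads(ocm_list_ingress_json) if entry.get("default")]
    if len(defaults) != 1:
        raise ValueError(f"expected exactly one default ingress, found {len(defaults)}")
    return defaults[0]


def build_edit_command(cluster_name, ingress_id, namespaces):
    """Assemble the documented 'ocm edit ingress' command, refusing protected namespaces."""
    blocked = check_excluded_namespaces(namespaces)
    if blocked:
        raise ValueError(f"refusing to exclude platform namespaces: {', '.join(blocked)}")
    return (f"ocm edit ingress -c {cluster_name} {ingress_id} "
            f"--excluded-namespaces '{','.join(namespaces)}'")


# Constructed sample of 'ocm list ingress' output: only 'id' and 'default' come from the
# page's jq filter; the 'listening' values are placeholders.
SAMPLE_INGRESS_JSON = json.dumps([
    {"id": "abcd1", "default": True, "listening": "external"},
    {"id": "efgh2", "default": False, "listening": "internal"},
])
```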
Legal Notice
Copyright © Red Hat
OpenShift documentation is licensed under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0).
Modified versions must remove all Red Hat trademarks.
Portions adapted from https://github.com/kubernetes-incubator/service-catalog/ with modifications by Red Hat.
Red Hat, Red Hat Enterprise Linux, the Red Hat logo, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of the OpenJS Foundation.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation’s permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.