Questo contenuto non è disponibile nella lingua selezionata.
Chapter 3. Understanding and configuring the router
Learn about default and custom settings for configuring the router and route admission policy with MicroShift.
3.1. About configuring the router
To make ingress optional, you can configure MicroShift ingress router settings to manage which ports, if any, are exposed to network traffic. Specified routing is an example of ingress load balancing.
-
The default ingress router is always on, running on all IP addresses on the
http: 80
andhttps: 443
ports. - Default router settings allow access to any namespace.
Some applications running on top of MicroShift might not require the default router and instead create their own. You can configure the router to control both ingress and namespace access.
You can check for the presence of the default router in your MicroShift installation before you begin configurations by using the oc get deployment -n openshift-ingress
command, which returns the following output:
NAME READY UP-TO-DATE AVAILABLE AGE router-default 1/1 1 1 2d23h
3.1.1. Router settings and valid values
The ingress router settings consist of the following parameters and valid values:
Example config.yaml
router settings
# ... ingress: listenAddress: - "" 1 ports: 2 http: 80 https: 443 routeAdmissionPolicy: namespaceOwnership: InterNamespaceAllowed 3 status: Managed 4 # ...
- 1
- The
ingress.listenAddress
value defaults to the entire network of the host. Valid customizable values can be a single IP address or host name or a list of IP addresses or host names. - 2
- Valid values for both port entries are a single, unique port in the 1-65535 range. The values of the
ports.http
andports.https
fields cannot be the same. - 3
- Default value. Allows routes to claim different paths of the same host name across namespaces.
- 4
- Default value.
Managed
is required for the ingress ports to remain open.
The firewalld service is bypassed by the default MicroShift router and by configurations that enable the router. Ingress and egress must be controlled by setting network policies when the router is active.
3.2. Disabling the router
In use cases such as industrial IoT spaces where MicroShift pods only need to connect to southbound operational systems and northbound cloud-data systems, inbound services are not needed. Use this procedure to disable the router in such egress-only use cases.
Prerequisites
- You installed MicroShift.
-
You created a MicroShift
config.yaml
file. -
The OpenShift CLI (
oc
) is installed.
If you complete all the configurations that you need to make in the MicroShift config.yaml
file at the same time, you can minimize system restarts.
Procedure
Update the value of
ingress.status
field toRemoved
in the MicroShiftconfig.yaml
file as shown in the following example:Example
config.yaml
ingress stanza# ... ingress: ports: http: 80 https: 443 routeAdmissionPolicy: namespaceOwnership: InterNamespaceAllowed status: Removed 1 # ...
- 1
- When the value is set to
Removed
, the ports listed iningress.ports
are automatically closed. Any other settings in theingress
stanza are ignored, for example, any values in therouteAdmissionPolicy.namespaceOwnership
field.
Restart the MicroShift service by running the following command:
$ sudo systemctl restart microshift
NoteThe MicroShift service outputs current configurations during restarts.
Verification
After the system restarts, verify that the router has been removed and that ingress is stopped by running the following command:
$ oc -n openshift-ingress get svc
Expected output
No resources found in openshift-ingress namespace.
3.3. Configuring router ingress
If your MicroShift applications need to listen only for data traffic, you can configure the listenAddress
setting to isolate your devices. You can also configure specific ports and IP addresses for network connections. Use the combination required to customize the endpoint configuration for your use case.
3.3.1. Configuring router ports
You can control which ports your devices use by configuring the router ingress fields.
Prerequisites
- You installed MicroShift.
-
You created a MicroShift
config.yaml
file. -
The OpenShift CLI (
oc
) is installed.
If you complete all the configurations that you need to make in the MicroShift config.yaml
file at the same time, you can minimize system restarts.
Procedure
Update the MicroShift
config.yaml
port values in theingress.ports.http
andingress.ports.https
fields to the ports you want to use:Example
config.yaml
router settings# ... ingress: ports: 1 http: 80 https: 443 routeAdmissionPolicy: namespaceOwnership: InterNamespaceAllowed status: Managed 2 # ...
Restart the MicroShift service by running the following command:
$ sudo systemctl restart microshift
3.3.2. Configuring router IP addresses
You can restrict the network traffic to the router by configuring specific IP addresses. For example:
- Use cases where the router is reachable only on internal networks, but not on northbound public networks
- Use cases where the router is reachable only by northbound public networks, but not on internal networks
- Use cases where the router is reachable by both internal networks and northbound public networks, but on separate IP addresses
Prerequisites
- You installed MicroShift.
-
You created a MicroShift
config.yaml
file. -
The OpenShift CLI (
oc
) is installed.
If you complete all the configurations that you need to make in the MicroShift config.yaml
file at the same time, you can minimize system restarts.
Procedure
Update the list in the
ingress.listenAddress
field in the MicroShiftconfig.yaml
according to your requirements and as shown in the following examples:Default router IP address list
# ... ingress: listenAddress: - "<host_network>" 1 # ...
- 1
- The
ingress.listenAddress
value defaults to the entire network of the host. To continue to use the default list, remove thelisten.Address
field from the MicroShiftconfig.yaml
file. To customize this parameter, use a list. The list can contain either a single IP address or NIC name or multiple IP addresses and NIC names.
ImportantYou must either remove the
listenAddress
parameter or add values to it in the form of a list when using theconfig.yaml
file. Do not leave the field empty or MicroShift crashes on restart.Example router setting with a single host IP address
# ... ingress: listenAddress: - 10.2.1.100 # ...
Example router setting with a combination of IP addresses and NIC names
# ... ingress: listenAddress: - 10.2.1.100 - 10.2.2.10 - ens3 # ...
Restart the MicroShift service by running the following command:
$ sudo systemctl restart microshift
Verification
-
To verify that your settings are applied, make sure that the
ingress.listenAddress
IP addresses are reachable, then you cancurl
the route with the destination to one of these load balancer IP address.
3.4. Additional resources
- Default settings (MicroShift)
- About network policies
3.5. Configuring the route admission policy
By default, MicroShift allows routes in multiple namespaces to use the same hostname. You can prevent routes from claiming the same hostname in different namespaces by configuring the route admission policy.
Prerequisites
- You installed MicroShift.
-
You created a MicroShift
config.yaml
file. You installed the OpenShift CLI (
oc
).TipIf you complete all the configurations that you need to make in the MicroShift
config.yaml
file at the same time, you can minimize system restarts.
Procedure
To prevent routes in different namespaces from claiming the same hostname, update the
namespaceOwnership
field value toStrict
in the MicroShiftconfig.yaml
file. See the following example:Example
config.yaml
route admission policy# ... ingress: routeAdmissionPolicy: namespaceOwnership: Strict 1 # ...
- 1
- Prevents routes in different namespaces from claiming the same host. Valid values are
Strict
andInterNamespaceAllowed
. If you delete the value in a customizedconfig.yaml
, theInterNamespaceAllowed
value is set automatically.
To apply the configuration, restart the MicroShift service by running the following command:
$ sudo systemctl restart microshift