Questo contenuto non è disponibile nella lingua selezionata.

Chapter 3. Understanding and configuring the router


Learn about default and custom settings for configuring the router and route admission policy with MicroShift.

3.1. About configuring the router

To make ingress optional, you can configure MicroShift ingress router settings to manage which ports, if any, are exposed to network traffic. Specified routing is an example of ingress load balancing.

  • The default ingress router is always on, running on all IP addresses on the http: 80 and https: 443 ports.
  • Default router settings allow access to any namespace.

Some applications running on top of MicroShift might not require the default router and instead create their own. You can configure the router to control both ingress and namespace access.

Tip

You can check for the presence of the default router in your MicroShift installation before you begin configurations by using the oc get deployment -n openshift-ingress command, which returns the following output:

NAME             READY   UP-TO-DATE   AVAILABLE   AGE
router-default   1/1     1            1           2d23h

3.1.1. Router settings and valid values

The ingress router settings consist of the following parameters and valid values:

Example config.yaml router settings

# ...
ingress:
  listenAddress:
    - ""  1
  ports: 2
    http: 80
    https: 443
  routeAdmissionPolicy:
    namespaceOwnership: InterNamespaceAllowed 3
  status: Managed 4
# ...

1
The ingress.listenAddress value defaults to the entire network of the host. Valid customizable values can be a single IP address or host name or a list of IP addresses or host names.
2
Valid values for both port entries are a single, unique port in the 1-65535 range. The values of the ports.http and ports.https fields cannot be the same.
3
Default value. Allows routes to claim different paths of the same host name across namespaces.
4
Default value. Managed is required for the ingress ports to remain open.
Important

The firewalld service is bypassed by the default MicroShift router and by configurations that enable the router. Ingress and egress must be controlled by setting network policies when the router is active.

3.2. Disabling the router

In use cases such as industrial IoT spaces where MicroShift pods only need to connect to southbound operational systems and northbound cloud-data systems, inbound services are not needed. Use this procedure to disable the router in such egress-only use cases.

Prerequisites

  • You installed MicroShift.
  • You created a MicroShift config.yaml file.
  • The OpenShift CLI (oc) is installed.
Tip

If you complete all the configurations that you need to make in the MicroShift config.yaml file at the same time, you can minimize system restarts.

Procedure

  1. Update the value of ingress.status field to Removed in the MicroShift config.yaml file as shown in the following example:

    Example config.yaml ingress stanza

    # ...
    ingress:
      ports:
        http: 80
        https: 443
      routeAdmissionPolicy:
        namespaceOwnership: InterNamespaceAllowed
      status: Removed 1
    # ...

    1
    When the value is set to Removed, the ports listed in ingress.ports are automatically closed. Any other settings in the ingress stanza are ignored, for example, any values in the routeAdmissionPolicy.namespaceOwnership field.
  2. Restart the MicroShift service by running the following command:

    $ sudo systemctl restart microshift
    Note

    The MicroShift service outputs current configurations during restarts.

Verification

  • After the system restarts, verify that the router has been removed and that ingress is stopped by running the following command:

    $ oc -n openshift-ingress get svc

    Expected output

    No resources found in openshift-ingress namespace.

3.3. Configuring router ingress

If your MicroShift applications need to listen only for data traffic, you can configure the listenAddress setting to isolate your devices. You can also configure specific ports and IP addresses for network connections. Use the combination required to customize the endpoint configuration for your use case.

3.3.1. Configuring router ports

You can control which ports your devices use by configuring the router ingress fields.

Prerequisites

  • You installed MicroShift.
  • You created a MicroShift config.yaml file.
  • The OpenShift CLI (oc) is installed.
Tip

If you complete all the configurations that you need to make in the MicroShift config.yaml file at the same time, you can minimize system restarts.

Procedure

  1. Update the MicroShift config.yaml port values in the ingress.ports.http and ingress.ports.https fields to the ports you want to use:

    Example config.yaml router settings

    # ...
    ingress:
      ports: 1
        http: 80
        https: 443
      routeAdmissionPolicy:
        namespaceOwnership: InterNamespaceAllowed
      status: Managed 2
    # ...

    1
    Default ports shown. Customizable. Valid values for both port entries are a single, unique port in the 1-65535 range. The values of the ports.http and ports.https fields cannot be the same.
    2
    The default value. Managed is required for the ingress ports to remain open.
  2. Restart the MicroShift service by running the following command:

    $ sudo systemctl restart microshift

3.3.2. Configuring router IP addresses

You can restrict the network traffic to the router by configuring specific IP addresses. For example:

  • Use cases where the router is reachable only on internal networks, but not on northbound public networks
  • Use cases where the router is reachable only by northbound public networks, but not on internal networks
  • Use cases where the router is reachable by both internal networks and northbound public networks, but on separate IP addresses

Prerequisites

  • You installed MicroShift.
  • You created a MicroShift config.yaml file.
  • The OpenShift CLI (oc) is installed.
Tip

If you complete all the configurations that you need to make in the MicroShift config.yaml file at the same time, you can minimize system restarts.

Procedure

  1. Update the list in the ingress.listenAddress field in the MicroShift config.yaml according to your requirements and as shown in the following examples:

    Default router IP address list

    # ...
    ingress:
      listenAddress:
        - "<host_network>" 1
    # ...

    1
    The ingress.listenAddress value defaults to the entire network of the host. To continue to use the default list, remove the listen.Address field from the MicroShift config.yaml file. To customize this parameter, use a list. The list can contain either a single IP address or NIC name or multiple IP addresses and NIC names.
    Important

    You must either remove the listenAddress parameter or add values to it in the form of a list when using the config.yaml file. Do not leave the field empty or MicroShift crashes on restart.

    Example router setting with a single host IP address

    # ...
    ingress:
      listenAddress:
        - 10.2.1.100
    # ...

    Example router setting with a combination of IP addresses and NIC names

    # ...
    ingress:
      listenAddress:
        - 10.2.1.100
        - 10.2.2.10
        - ens3
    # ...

  2. Restart the MicroShift service by running the following command:

    $ sudo systemctl restart microshift

Verification

  • To verify that your settings are applied, make sure that the ingress.listenAddress IP addresses are reachable, then you can curl the route with the destination to one of these load balancer IP address.

3.4. Additional resources

3.5. Configuring the route admission policy

By default, MicroShift allows routes in multiple namespaces to use the same hostname. You can prevent routes from claiming the same hostname in different namespaces by configuring the route admission policy.

Prerequisites

  • You installed MicroShift.
  • You created a MicroShift config.yaml file.
  • You installed the OpenShift CLI (oc).

    Tip

    If you complete all the configurations that you need to make in the MicroShift config.yaml file at the same time, you can minimize system restarts.

Procedure

  1. To prevent routes in different namespaces from claiming the same hostname, update the namespaceOwnership field value to Strict in the MicroShift config.yaml file. See the following example:

    Example config.yaml route admission policy

    # ...
    ingress:
      routeAdmissionPolicy:
        namespaceOwnership: Strict 1
    # ...

    1
    Prevents routes in different namespaces from claiming the same host. Valid values are Strict and InterNamespaceAllowed. If you delete the value in a customized config.yaml, the InterNamespaceAllowed value is set automatically.
  2. To apply the configuration, restart the MicroShift service by running the following command:

    $ sudo systemctl restart microshift
Red Hat logoGithubRedditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita ilBlog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

© 2024 Red Hat, Inc.