Chapter 3. Understanding and configuring the router


To control how external traffic reaches your applications and limit ingress exposure in MicroShift, you can configure router listen addresses, ports, IP bindings, and route admission policy.

3.1. About configuring the router

To make ingress optional, you can configure MicroShift ingress router settings to manage which ports, if any, are exposed to network traffic. Specified routing is an example of ingress load balancing.

  • The default ingress router is always on, running on all IP addresses on the http: 80 and https: 443 ports.
  • Default router settings allow access to any namespace.

Some applications running on top of MicroShift might not require the default router and instead create their own. You can configure the router to control both ingress and namespace access.

Tip

You can check for the presence of the default router in your MicroShift installation before you begin configurations by using the oc get deployment -n openshift-ingress command, which returns the following output:

NAME             READY   UP-TO-DATE   AVAILABLE   AGE
router-default   1/1     1            1           2d23h

3.1.1. Router settings and valid values

Valid values and defaults for ingress router fields in the config.yaml file on MicroShift cover listenAddress, ports, routeAdmissionPolicy, and status.

Example config.yaml router settings

# ...
ingress:
  listenAddress:
    - ""
  ports:
    http: 80
    https: 443
  routeAdmissionPolicy:
    namespaceOwnership: InterNamespaceAllowed
  status: Managed
# ...

where:

ingress.listenAddress
Specifies a single IP address or host name, or a list of IP addresses or host names. The default value is the entire network of the host.
ingress.ports
Specifies a single, unique port in the 1 to 65535 range. The values of the ports.http and ports.https fields cannot be the same.
ingress.routeAdmissionPolicy.namespaceOwnership
Specifies whether routes can claim different paths of the same host name across namespaces. The default value is InterNamespaceAllowed.
ingress.status
Specifies whether the ingress ports remain open. The default value is Managed.

Important

The firewalld service is bypassed by the default MicroShift router and by configurations that enable the router. Ingress and egress must be controlled by setting network policies when the router is active.
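
The field rules above, together with the empty listenAddress rule from section 3.3.2, can be checked before you restart the service. The following Python sketch is an added example, not Red Hat or MicroShift code: lint_ingress and the sample stanzas are hypothetical names and constructed data, and it assumes the ingress stanza has already been parsed into a dict by a YAML loader.

```python
# Added example (not MicroShift code): lint a parsed `ingress` stanza using the rules on this page.
VALID_STATUS = {"Managed", "Removed"}
VALID_OWNERSHIP = {"InterNamespaceAllowed", "Strict"}

def lint_ingress(ingress):
    """Return (errors, warnings) for the `ingress` mapping of config.yaml."""
    errors, warnings = [], []
    status = ingress.get("status") or "Managed"
    if status not in VALID_STATUS:
        errors.append(f"status: {status!r} is not one of {sorted(VALID_STATUS)}")
    if status == "Removed":
        # Router removed: ports are closed and the other ingress settings are ignored.
        return errors, warnings

    ports = ingress.get("ports") or {}
    http, https = ports.get("http", 80), ports.get("https", 443)
    for name, port in (("http", http), ("https", https)):
        if type(port) is not int or not 1 <= port <= 65535:
            errors.append(f"ports.{name}: {port!r} is not a port in the 1-65535 range")
    if http == https:
        errors.append("ports.http and ports.https cannot be the same")

    if "listenAddress" in ingress:
        # Present but empty (None or []) is the case the page says crashes MicroShift on restart.
        addrs = ingress["listenAddress"]
        if not isinstance(addrs, list) or not addrs:
            errors.append("listenAddress: use a non-empty list or remove the field")
    else:
        warnings.append("listenAddress not set: ingress is open on the entire host network")

    policy = ingress.get("routeAdmissionPolicy") or {}
    ownership = policy.get("namespaceOwnership") or "InterNamespaceAllowed"
    if ownership not in VALID_OWNERSHIP:
        errors.append(f"namespaceOwnership: {ownership!r} is not a valid value")
    elif ownership == "InterNamespaceAllowed":
        warnings.append("namespaceOwnership: routes in other namespaces can claim paths of the same host name")

    warnings.append("router active: firewalld is bypassed, so use network policies")
    return errors, warnings

# Constructed sample stanzas, as a YAML loader would return them.
SAMPLES = {
    "page default": {"listenAddress": [""], "ports": {"http": 80, "https": 443},
                     "routeAdmissionPolicy": {"namespaceOwnership": "InterNamespaceAllowed"}, "status": "Managed"},
    "broken": {"listenAddress": None, "ports": {"http": 8080, "https": 8080}},
    "restricted": {"listenAddress": ["10.2.1.100"], "routeAdmissionPolicy": {"namespaceOwnership": "Strict"}},
}

if __name__ == "__main__":
    for name, stanza in SAMPLES.items():
        print(name, lint_ingress(stanza))
```

Errors are settings that the page describes as invalid; warnings mark defaults that widen ingress exposure and are worth a deliberate decision.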

3.2. Disabling the router

To disable the router in MicroShift when inbound services are not required, including in industrial IoT environments where pods connect only to southbound operational systems and northbound cloud-data systems, set ingress.status to Removed in the config.yaml file and restart the service.

Prerequisites

  • You installed MicroShift.
  • You created a MicroShift config.yaml file.
  • The OpenShift CLI (oc) is installed.

Tip

If you complete all the configurations that you need to make in the MicroShift config.yaml file at the same time, you can minimize system restarts.

Procedure

  1. Update the value of the ingress.status field to Removed in the MicroShift config.yaml file as shown in the following example:

    Example config.yaml ingress stanza

    # ...
    ingress:
      ports:
        http: 80
        https: 443
      routeAdmissionPolicy:
        namespaceOwnership: InterNamespaceAllowed
      status: Removed
    # ...

    where:

    ingress.status
    Specifies whether the ingress ports remain open. When the value is set to Removed, the ports listed in ingress.ports are automatically closed. Any other settings in the ingress stanza are ignored, for example, any values in the routeAdmissionPolicy.namespaceOwnership field.
  2. Restart the MicroShift service by running the following command:

    $ sudo systemctl restart microshift
    Note

    The MicroShift service outputs current configurations during restarts.

Verification

  • After the system restarts, verify that the router has been removed and that ingress is stopped by running the following command:

    $ oc -n openshift-ingress get svc

    Expected output

    No resources found in openshift-ingress namespace.

3.3. Configuring router ingress

Configure the listenAddress setting if your MicroShift applications need to listen only for data traffic. You can also configure specific ports and IP addresses for network connections. Use the combination required to customize the endpoint configuration for your use case.

3.3.1. Configuring router ports

To bind the ingress router to specific HTTP and HTTPS port numbers in MicroShift, you can edit the ingress.ports.http and ingress.ports.https settings in the config.yaml file.

Prerequisites

  • You installed MicroShift.
  • You created a MicroShift config.yaml file.
  • The OpenShift CLI (oc) is installed.

Tip

If you complete all the configurations that you need to make in the MicroShift config.yaml file at the same time, you can minimize system restarts.

Procedure

  1. Update the MicroShift config.yaml port values in the ingress.ports.http and ingress.ports.https fields to the ports you want to use:

    Example config.yaml router settings

    # ...
    ingress:
      ports:
        http: 80
        https: 443
      routeAdmissionPolicy:
        namespaceOwnership: InterNamespaceAllowed
      status: Managed
    # ...

    where:

    ingress.ports
    Specifies the HTTP and HTTPS port numbers to bind the ingress router to. This field is customizable. Valid values for both port entries are a single, unique port in the 1-65535 range. The values of the ports.http and ports.https fields cannot be the same.
    status
    Specifies the status of the ingress ports. The default value is Managed. Managed is required for the ingress ports to remain open.
  2. Restart the MicroShift service by running the following command:

    $ sudo systemctl restart microshift

3.3.2. Configuring router IP addresses

To limit ingress to selected host IP addresses or network interfaces in MicroShift, you can set the ingress.listenAddress list in your config.yaml file.

You can restrict the network traffic to the router by configuring specific IP addresses. For example:

  • Use cases where the router is reachable only on internal networks, but not on northbound public networks
  • Use cases where the router is reachable only by northbound public networks, but not on internal networks
  • Use cases where the router is reachable by both internal networks and northbound public networks, but on separate IP addresses

Prerequisites

  • You installed MicroShift.
  • You created a MicroShift config.yaml file.
  • The OpenShift CLI (oc) is installed.

Tip

If you complete all the configurations that you need to make in the MicroShift config.yaml file at the same time, you can minimize system restarts.

Procedure

  1. Update the list in the ingress.listenAddress field in the MicroShift config.yaml according to your requirements and as shown in the following examples:

    Default router IP address list

    # ...
    ingress:
      listenAddress:
        - "<host_network>"
    # ...

    where:

    ingress.listenAddress
    Specifies the IP addresses or network interfaces to limit ingress to. The default value is the entire network of the host. To continue to use the default list, remove the listenAddress field from the MicroShift config.yaml file. To customize this parameter, use a list. The list can contain either a single IP address or NIC name, or multiple IP addresses and NIC names.
    Important

    You must either remove the listenAddress parameter or add values to it in the form of a list when using the config.yaml file. Do not leave the field empty or MicroShift crashes on restart.

    Example router setting with a single host IP address

    # ...
    ingress:
      listenAddress:
        - 10.2.1.100
    # ...

    Example router setting with a combination of IP addresses and NIC names

    # ...
    ingress:
      listenAddress:
        - 10.2.1.100
        - 10.2.2.10
        - ens3
    # ...

  2. Restart the MicroShift service by running the following command:

    $ sudo systemctl restart microshift

Verification

  • To verify that your settings are applied, make sure that the ingress.listenAddress IP addresses are reachable, and then use curl to request the route at one of these load balancer IP addresses.

3.5. Configuring the route admission policy

By default, MicroShift allows routes in multiple namespaces to use the same hostname. To prevent routes from claiming the same hostname in different namespaces, you can configure the route admission policy.

Prerequisites

  • You installed MicroShift.
  • You created a MicroShift config.yaml file.
  • You installed the OpenShift CLI (oc).

    Tip

    If you complete all the configurations that you need to make in the MicroShift config.yaml file at the same time, you can minimize system restarts.

Procedure

  1. To prevent routes in different namespaces from claiming the same hostname, update the namespaceOwnership field value to Strict in the MicroShift config.yaml file. See the following example:

    Example config.yaml route admission policy

    # ...
    ingress:
      routeAdmissionPolicy:
        namespaceOwnership: Strict
    # ...

    where:

    ingress.routeAdmissionPolicy.namespaceOwnership
    Specifies the route admission policy. Prevents routes in different namespaces from claiming the same host. Valid values are Strict and InterNamespaceAllowed. If you delete the value in a customized config.yaml, the InterNamespaceAllowed value is set automatically.
  2. To apply the configuration, restart the MicroShift service by running the following command:

    $ sudo systemctl restart microshift