
router in openshift

The router pod in OCP 4.2 is associated with the router service account and uses host network.

But I did not find any scc that has the router service account in it.

Then how does it work exactly?

flozano
Moderator

If you look at one of your router pods, you can see that it runs under the restricted scc and the router sa, so it cannot use host network:

$ oc get pod -n openshift-ingress
NAME                              READY   STATUS    RESTARTS   AGE
router-default-7878485b45-9rkhj   1/1     Running   0          36d
router-default-7878485b45-xj92l   1/1     Running   0          36d

$ oc get pod router-default-7878485b45-9rkhj -n openshift-ingress -o yaml | grep scc
openshift.io/scc: restricted

$ oc get pod router-default-7878485b45-9rkhj -n openshift-ingress -o yaml | grep serviceAccount
serviceAccount: router
serviceAccountName: router

The restricted scc is the one that all pods use by default. It grants no special network privileges:

$ oc get scc restricted -o yaml | grep HostNetwork
allowHostNetwork: false

The magic in my AWS cluster comes from a LoadBalancer service:

$ oc get service -n openshift-ingress
NAME                      TYPE           CLUSTER-IP      EXTERNAL-IP                                                                PORT(S)                      AGE
router-default            LoadBalancer   172.30.xxx.xx   ad0504a4fc7ac48878d8cf62f29fxxxx-19749xxxx.sa-east-1.elb.amazonaws.com   80:32581/TCP,443:32109/TCP   36d
router-internal-default   ClusterIP      172.30.xx.xx    <none>                                                                     80/TCP,443/TCP,1936/TCP      36d

That service interacts with a load balancer that is external to the cluster (in my example, an AWS load balancer) and redirects traffic to the standard (ClusterIP) service that connects to the router pods.

OpenShift 4 requires either cloud provider integration or a manually-configured external load balancer that connects to router pods. The manually-configured external load balancer, used for example with Bare Metal UPI installations, requires that router pods use a NodePort service.

There's also a possibility of using host network to connect an external LB with router pods. That would require using an scc other than restricted. I do not have a suitable cluster to show you how it's done but maybe you can find the details here: https://github.com/openshift/cluster-ingress-operator

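The reply above answers the "which scc has the router sa in it" part only implicitly: the restricted scc is bound through the group system:authenticated, not through a per-SA users entry, so every service account can use it without appearing in it. The Python below is an added example, not OpenShift's own admission code, that models a simplified version of SCC selection with constructed SCC definitions (field names follow the SCC API; the ordering by priority, then restrictiveness, then name follows the documented behaviour; the `grant_scc` helper is a hypothetical stand-in for `oc adm policy add-scc-to-user`, and RBAC-based `use` grants are not modelled). It shows why the router pod lands on restricted, why the same pod with hostNetwork would be rejected, and what changes once the SA is granted the hostnetwork scc.

```python
# Added example: a simplified model of how OpenShift's SCC admission picks an
# SCC for a pod. Not OpenShift's own code; SCC field names follow the real API,
# the selection logic is reduced to the parts relevant to the router question.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SCC:
    name: str
    priority: int
    allow_host_network: bool
    allow_host_ports: bool
    users: List[str] = field(default_factory=list)
    groups: List[str] = field(default_factory=list)

    def restrictiveness(self) -> int:
        # Lower is more restrictive; only the two host-network fields are
        # modelled here (the real comparison looks at every SCC field).
        return int(self.allow_host_network) + int(self.allow_host_ports)


@dataclass
class PodSpec:
    namespace: str
    service_account: str
    host_network: bool = False
    host_ports: bool = False


# Constructed SCC definitions modelled on OpenShift 4 defaults: `restricted`
# is bound to the group system:authenticated, so it applies to every SA
# without listing any of them; `hostnetwork` lists nobody until an admin
# grants it.
DEFAULT_SCCS = [
    SCC("restricted", 0, False, False, groups=["system:authenticated"]),
    SCC("hostnetwork", 0, True, True),
    SCC("privileged", 0, True, True, users=["system:admin"],
        groups=["system:cluster-admins"]),
]


def sa_identity(pod: PodSpec):
    """Username and implicit groups of the pod's service account."""
    user = f"system:serviceaccount:{pod.namespace}:{pod.service_account}"
    groups = {"system:authenticated", "system:serviceaccounts",
              f"system:serviceaccounts:{pod.namespace}"}
    return user, groups


def usable_sccs(pod: PodSpec, sccs: List[SCC]) -> List[SCC]:
    """SCCs the pod's SA may use via the users/groups fields (RBAC `use` not modelled)."""
    user, groups = sa_identity(pod)
    return [s for s in sccs if user in s.users or groups.intersection(s.groups)]


def validates(scc: SCC, pod: PodSpec) -> bool:
    """Does the pod spec satisfy the SCC's host-network restrictions?"""
    if pod.host_network and not scc.allow_host_network:
        return False
    if pod.host_ports and not scc.allow_host_ports:
        return False
    return True


def admit(pod: PodSpec, sccs: List[SCC] = DEFAULT_SCCS) -> Optional[str]:
    """Return the name of the SCC that admits the pod (what ends up in the
    openshift.io/scc annotation), or None if admission would reject it.
    Candidates are tried by priority (highest first), then most restrictive
    first, then name."""
    ordered = sorted(usable_sccs(pod, sccs),
                     key=lambda s: (-s.priority, s.restrictiveness(), s.name))
    for scc in ordered:
        if validates(scc, pod):
            return scc.name
    return None


def grant_scc(sccs: List[SCC], scc_name: str, namespace: str, sa: str) -> List[SCC]:
    """Hypothetical stand-in for `oc adm policy add-scc-to-user <scc> -z <sa> -n <ns>`:
    returns a copy of the SCC list with the SA added to that SCC's users."""
    out = []
    for s in sccs:
        if s.name == scc_name:
            s = SCC(s.name, s.priority, s.allow_host_network, s.allow_host_ports,
                    users=s.users + [f"system:serviceaccount:{namespace}:{sa}"],
                    groups=list(s.groups))
        out.append(s)
    return out


if __name__ == "__main__":
    router = PodSpec("openshift-ingress", "router")
    print(admit(router))                                   # restricted
    host_router = PodSpec("openshift-ingress", "router", host_network=True)
    print(admit(host_router))                              # None: rejected
    granted = grant_scc(DEFAULT_SCCS, "hostnetwork", "openshift-ingress", "router")
    print(admit(host_router, granted))                     # hostnetwork
```

On a real cluster the equivalent check is `oc get scc restricted -o yaml` and reading its `groups:` list, which contains system:authenticated; that group binding, not a users entry, is why the router SA shows up in no scc yet the pod carries the `openshift.io/scc: restricted` annotation. The second case in the block is the one the reply describes for bare-metal style setups: a router pod that sets hostNetwork is only admitted once its SA can use an scc with `allowHostNetwork: true`.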