
router in openshift

The router pod in OCP 4.2 is associated with the router service account and uses hostNetwork.

But I did not find any SCC that has the router service account in it.

Then how does it work exactly?

Moderator

Re: router in openshift

If you look at one of your router pods, you can see that it runs under the restricted SCC and the router SA, so it cannot use host network:

$ oc get pod -n openshift-ingress
NAME READY STATUS RESTARTS AGE
router-default-7878485b45-9rkhj 1/1 Running 0 36d
router-default-7878485b45-xj92l 1/1 Running 0 36d

$ oc get pod router-default-7878485b45-9rkhj -n openshift-ingress -o yaml | grep scc
openshift.io/scc: restricted

$ oc get pod router-default-7878485b45-9rkhj -n openshift-ingress -o yaml | grep serviceAccount
serviceAccount: router
serviceAccountName: router

The restricted SCC is the one all pods use by default. It grants no special network privileges:

$ oc get scc restricted -o yaml | grep HostNetwork
allowHostNetwork: false

The magic in my AWS cluster comes from a LoadBalancer service:

$ oc get service -n openshift-ingress
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
router-default LoadBalancer 172.30.xxx.xx ad0504a4fc7ac48878d8cf62f29fxxxx-19749xxxx.sa-east-1.elb.amazonaws.com 80:32581/TCP,443:32109/TCP 36d
router-internal-default ClusterIP 172.30.xx.xx <none> 80/TCP,443/TCP,1936/TCP 36d

That service interacts with a load balancer that is external to the cluster (in my example, an AWS load balancer) and redirects traffic to the standard (ClusterIP) service that connects to the router pods.

OpenShift 4 requires either cloud provider integration or a manually-configured external load balancer that connects to router pods. The manually-configured external load balancer, used for example with Bare Metal UPI installations, requires that router pods use a NodePort service.

There's also a possibility of using host network to connect an external LB with router pods. That would require using an scc other than restricted. I do not have a suitable cluster to show you how it's done but maybe you can find the details here: https://github.com/openshift/cluster-ingress-operator

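To make the SCC reasoning in the reply above concrete, here is an added example (not code from the original thread or from OpenShift itself): a small Python model of how the admission controller picks an SCC for a pod. The SCC definitions, the user/group lists and the restrictiveness ordering are constructed approximations and are labelled as such in the code; real clusters can also grant an SCC through RBAC "use" permissions, which this model does not cover. It shows why a pod running as the `router` service account lands on `restricted` even though no SCC lists that SA, why the same pod would be rejected if it asked for `hostNetwork: true`, and what changes once the SA is added to an SCC that allows host networking.

```python
# Added example (not from the original post): a toy model of how OpenShift
# picks a SecurityContextConstraint (SCC) for a pod, used to show why the
# router pod lands on "restricted" and what would happen if it asked for
# hostNetwork. The SCC definitions below are constructed for the example and
# only approximate the real cluster defaults.
from dataclasses import dataclass, field


@dataclass
class SCC:
    name: str
    allow_host_network: bool
    priority: int = 0
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)


def subject_identities(namespace: str, sa: str):
    """User name and group names a pod running as a service account carries."""
    user = f"system:serviceaccount:{namespace}:{sa}"
    groups = {
        "system:authenticated",
        "system:serviceaccounts",
        f"system:serviceaccounts:{namespace}",
    }
    return user, groups


def candidate_sccs(sccs, namespace, sa):
    """SCCs whose users/groups lists match the pod's service account.

    Assumption: only the users/groups fields are consulted. Real clusters can
    also grant an SCC via RBAC 'use' permission, which is not modelled here.
    """
    user, groups = subject_identities(namespace, sa)
    return [s for s in sccs if user in s.users or (s.groups & groups)]


def admit(sccs, namespace, sa, host_network=False):
    """Return the name of the SCC that admits the pod, or None if it is denied.

    Candidates are tried by descending priority, then most restrictive first
    (simplified here to: SCCs that deny hostNetwork before those that allow
    it), then by name.
    """
    cands = candidate_sccs(sccs, namespace, sa)
    cands.sort(key=lambda s: (-s.priority, s.allow_host_network, s.name))
    for scc in cands:
        if host_network and not scc.allow_host_network:
            continue  # pod asks for hostNetwork, this SCC forbids it
        return scc.name
    return None


# Constructed approximation of the default SCCs (assumption: real user/group
# lists differ per cluster). "restricted" is granted to every authenticated
# subject, which is why every pod gets it without being listed anywhere.
DEFAULT_SCCS = [
    SCC("restricted", allow_host_network=False, groups={"system:authenticated"}),
    SCC("hostnetwork", allow_host_network=True),  # no users/groups: nobody gets it by default
    SCC("privileged", allow_host_network=True,
        users={"system:admin"}, groups={"system:cluster-admins"}),
]


def grant_scc(sccs, scc_name, namespace, sa):
    """Return a copy of sccs with the SA added to scc_name's users list,
    modelling `oc adm policy add-scc-to-user <scc> -z <sa> -n <namespace>`."""
    user, _ = subject_identities(namespace, sa)
    out = []
    for s in sccs:
        users = set(s.users) | ({user} if s.name == scc_name else set())
        out.append(SCC(s.name, s.allow_host_network, s.priority, users, set(s.groups)))
    return out


if __name__ == "__main__":
    ns, sa = "openshift-ingress", "router"
    print(admit(DEFAULT_SCCS, ns, sa))                     # restricted
    print(admit(DEFAULT_SCCS, ns, sa, host_network=True))  # None: no matching SCC allows it
    granted = grant_scc(DEFAULT_SCCS, "hostnetwork", ns, sa)
    print(admit(granted, ns, sa, host_network=True))       # hostnetwork
```

The third call is the situation the reply hints at for a host-network ingress: once the `router` SA is listed in an SCC with `allowHostNetwork: true`, a pod requesting host networking is admitted under that SCC while a pod that does not request it still lands on `restricted`, because the more restrictive candidate is tried first.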