
in, run the following commands to clean up any OpenShift Container Platform SDN-specific artifacts, which include networks, subnets, and network namespaces:

# oc delete clusternetwork --all
# oc delete hostsubnets --all
# oc delete netnamespaces --all

Controlling Egress Traffic

To control egress traffic, you can allocate a number of static IP addresses to a specific node at the host level. If developers need a dedicated IP address for an application service, they can request one during the process used to ask for firewall access. They can then deploy an egress router from a project, using a node selector in the deployment configuration to ensure that the pod lands on the host with the set of preallocated static IP addresses. The egress pod's deployment declares one of the source IP addresses, the destination IP address of the protected service, and a gateway IP address to reach the destination. After the pod is deployed, you can create a service to access the egress router pod, and then add that source IP address to the external firewall. The developer then has access to the egress router service that was created in their project, for example, service.project.cluster.lab.example.com.

You can control egress traffic in two ways:

Firewall
You can use an egress firewall to enforce the acceptable outbound traffic policies, so that specific endpoints, IP ranges, or subnets are the only destinations that the dynamic endpoints (that is, pods within OpenShift Container Platform) are allowed to talk to.

Router
You can use an egress router to create identifiable services to send traffic to specific destinations, ensuring external destinations manage traffic as though it were coming from a known source.
This is recommended to increase security, because it protects an external service, such as a database, so that only specific pods in a namespace can talk to a service, such as an egress router, which proxies the traffic to an application service, for example, a database.

Installing Flannel

Flannel is a virtual networking layer designed specifically for containers. OpenShift Container Platform can use flannel to network containers instead of using the default SDN components. This is useful if OpenShift Container Platform is deployed within a cloud provider platform that also relies on SDN, such as Red Hat OpenStack Platform, and you want to avoid encapsulating packets twice through both platforms. OpenShift Container Platform provides Ansible Playbooks for installing flannel-based networking.

OpenShift Container Platform runs flannel in host-gw mode, which maps routes from container to container. Each host within the network runs an agent called flanneld, which is responsible for:

DO380-OCP-3.6-en-2-20180925 369

CHAPTER 10 | Configuring Networking Options

Managing a unique subnet on each host.
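The egress workflow described under Controlling Egress Traffic above, written out as an added example that is not part of the course material: an egress router pod pinned by node selector to the host holding the preallocated addresses, the service that developers reach it through, and an egress firewall that leaves the protected database as the project's only permitted external destination. The node label, object names, port and all IP addresses are constructed placeholders; the image name, annotation and environment variables follow the OpenShift 3.x egress router documentation, and the pod layout differs between 3.x releases.

```yaml
# Added illustration (not DO380 course material); names and addresses are constructed placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: egress-db
  labels:
    name: egress-db
  annotations:
    pod.network.openshift.io/assign-macvlan: "true"  # SDN attaches a macvlan interface to the pod
spec:
  nodeSelector:
    egress-node: "true"      # assumed label on the node that owns the static source IPs
  containers:
  - name: egress-router
    image: openshift3/ose-egress-router
    securityContext:
      privileged: true       # required to configure the interface and NAT rules
    env:
    - name: EGRESS_SOURCE    # one of the addresses preallocated to the node
      value: 192.0.2.50
    - name: EGRESS_GATEWAY   # gateway used to reach the destination
      value: 192.0.2.1
    - name: EGRESS_DESTINATION  # the protected service, here a database
      value: 203.0.113.25
---
apiVersion: v1
kind: Service
metadata:
  name: egress-db            # developers connect to egress-db.<project>.svc instead of the database
spec:
  ports:
  - name: db
    port: 5432
  selector:
    name: egress-db
---
# Egress firewall for the project: the database host is the only allowed external destination.
kind: EgressNetworkPolicy
apiVersion: v1
metadata:
  name: default
spec:
  egress:
  - type: Allow
    to:
      cidrSelector: 203.0.113.25/32
  - type: Deny
    to:
      cidrSelector: 0.0.0.0/0
```

Create the objects with oc create -f in the developer's project as a cluster administrator (the EgressNetworkPolicy requires that role), and add 192.0.2.50 rather than the node's primary address to the external firewall, since that is the source the database will see.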
