in, run the following commands to clean up any OpenShift Container Platform SDN-specific artifacts, including networks, subnets, and network namespaces:

    # oc delete clusternetwork --all
    # oc delete hostsubnets --all
    # oc delete netnamespaces --all

Controlling Egress Traffic

To control egress traffic, you can allocate a number of static IP addresses to a specific node at the host level. If developers need a dedicated IP address for an application service, they can request one during the process used to ask for firewall access. They can then deploy an egress router from a project, using a node selector in the deployment configuration to ensure that the pod lands on the host with the set of preallocated static IP addresses.

The egress pod's deployment declares one of the source IP addresses, the destination IP address of the protected service, and a gateway IP address to reach the destination. After the pod is deployed, you can create a service to access the egress router pod, and then add that source IP address to the external firewall. The developer then has access to the egress router service that was created in their project, for example, service.project.cluster.lab.example.com.

You can control egress traffic in two ways:

Firewall
You can use an egress firewall to enforce acceptable outbound traffic policies, so that specific endpoints, IP ranges, or subnets are the only acceptable targets for the dynamic endpoints (that is, pods within OpenShift Container Platform) to talk to.

Router
You can use an egress router to create identifiable services that send traffic to specific destinations, ensuring that external destinations manage the traffic as though it were coming from a known source.
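The egress router setup described above, as an added example that is not part of the course material: an egress router pod pinned to the host that holds the static IP, the service that application pods use to reach it, and an egress firewall (EgressNetworkPolicy) that limits the project's other pods to that one destination. The resource format follows the OpenShift Container Platform 3.6 egress router documentation; the IP addresses, object names, and the egress-host node label are constructed values.

```yaml
# Egress router pod: scheduled onto the node that owns the preallocated source IP.
apiVersion: v1
kind: Pod
metadata:
  name: egress-db
  labels:
    name: egress-db
  annotations:
    pod.network.openshift.io/assign-macvlan: "true"  # SDN attaches a macvlan interface
spec:
  containers:
  - name: egress-router
    image: registry.access.redhat.com/openshift3/ose-egress-router
    securityContext:
      privileged: true          # needed to configure the macvlan interface and routes
    env:
    - name: EGRESS_SOURCE       # preallocated static IP on the selected host (constructed)
      value: 192.0.2.99
    - name: EGRESS_GATEWAY      # gateway that reaches the destination (constructed)
      value: 192.0.2.1
    - name: EGRESS_DESTINATION  # the protected database host (constructed)
      value: 203.0.113.25
  nodeSelector:
    egress-host: "true"         # hypothetical label on the node holding the static IPs
---
# Service used by application pods; only EGRESS_SOURCE needs allowing on the external firewall.
apiVersion: v1
kind: Service
metadata:
  name: egress-db
spec:
  selector:
    name: egress-db
  ports:
  - port: 5432
---
# Egress firewall for the project: allow the database, deny everything else.
apiVersion: v1
kind: EgressNetworkPolicy
metadata:
  name: default
spec:
  egress:
  - type: Allow
    to:
      cidrSelector: 203.0.113.25/32
  - type: Deny
    to:
      cidrSelector: 0.0.0.0/0
```

Application pods in the project connect to egress-db:5432 and the database sees every connection arrive from 192.0.2.99, so the external firewall rule stays tied to one known source.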
This is recommended to increase security, because it secures an external service, such as a database, so that only specific pods in a namespace can talk to a service, such as an egress router, which proxies the traffic to the application service, for example, a database.

Installing Flannel

Flannel is a virtual networking layer designed specifically for containers. OpenShift Container Platform can use flannel to network containers instead of using the default SDN components. This is useful if OpenShift Container Platform is deployed within a cloud provider platform that also relies on SDN, such as Red Hat OpenStack Platform, and you want to avoid encapsulating packets twice through both platforms. OpenShift Container Platform provides Ansible Playbooks for installing flannel-based networking.

OpenShift Container Platform runs flannel in host-gw mode, which maps routes from container to container. Each host within the network runs an agent called flanneld, which is responsible for:

DO380-OCP-3.6-en-2-20180925  369

CHAPTER 10 | Configuring Networking Options

• Managing a unique subnet on each host.