diff --git a/_topic_map.yml b/_topic_map.yml index 7103c08fe6..3f765f93da 100644 --- a/_topic_map.yml +++ b/_topic_map.yml @@ -217,8 +217,8 @@ Topics: Topics: - Name: DNS Operator in OpenShift Container Platform File: dns-operator -- Name: Configuring the network - File: configuring-network-operator +- Name: Configuring kube-proxy + File: configuring-kube-proxy Distros: openshift-enterprise,openshift-origin - Name: Configuring network policy File: configuring-networkpolicy diff --git a/modules/nw-kube-proxy-config.adoc b/modules/nw-kube-proxy-config.adoc new file mode 100644 index 0000000000..ad0c92fc14 --- /dev/null +++ b/modules/nw-kube-proxy-config.adoc @@ -0,0 +1,29 @@ +// Module included in the following assemblies: +// * networking/configuring-kubeproxy.adoc + +[id="modifying-kubeproxy-config-{context}"] += kube-proxy configuration parameters + +You can modify the following `kubeProxyConfig` parameters: + +.Parameters +[cols=".^2,.^3,.^3,.^2a",options="header"] +|==== +|Parameter|Description|Values|Default + +|`iptablesSyncPeriod` +|The refresh period for `iptables` rules. +|A time interval, such as `30s` or `2m`. Valid +suffixes include `s`, `m`, and `h` and are described in the +link:https://golang.org/pkg/time/#ParseDuration[Go time package] documentation. +|`30s` + +|`proxyArguments.iptables-min-sync-period` +|The minimum duration before refreshing `iptables` rules. This parameter ensures +that the refresh does not happen too frequently. +|A time interval, such as `30s` or `2m`. Valid suffixes include `s`, +`m`, and `h` and are described in the +link:https://golang.org/pkg/time/#ParseDuration[Go time package] +|`30s` + +|==== diff --git a/modules/nw-kube-proxy-configuring.adoc b/modules/nw-kube-proxy-configuring.adoc new file mode 100644 index 0000000000..9469c44981 --- /dev/null +++ b/modules/nw-kube-proxy-configuring.adoc 
@@ -0,0 +1,88 @@ +// Module included in the following assemblies: +// * networking/configuring-kubeproxy.adoc + +[id="modifying-kubeproxy-configuration-{context}"] += Modifying the kube-proxy configuration + +You can modify the Kubernetes network proxy configuration for your cluster. + +.Prerequisites + +* Install the OpenShift Command-line Interface (CLI), commonly known as `oc`. +* Log in to a running cluster with the `cluster-admin` role. + +.Procedure + +. Edit the `Network.operator.openshift.io` Custom Resource (CR) by running the +following command: ++ +---- +$ oc edit network.operator.openshift.io cluster +---- + +. Modify the `kubeProxyConfig` parameter in the CR with your changes to the +kube-proxy configuration, such as in the following example CR: ++ +[source,yaml] +---- +apiVersion: operator.openshift.io/v1 +kind: Network +metadata: + name: cluster +spec: + kubeProxyConfig: + iptablesSyncPeriod: 30s + proxyArguments: + iptables-min-sync-period: ["30s"] +---- + +. Save the file and exit the text editor. ++ +The syntax is validated by the `oc` command when you save the file and exit the +editor. If your modifications contain a syntax error, the editor opens the file +and displays an error message. + +. Run the following command to confirm the configuration update: ++ +---- +$ oc get networks.operator.openshift.io -o yaml +---- ++ +The command returns output similar to the following example: ++ +[source,yaml] +---- +apiVersion: v1 +items: +- apiVersion: operator.openshift.io/v1 + kind: Network + metadata: + name: cluster + spec: + clusterNetwork: + - cidr: 10.128.0.0/14 + hostPrefix: 23 + defaultNetwork: + type: OpenShiftSDN + kubeProxyConfig: + iptablesSyncPeriod: 30s + proxyArguments: + iptables-min-sync-period: + - 30s + serviceNetwork: + - 172.30.0.0/16 + status: {} +kind: List +---- + +. 
Optionally, run the following command to confirm that the Cluster Network +Operator accepted the configuration change: ++ +---- +$ oc get clusteroperator network +NAME VERSION AVAILABLE PROGRESSING FAILING SINCE +network 4.1.0-0.9 True False False 1m +---- ++ +The `AVAILABLE` field is `True` when the configuration update is applied +successfully. diff --git a/modules/nw-kube-proxy-sync.adoc b/modules/nw-kube-proxy-sync.adoc new file mode 100644 index 0000000000..cbb0fbe47c --- /dev/null +++ b/modules/nw-kube-proxy-sync.adoc @@ -0,0 +1,14 @@ +// Module included in the following assemblies: +// * networking/configuring-kubeproxy.adoc + +[id="modifying-kubeproxy-sync-{context}"] += About iptables rules synchronization + +The synchronization period determines how frequently the Kubernetes network +proxy (kube-proxy) syncs the iptables rules on a node. + +A sync begins when either of the following events occurs: + +* An event occurs, such as service or endpoint is added to or removed from the +cluster. +* The time since the last sync exceeds the sync period defined for kube-proxy. diff --git a/modules/nw-modify-config.adoc b/modules/nw-modify-config.adoc deleted file mode 100644 index d49d8bfb98..0000000000 --- a/modules/nw-modify-config.adoc +++ /dev/null 
@@ -1,78 +0,0 @@ -// Module included in the following assemblies: -// * networking/configuring-network-operator.adoc - -[id="network-modifying-config_{context}"] -= Modifying network configuration in a running cluster - -The Network Operator reconciles the state of the cluster against a desired -configuration. - -// "You can also create new additionalNetworks" -You can modify only `kubeProxy` configuration parameters in a running cluster. - -.Prerequisites - -* Install the OpenShift Command-line Interface (CLI), commonly known as `oc`. -* Log in to a running cluster with the `cluster-admin` role. - -.Procedure - -. Use the following command to edit the `Network.operator.openshift.io` Custom -Resource (CR): -+ ----- -$ oc edit network.operator.openshift.io cluster ----- -+ -The following example output shows a `Network.operator.openshift.io` CR that is -configured with default values. -+ -[source,yaml] ----- -# Please edit the object below. Lines beginning with a '#' will be ignored, -# and an empty file will abort the edit. If an error occurs while saving this file will be -# reopened with the relevant failures. -# -apiVersion: operator.openshift.io/v1 -kind: Network -metadata: - name: cluster -spec: - clusterNetwork: - - cidr: 10.128.0.0/14 - hostPrefix: 23 - defaultNetwork: - type: OpenShiftSDN - serviceNetwork: - - 172.30.0.0/16 -status: {} ----- - -. Add the following code to the `spec` field in the -`Network.operator.openshift.io` CR: -+ -[source,yaml] ----- -spec: - deployKubeProxy: false - kubeProxyConfig: - iptablesSyncPeriod: 30s - bindAddress: 0.0.0.0 - proxyArguments: - - "iptables-min-sync-period": ["30s"] ----- - -. Save the file and exit the text editor. -+ -The syntax is validated by the `oc` command when you save the file and exit the -editor. If your modifications contain a syntax error, the editor opens the file -and displays an error message. - -. 
Run the following command to confirm that the Network Operator accepted the -updated configuration: -+ ----- -$ oc get clusteroperator network -NAME VERSION AVAILABLE PROGRESSING FAILING SINCE -network 4.0.0-0.9 True False False 1m ----- diff --git a/networking/configuring-kube-proxy.adoc b/networking/configuring-kube-proxy.adoc new file mode 100644 index 0000000000..b7ac49f4fb --- /dev/null +++ b/networking/configuring-kube-proxy.adoc @@ -0,0 +1,14 @@ +[id="configuring-kube-proxy"] += Configuring kube-proxy +include::modules/common-attributes.adoc[] +:context: configuring-kube-proxy + +toc::[] + +The Kubernetes network proxy (kube-proxy) runs on each node and is managed by +the Cluster Network Operator (CNO). kube-proxy maintains network rules for +forwarding connections for endpoints associated with services. + +include::modules/nw-kube-proxy-sync.adoc[leveloffset=+1] +include::modules/nw-kube-proxy-configuring.adoc[leveloffset=+1] +include::modules/nw-kube-proxy-config.adoc[leveloffset=+1] diff --git a/networking/configuring-network-operator.adoc b/networking/configuring-network-operator.adoc deleted file mode 100644 index 07f3d3e95d..0000000000 --- a/networking/configuring-network-operator.adoc +++ /dev/null @@ -1,21 +0,0 @@ -[id="configuring-network-operator"] -= Configuring networking -include::modules/common-attributes.adoc[] -:context: configuring-network-operator - -toc::[] - -The Network Operator installs and upgrades the networking components on an -{product-title} cluster. If you want to customize the network configuration, you -must modify the settings before installing the cluster. - -[IMPORTANT] -==== -You cannot modify your network settings after you install the cluster. -==== - -//Advanced network configuration defaults in operator config -include::modules/nw-operator-cr.adoc[leveloffset=+1] - -//Modifying network configuration in a running cluster -include::modules/nw-modify-config.adoc[leveloffset=+1]
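Review bot: In the new `modules/nw-kube-proxy-config.adoc`, the header comment points at `networking/configuring-kubeproxy.adoc`, but the assembly added in this patch is `networking/configuring-kube-proxy.adoc` (with the hyphen); the same stale path appears in the headers of `nw-kube-proxy-configuring.adoc` and `nw-kube-proxy-sync.adoc`, so all three should be corrected. In the parameters table, the second row's Values cell stops at `link:https://golang.org/pkg/time/#ParseDuration[Go time package]` without the word "documentation" or a closing period that the first row has; make the two cells match. The Values column for `proxyArguments.iptables-min-sync-period` also describes a bare interval, while the example CR in the configuring module passes it as a list (`iptables-min-sync-period: ["30s"]`); a short note that `proxyArguments` entries take a list of string values would keep the table consistent with the example.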
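Review bot: In `modules/nw-kube-proxy-configuring.adoc`, the final confirmation step tells the reader only that `AVAILABLE` is `True` on success, but the sample output also has a `PROGRESSING` column; since the operator reports `AVAILABLE True` while a rollout is still in progress, the text should say that the change is applied when `AVAILABLE` is `True` and `PROGRESSING` is `False`. The edit step uses `oc edit network.operator.openshift.io cluster` while the verification step uses `oc get networks.operator.openshift.io -o yaml`; both resolve, but using one resource name throughout avoids the reader wondering whether they are different objects. The statement that "the syntax is validated by the `oc` command" is only true for YAML well-formedness; a value such as an invalid duration suffix is rejected by the API server on save, so "is validated when you save the file" without attributing it to `oc` would be more accurate.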
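Review bot: In `modules/nw-kube-proxy-sync.adoc`, the second bullet list item is ungrammatical and redundant with its lead-in ("A sync begins when either of the following events occurs: * An event occurs, such as service or endpoint is added..."); suggest "* A service or endpoint is added to or removed from the cluster." The module explains the sync period but never mentions the minimum sync period that the parameters table documents as the lower bound on refresh frequency; one sentence here tying `iptablesSyncPeriod` to `iptables-min-sync-period` would explain why both parameters exist.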
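Review bot: The deleted `modules/nw-modify-config.adoc` documented `deployKubeProxy: false` and `bindAddress: 0.0.0.0` under `kubeProxyConfig`, and neither appears in the new parameters table in `nw-kube-proxy-config.adoc`; confirm that dropping them is intentional and say so in the PR description, since a reader migrating from the old page will look for them. The old example also wrote `proxyArguments` as a list of maps (`- "iptables-min-sync-period": ["30s"]`), whereas the new modules use a map (`iptables-min-sync-period: ["30s"]`), which matches the `oc get` output shown in the new configuring module; worth a line in the PR description noting that the old form was incorrect.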
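Review bot: Deleting `networking/configuring-network-operator.adoc` removes the only include of `modules/nw-operator-cr.adoc` visible in this patch, and that module is not deleted or included by the new `configuring-kube-proxy.adoc`; either include it from a surviving assembly or delete it so it does not become an orphaned module. The removed assembly also defined the `configuring-network-operator` id and the `_topic_map.yml` entry "Configuring the network"; grep the rest of the docs for xrefs to that id before merging, since the topic map hunk replaces the entry rather than keeping a redirect.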