openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
enterprise-4.21
openshift-docs/modules/installation-load-balancing-user-infra.adoc
dfitzmau 40363999a4 OSDOCS-17013-bm-upi-8: CQA BM UPI doc
2026-01-26 15:11:14 +00:00

132 lines
5.5 KiB
Plaintext
Raw Permalink Blame History

// Module included in the following assemblies:
//
// * installing/installing_bare_metal/upi/installing-bare-metal.adoc
// * installing/installing_bare_metal/upi/installing-bare-metal-network-customizations.adoc
// * installing/installing_bare_metal/upi/installing-restricted-networks-bare-metal.adoc
// * installing/installing_platform_agnostic/installing-platform-agnostic.adoc
// * installing/installing_ibm_z/installing-ibm-z.adoc
// * installing/installing_ibm_z/installing-restricted-networks-ibm-z.adoc
// * installing/installing_ibm_z/installing-ibm-z-kvm.adoc
// * installing/installing_ibm_z/installing-ibm-z-lpar.adoc
// * installing/installing_ibm_z/installing-restricted-networks-ibm-z-lpar.adoc
// * installing/installing_ibm_z/installing-ibm-power.adoc
// * installing/installing_ibm_z/installing-restricted-networks-ibm-power.adoc
// * installing/installing_openstack/installing-openstack-installer-custom.adoc
ifeval::["{context}" == "installing-openstack-installer-custom"]
:user-managed-lb:
endif::[]
:_mod-docs-content-type: CONCEPT
[id="installation-load-balancing-user-infra_{context}"]
= Load balancing requirements for user-provisioned infrastructure
[role="_abstract"]
ifndef::user-managed-lb[]
Before you install {product-title}, you must provision the API and application Ingress load balancing infrastructure. In production scenarios, you can deploy the API and application Ingress load balancers separately so that you can scale the load balancer infrastructure for each in isolation.
endif::user-managed-lb[]
ifdef::user-managed-lb[]
Before you install {product-title}, you can provision your own API and application ingress load balancing infrastructure to use in place of the default, internal load balancing solution. In production scenarios, you can deploy the API and application Ingress load balancers separately so that you can scale the load balancer infrastructure for each in isolation.
endif::user-managed-lb[]
[NOTE]
====
If you want to deploy the API and application Ingress load balancers with a {op-system-base-full} instance, you must purchase the {op-system-base} subscription separately.
====
The load balancing infrastructure must meet the following requirements:
* API load balancer: Provides a common endpoint for users, both human and machine, to interact with and configure the platform. Configure the following conditions:
** Layer 4 load balancing only. This can be referred to as Raw TCP or SSL Passthrough mode.
** A stateless load balancing algorithm. The options vary based on the load balancer implementation.
[IMPORTANT]
====
Do not configure session persistence for an API load balancer. Configuring session persistence for a Kubernetes API server might cause performance issues from excess application traffic for your {product-title} cluster and the Kubernetes API that runs inside the cluster.
====
Configure the following ports on both the front and back of the API load balancers:
[cols="2,5,^2,^2,2",options="header"]
|===
|Port
|Back-end machines (pool members)
|Internal
|External
|Description
|`6443`
|Bootstrap and control plane. You remove the bootstrap machine from the load
balancer after the bootstrap machine initializes the cluster control plane. You
must configure the `/readyz` endpoint for the API server health check probe.
|X
|X
|Kubernetes API server
|`22623`
|Bootstrap and control plane. You remove the bootstrap machine from the load
balancer after the bootstrap machine initializes the cluster control plane.
|X
|
|Machine config server
|===
[NOTE]
====
The load balancer must be configured to take a maximum of 30 seconds from the
time the API server turns off the `/readyz` endpoint to the removal of the API
server instance from the pool. Within the time frame after `/readyz` returns an
error or becomes healthy, the endpoint must have been removed or added. Probing
every 5 or 10 seconds, with two successful requests to become healthy and three
to become unhealthy, are well-tested values.
====
* Application Ingress load balancer: Provides an ingress point for application traffic flowing in from outside the cluster. A working configuration for the Ingress router is required for an {product-title} cluster. Configure the following conditions:
** Layer 4 load balancing only. This can be referred to as Raw TCP or SSL Passthrough mode.
** A connection-based or session-based persistence is recommended, based on the options available and types of applications that will be hosted on the platform.
[TIP]
====
If the true IP address of the client can be seen by the application Ingress load balancer, enabling source IP-based session persistence can improve performance for applications that use end-to-end TLS encryption.
====
Configure the following ports on both the front and back of the load balancers:
.Application Ingress load balancer
[cols="2,5,^2,^2,2",options="header"]
|===
|Port
|Back-end machines (pool members)
|Internal
|External
|Description
|`443`
|The machines that run the Ingress Controller pods, compute, or worker, by default.
|X
|X
|HTTPS traffic
|`80`
|The machines that run the Ingress Controller pods, compute, or worker, by default.
|X
|X
|HTTP traffic
|===
[NOTE]
====
If you are deploying a three-node cluster with zero compute nodes, the Ingress Controller pods run on the control plane nodes. In three-node cluster deployments, you must configure your application Ingress load balancer to route HTTP and HTTPS traffic to the control plane nodes.
====
ifeval::["{context}" == "installing-openstack-installer-custom"]
:!user-managed-lb:
endif::[]
View Git Blame Copy Permalink