mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
71 lines
3.3 KiB
Plaintext
71 lines
3.3 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * networking/configuring_ingress_cluster_traffic/configuring-externalip.adoc
|
|
|
|
:_mod-docs-content-type: CONCEPT
|
|
[id="configuration-externalip_{context}"]
|
|
= Configuration for ExternalIP
|
|
|
|
[role="_abstract"]
|
|
You can set parameters in the `Network.config.openshift.io` custom resource (CR) to govern the use of an external IP address in {product-title}.
|
|
|
|
The following list details these parameters:
|
|
|
|
* `spec.externalIP.autoAssignCIDRs` defines an IP address block used by the load balancer when choosing an external IP address for the service. {product-title} supports only a single IP address block for automatic assignment. This configuration requires less steps than manually assigning ExternalIPs to services, which requires managing the port space of a limited number of shared IP addresses. If you enable automatic assignment, the Cloud Controller Manager Operator allocates an external IP address to a `Service` object with `spec.type=LoadBalancer` defind in its configuration.
|
|
|
|
* `spec.externalIP.policy` defines the permissible IP address blocks when manually specifying an IP address. {product-title} does not apply policy rules to IP address blocks that you defined in the `spec.externalIP.autoAssignCIDRs` parameter.
|
|
|
|
If routed correctly, external traffic from the configured external IP address block can reach service endpoints through any TCP or UDP port that the service exposes.
|
|
|
|
[IMPORTANT]
|
|
====
|
|
As a cluster administrator, you must configure routing to externalIPs. You must also ensure that the IP address block you assign terminates at one or more nodes in your cluster. For more information, see link:https://kubernetes.io/docs/concepts/services-networking/service/#external-ips[Kubernetes External IPs].
|
|
====
|
|
|
|
{product-title} supports both automatic and manual IP address assignment. This support guarantees that each address gets assigned to a maximum of one service and that each service can expose its chosen ports regardless of the ports exposed by other services.
|
|
|
|
[NOTE]
|
|
====
|
|
To use IP address blocks defined by `autoAssignCIDRs` in {product-title}, you must configure the necessary IP address assignment and routing for your host network.
|
|
====
|
|
|
|
The following YAML describes a service with an external IP address configured:
|
|
|
|
.Example `Service` object with `spec.externalIPs[]` set
|
|
[source,yaml]
|
|
----
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: http-service
|
|
spec:
|
|
clusterIP: 172.30.163.110
|
|
externalIPs:
|
|
- 192.168.132.253
|
|
externalTrafficPolicy: Cluster
|
|
ports:
|
|
- name: highport
|
|
nodePort: 31903
|
|
port: 30102
|
|
protocol: TCP
|
|
targetPort: 30102
|
|
selector:
|
|
app: web
|
|
sessionAffinity: None
|
|
type: LoadBalancer
|
|
status:
|
|
loadBalancer:
|
|
ingress:
|
|
- ip: 192.168.132.253
|
|
# ...
|
|
----
|
|
|
|
If you run a private cluster on a cloud-provider platform, you can change the publishing scope to `internal` for the load balancer of the Ingress Controller by running the following `patch` command:
|
|
|
|
[source,terminal]
|
|
----
|
|
$ oc -n openshift-ingress-operator patch ingresscontrollers/ingress-controller-with-nlb --type=merge --patch='{"spec":{"endpointPublishingStrategy":{"loadBalancer":{"scope":"Internal"}}}}'
|
|
----
|
|
|
|
After you run this command, the Ingress Controller restricts access to routes for {product-title} applications to internal networks only.
|