About Routers

The OKD router is the ingress point for all external traffic destined for services in your OKD installation. OKD provides and supports the following two router plug-ins:

  • The HAProxy template router is the default plug-in. It uses the openshift/origin-haproxy-router image to run an HAProxy instance alongside the template router plug-in inside a container on OKD. It currently supports HTTP(S) traffic and TLS-enabled traffic via SNI. The router’s container listens on the host network interface, unlike most containers that listen only on private IPs. The router proxies external requests for route names to the IPs of actual pods identified by the service associated with the route.

  • The F5 router integrates with an existing F5 BIG-IP® system in your environment to synchronize routes. F5 BIG-IP® version 11.4 or newer is required in order to have the F5 iControl REST API.

Configuring the Router Service Account

Router service account must have permissions to a security context constraint (SCC) that allows it to specify host ports.

To add a 'hostnetwork' SCC to the router service account in the default namespace:

$ oadm policy add-scc-to-user hostnetwork system:serviceaccount:default:router

You can also use the 'privileged' SCC for running your router, but it is recommended to use only the necessary SCC.

Use of labels (e.g., to define router shards) requires cluster-reader permission.

$ oadm policy add-cluster-role-to-user \
    cluster-reader \

With a service account in place, you can proceed to installing a default HAProxy Router, a customized HAProxy Router or F5 Router.