$ oc adm policy add-scc-to-user hostnetwork system:serviceaccount:default:router
There are many ways to get traffic into the cluster. The most common approach is to use the OKD router as the ingress point for external traffic destined for services in your OKD installation.
OKD provides and supports the following router plug-ins:
The HAProxy template router is the default plug-in. It uses the openshift/origin-haproxy-router image to run an HAProxy instance alongside the template router plug-in inside a container on OKD. It currently supports HTTP(S) traffic and TLS-enabled traffic via SNI. The router’s container listens on the host network interface, unlike most containers that listen only on private IPs. The router proxies external requests for route names to the IPs of actual pods identified by the service associated with the route.
The F5 router integrates with an existing F5 BIG-IP® system in your environment to synchronize routes. F5 BIG-IP® version 11.4 or newer is required in order to have the F5 iControl REST API.
Router service account must have permissions to a security context constraint (SCC) that allows it to specify host ports.
To add a 'hostnetwork' SCC to the router service account in the default namespace:
$ oc adm policy add-scc-to-user hostnetwork system:serviceaccount:default:router
You can also use 'privileged' SCC for running your router, but it is recommended to use only the necessary SCC for running router. |
When
namespace labels
are used, for example in creating
router shards,
the service account for the router must have cluster-reader
permission.
$ oc adm policy add-cluster-role-to-user \ cluster-reader \ system:serviceaccount:default:router
With a service account in place, you can proceed to installing a default HAProxy Router or a customized HAProxy Router