apiVersion: v1
kind: Service
metadata:
name: http-service
spec:
clusterIP: 172.30.163.110
externalIPs:
- 192.168.132.253
externalTrafficPolicy: Cluster
ports:
- name: highport
nodePort: 31903
port: 30102
protocol: TCP
targetPort: 30102
selector:
app: web
sessionAffinity: None
type: LoadBalancer
status:
loadBalancer:
ingress:
- ip: 192.168.132.253
×
Configuring ExternalIPs for services
As a cluster administrator, you can designate an IP address block that is external to the cluster that can send traffic to services in the cluster.
This functionality is generally most useful for clusters installed on bare-metal hardware.
Prerequisites
-
Your network infrastructure must route traffic for the external IP addresses to your cluster.
About ExternalIP
For non-cloud environments, OKD supports the assignment of external IP addresses to a Service object spec.externalIPs[] field through the ExternalIP facility.
By setting this field, OKD assigns an additional virtual IP address to the service. The IP address can be outside the service network defined for the cluster.
A service configured with an ExternalIP functions similarly to a service with type=NodePort, allowing you to direct traffic to a local node for load balancing.
You must configure your networking infrastructure to ensure that the external IP address blocks that you define are routed to the cluster.
OKD extends the ExternalIP functionality in Kubernetes by adding the following capabilities:
-
Restrictions on the use of external IP addresses by users through a configurable policy
-
Allocation of an external IP address automatically to a service upon request
|
Disabled by default, use of ExternalIP functionality can be a security risk, because in-cluster traffic to an external IP address is directed to that service. This could allow cluster users to intercept sensitive traffic destined for external resources. |
|
This feature is supported only in non-cloud deployments. For cloud deployments, use the load balancer services for automatic deployment of a cloud load balancer to target the endpoints of a service. |
You can assign an external IP address in the following ways:
- Automatic assignment of an external IP
-
OKD automatically assigns an IP address from the
autoAssignCIDRsCIDR block to thespec.externalIPs[]array when you create aServiceobject withspec.type=LoadBalancerset. In this case, OKD implements a non-cloud version of the load balancer service type and assigns IP addresses to the services. Automatic assignment is disabled by default and must be configured by a cluster administrator as described in the following section. - Manual assignment of an external IP
-
OKD uses the IP addresses assigned to the
spec.externalIPs[]array when you create aServiceobject. You cannot specify an IP address that is already in use by another service.
Configuration for ExternalIP
Use of an external IP address in OKD is governed by the following fields in the Network.config.openshift.io CR named cluster:
-
spec.externalIP.autoAssignCIDRsdefines an IP address block used by the load balancer when choosing an external IP address for the service. OKD supports only a single IP address block for automatic assignment. This can be simpler than having to manage the port space of a limited number of shared IP addresses when manually assigning ExternalIPs to services. If automatic assignment is enabled, aServiceobject withspec.type=LoadBalanceris allocated an external IP address. -
spec.externalIP.policydefines the permissible IP address blocks when manually specifying an IP address. OKD does not apply policy rules to IP address blocks defined byspec.externalIP.autoAssignCIDRs.
If routed correctly, external traffic from the configured external IP address block can reach service endpoints through any TCP or UDP port that the service exposes.
|
As a cluster administrator, you must configure routing to externalIPs on both OpenShiftSDN and OVN-Kubernetes network types. You must also ensure that the IP address block you assign terminates at one or more nodes in your cluster. For more information, see Kubernetes External IPs. |
OKD supports both the automatic and manual assignment of IP addresses, and each address is guaranteed to be assigned to a maximum of one service. This ensures that each service can expose its chosen ports regardless of the ports exposed by other services.
|
To use IP address blocks defined by |
The following YAML describes a service with an external IP address configured:
Example
Service object with spec.externalIPs[] setRestrictions on the assignment of an external IP address
As a cluster administrator, you can specify IP address blocks to allow and to reject.
Restrictions apply only to users without cluster-admin privileges. A cluster administrator can always set the service spec.externalIPs[] field to any IP address.
You configure IP address policy with a policy object defined by specifying the spec.ExternalIP.policy field.
The policy object has the following shape:
{
"policy": {
"allowedCIDRs": [],
"rejectedCIDRs": []
}
}When configuring policy restrictions, the following rules apply:
-
If
policy={}is set, then creating aServiceobject withspec.ExternalIPs[]set will fail. This is the default for OKD. The behavior whenpolicy=nullis set is identical. -
If
policyis set and eitherpolicy.allowedCIDRs[]orpolicy.rejectedCIDRs[]is set, the following rules apply:-
If
allowedCIDRs[]andrejectedCIDRs[]are both set, thenrejectedCIDRs[]has precedence overallowedCIDRs[]. -
If
allowedCIDRs[]is set, creating aServiceobject withspec.ExternalIPs[]will succeed only if the specified IP addresses are allowed. -
If
rejectedCIDRs[]is set, creating aServiceobject withspec.ExternalIPs[]will succeed only if the specified IP addresses are not rejected.
-
Example policy objects
The examples that follow demonstrate several different policy configurations.
-
In the following example, the policy prevents OKD from creating any service with an external IP address specified:
Example policy to reject any value specified forServiceobjectspec.externalIPs[]apiVersion: config.openshift.io/v1 kind: Network metadata: name: cluster spec: externalIP: policy: {} ... -
In the following example, both the
allowedCIDRsandrejectedCIDRsfields are set.Example policy that includes both allowed and rejected CIDR blocksapiVersion: config.openshift.io/v1 kind: Network metadata: name: cluster spec: externalIP: policy: allowedCIDRs: - 172.16.66.10/23 rejectedCIDRs: - 172.16.66.10/24 ... -
In the following example,
policyis set tonull. If set tonull, when inspecting the configuration object by enteringoc get networks.config.openshift.io -o yaml, thepolicyfield will not appear in the output.Example policy to allow any value specified forServiceobjectspec.externalIPs[]apiVersion: config.openshift.io/v1 kind: Network metadata: name: cluster spec: externalIP: policy: null ...
ExternalIP address block configuration
The configuration for ExternalIP address blocks is defined by a Network custom resource (CR) named cluster. The Network CR is part of the config.openshift.io API group.
|
During cluster installation, the Cluster Version Operator (CVO) automatically creates a Network CR named |
The following YAML describes the ExternalIP configuration:
Network.config.openshift.io CR named
clusterapiVersion: config.openshift.io/v1
kind: Network
metadata:
name: cluster
spec:
externalIP:
autoAssignCIDRs: [] (1)
policy: (2)
...| 1 | Defines the IP address block in CIDR format that is available for automatic assignment of external IP addresses to a service. Only a single IP address range is allowed. |
| 2 | Defines restrictions on manual assignment of an IP address to a service.
If no restrictions are defined, specifying the spec.externalIP field in a Service object is not allowed.
By default, no restrictions are defined. |
The following YAML describes the fields for the policy stanza:
Network.config.openshift.io
policy stanzapolicy:
allowedCIDRs: [] (1)
rejectedCIDRs: [] (2)| 1 | A list of allowed IP address ranges in CIDR format. |
| 2 | A list of rejected IP address ranges in CIDR format. |
Example external IP configurations
Several possible configurations for external IP address pools are displayed in the following examples:
-
The following YAML describes a configuration that enables automatically assigned external IP addresses:
Example configuration withspec.externalIP.autoAssignCIDRssetapiVersion: config.openshift.io/v1 kind: Network metadata: name: cluster spec: ... externalIP: autoAssignCIDRs: - 192.168.132.254/29 -
The following YAML configures policy rules for the allowed and rejected CIDR ranges:
Example configuration withspec.externalIP.policysetapiVersion: config.openshift.io/v1 kind: Network metadata: name: cluster spec: ... externalIP: policy: allowedCIDRs: - 192.168.132.0/29 - 192.168.132.8/29 rejectedCIDRs: - 192.168.132.7/32
Configure external IP address blocks for your cluster
As a cluster administrator, you can configure the following ExternalIP settings:
-
An ExternalIP address block used by OKD to automatically populate the
spec.clusterIPfield for aServiceobject. -
A policy object to restrict what IP addresses may be manually assigned to the
spec.clusterIParray of aServiceobject.
Prerequisites
-
Install the OpenShift CLI (
oc). -
Access to the cluster as a user with the
cluster-adminrole.
Procedure
-
Optional: To display the current external IP configuration, enter the following command:
$ oc describe networks.config cluster -
To edit the configuration, enter the following command:
$ oc edit networks.config cluster -
Modify the ExternalIP configuration, as in the following example:
apiVersion: config.openshift.io/v1 kind: Network metadata: name: cluster spec: ... externalIP: (1) ...1 Specify the configuration for the externalIPstanza. -
To confirm the updated ExternalIP configuration, enter the following command:
$ oc get networks.config cluster -o go-template='{{.spec.externalIP}}{{"\n"}}'