$ oc new-project hello-openshift- Documentation
- OKD
- Networking
- Configuring Routes
- Route configuration
- About
- What's new?
- Architecture
-
Installing
- Installation overview
- Selecting an installation method and preparing a cluster
- Cluster capabilities
- Disconnected installation mirroring
- Installing on Alibaba
-
Installing on AWS
- Preparing to install on AWS
- Configuring an AWS account
- Manually creating IAM
- Installing a cluster quickly on AWS
- Installing a cluster on AWS with customizations
- Installing a cluster on AWS with network customizations
- Installing a cluster on AWS in a restricted network
- Installing a cluster on AWS into an existing VPC
- Installing a private cluster on AWS
- Installing a cluster on AWS into a government region
- Installing a cluster on AWS into a Secret or Top Secret Region
- Installing a cluster on AWS into a China region
- Installing a cluster on AWS using CloudFormation templates
- Installing a cluster using AWS Local Zones
- Installing a cluster on AWS in a restricted network with user-provisioned infrastructure
- Uninstalling a cluster on AWS
-
Installing on Azure
- Preparing to install on Azure
- Configuring an Azure account
- Manually creating IAM
- Enabling user-managed encryption on Azure
- Installing a cluster quickly on Azure
- Installing a cluster on Azure with customizations
- Installing a cluster on Azure with network customizations
- Installing a cluster on Azure into an existing VNet
- Installing a private cluster on Azure
- Installing a cluster on Azure into a government region
- Installing a cluster on Azure using ARM templates
- Uninstalling a cluster on Azure
-
Installing on Azure Stack Hub
- Preparing to install on Azure Stack Hub
- Configuring an Azure Stack Hub account
- Installing a cluster on Azure Stack Hub with an installer-provisioned infrastructure
- Installing a cluster on Azure Stack Hub with network customizations
- Installing a cluster on Azure Stack Hub using ARM templates
- Uninstalling a cluster on Azure Stack Hub
-
Installing on GCP
- Preparing to install on GCP
- Configuring a GCP project
- Manually creating IAM
- Installing a cluster quickly on GCP
- Installing a cluster on GCP with customizations
- Installing a cluster on GCP with network customizations
- Installing a cluster on GCP in a restricted network
- Installing a cluster on GCP into an existing VPC
- Installing a cluster on GCP into a shared VPC
- Installing a private cluster on GCP
- Installing a cluster on GCP using Deployment Manager templates
- Installing a cluster into a shared VPC on GCP using Deployment Manager templates
- Installing a cluster on GCP in a restricted network with user-provisioned infrastructure
- Uninstalling a cluster on GCP
-
Installing on IBM Cloud VPC
- Preparing to install on IBM Cloud VPC
- Configuring an IBM Cloud account
- Configuring IAM for IBM Cloud VPC
- Installing a cluster on IBM Cloud VPC with customizations
- Installing a cluster on IBM Cloud VPC with network customizations
- Installing a cluster on IBM Cloud VPC into an existing VPC
- Installing a private cluster on IBM Cloud VPC
- Uninstalling a cluster on IBM Cloud VPC
- Installing on Nutanix
- Installing on bare metal
- Deploying installer-provisioned clusters on bare metal
- Installing bare metal clusters on IBM Cloud
-
Installing on OpenStack
- Preparing to install on OpenStack
- Preparing to install a cluster that uses SR-IOV or OVS-DPDK on OpenStack
- Installing a cluster on OpenStack with customizations
- Installing a cluster on OpenStack with Kuryr
- Installing a cluster on OpenStack on your own infrastructure
- Installing a cluster on OpenStack with Kuryr on your own infrastructure
- Installing a cluster on OpenStack in a restricted network
- OpenStack Cloud Controller Manager reference guide
- Uninstalling a cluster on OpenStack
- Uninstalling a cluster on OpenStack from your own infrastructure
- Installing on oVirt
-
Installing on vSphere
- Preparing to install on vSphere
- Installing a cluster on vSphere
- Installing a cluster on vSphere with customizations
- Installing a cluster on vSphere with network customizations
- Installing a cluster on vSphere with user-provisioned infrastructure
- Installing a cluster on vSphere with user-provisioned infrastructure and network customizations
- Installing a cluster on vSphere in a restricted network
- Installing a cluster on vSphere in a restricted network with user-provisioned infrastructure
- Uninstalling a cluster on vSphere that uses installer-provisioned infrastructure
- Using the vSphere Problem Detector Operator
-
Installing on VMC
- Preparing to install on VMC
- Installing a cluster on VMC
- Installing a cluster on VMC with customizations
- Installing a cluster on VMC with network customizations
- Installing a cluster on VMC in a restricted network
- Installing a cluster on VMC with user-provisioned infrastructure
- Installing a cluster on VMC with user-provisioned infrastructure and network customizations
- Installing a cluster on VMC in a restricted network with user-provisioned infrastructure
- Uninstalling a cluster on VMC
- Installing on any platform
- Installation configuration
- Validating an installation
- Troubleshooting installation issues
-
Post-installation configuration
- Configuring a private cluster
- Bare metal configuration
- Configuring multi-architecture compute machines on an OpenShift cluster
- Machine configuration tasks
- Cluster tasks
- Node tasks
- Network configuration
- Storage configuration
- Preparing for users
- Configuring alert notifications
- Converting a connected cluster to a disconnected cluster
- Enabling cluster capabilities
- Configuring additional devices in an IBM Z or LinuxONE environment
- Fedora CoreOS (FCOS) image layering
-
Updating clusters
- Updating clusters overview
- Understanding OpenShift updates
- Understanding upgrade channels
- Understanding OpenShift update duration
- Preparing to update to OKD 4.12
- Preparing to perform an EUS-to-EUS update
- Updating a cluster using the web console
- Updating a cluster using the CLI
- Performing update using canary rollout strategy
- Updating hardware on nodes running on vSphere
-
Support
- Support overview
- Managing your cluster resources
-
Remote health monitoring with connected clusters
- About remote health monitoring
- Showing data collected by remote health monitoring
- Opting out of remote health reporting
- Enabling remote health reporting
- Using Insights to identify issues with your cluster
- Using Insights Operator
- Using remote health reporting in a restricted network
- Importing simple content access certificates with Insights Operator
- Gathering data about your cluster
- Summarizing cluster specifications
-
Troubleshooting
- Troubleshooting installations
- Verifying node health
- Troubleshooting CRI-O container runtime issues
- Troubleshooting operating system issues
- Troubleshooting network issues
- Troubleshooting Operator issues
- Investigating pod issues
- Troubleshooting the Source-to-Image process
- Troubleshooting storage issues
- Troubleshooting Windows container workload issues
- Investigating monitoring issues
- Diagnosing OpenShift CLI (oc) issues
- Web console
- CLI tools
-
Security and compliance
- Security and compliance overview
-
Container security
- Understanding container security
- Understanding host and VM security
- Container image signatures
- Hardening Fedora CoreOS
- Understanding compliance
- Securing container content
- Using container registries securely
- Securing the build process
- Deploying containers
- Securing the container platform
- Securing networks
- Securing attached storage
- Monitoring cluster events and logs
- Configuring certificates
-
Certificate types and descriptions
- User-provided certificates for the API server
- Proxy certificates
- Service CA certificates
- Node certificates
- Bootstrap certificates
- etcd certificates
- OLM certificates
- Aggregated API client certificates
- Machine Config Operator certificates
- User-provided certificates for default ingress
- Ingress certificates
- Monitoring and cluster logging Operator component certificates
- Control plane certificates
-
Compliance Operator
- Compliance Operator release notes
- Supported compliance profiles
- Installing the Compliance Operator
- Compliance Operator scans
- Understanding the Compliance Operator
- Managing the Compliance Operator
- Tailoring the Compliance Operator
- Retrieving Compliance Operator raw results
- Managing Compliance Operator remediation
- Performing advanced Compliance Operator tasks
- Troubleshooting the Compliance Operator
- Uninstalling the Compliance Operator
- Using the oc-compliance plugin
- Understanding the Custom Resource Definitions
- File Integrity Operator
-
Security Profiles Operator
- Security Profiles Operator overview
- Security Profiles Operator release notes
- Understanding the Security Profiles Operator
- Enabling the Security Profiles Operator
- Managing seccomp profiles
- Managing SELinux profiles
- Advanced Security Profiles Operator tasks
- Troubleshooting the Security Profiles Operator
- Uninstalling the Security Profiles Operator
- Viewing audit logs
- Configuring the audit log policy
- Configuring TLS security profiles
- Configuring seccomp profiles
- Allowing JavaScript-based access to the API server from additional hosts
- Encrypting etcd data
- Scanning pods for vulnerabilities
- Network-Bound Disk Encryption (NBDE)
-
Authentication and authorization
- Authentication and authorization overview
- Understanding authentication
- Configuring the internal OAuth server
- Configuring OAuth clients
- Managing user-owned OAuth access tokens
- Understanding identity provider configuration
-
Configuring identity providers
- Configuring an htpasswd identity provider
- Configuring a Keystone identity provider
- Configuring an LDAP identity provider
- Configuring a basic authentication identity provider
- Configuring a request header identity provider
- Configuring a GitHub or GitHub Enterprise identity provider
- Configuring a GitLab identity provider
- Configuring a Google identity provider
- Configuring an OpenID Connect identity provider
- Using RBAC to define and apply permissions
- Removing the kubeadmin user
- Understanding and creating service accounts
- Using service accounts in applications
- Using a service account as an OAuth client
- Scoping tokens
- Using bound service account tokens
- Managing security context constraints
- Understanding and managing pod security admission
- Impersonating the system:admin user
- Syncing LDAP groups
- Managing cloud provider credentials
-
Networking
- About networking
- Understanding networking
- Accessing hosts
- Networking Operators overview
- Understanding the Cluster Network Operator
- Understanding the DNS Operator
- Understanding the Ingress Operator
- Understanding the Ingress Node Firewall Operator
- Configuring the Ingress Controller for manual DNS management
- Configuring the Ingress Controller endpoint publishing strategy
- Verifying connectivity to an endpoint
- Changing the cluster network MTU
- Configuring the node port service range
- Configuring IP failover
- Configuring interface-level network sysctls
- Using SCTP
- Using PTP hardware
-
External DNS Operator
- Understanding the External DNS Operator
- Installing the External DNS Operator
- External DNS Operator configuration parameters
- Creating DNS records on an public hosted zone for AWS
- Creating DNS records on an public zone for Azure
- Creating DNS records on an public managed zone for GCP
- Creating DNS records on a public DNS zone for Infoblox
- Network policy
-
AWS Load Balancer Operator
- Understanding the AWS Load Balancer Operator
- Installing the AWS Load Balancer Operator
- Installing the AWS Load Balancer Operator on Secure Token Service cluster
- Creating an instance of the AWS Load Balancer Controller
- Serving Multiple Ingresses through a single AWS Load Balancer
- Adding TLS termination on the AWS Load Balancer
-
Multiple networks
- Understanding multiple networks
- Configuring an additional network
- About virtual routing and forwarding
- Configuring multi-network policy
- Attaching a pod to an additional network
- Removing a pod from an additional network
- Editing an additional network
- Removing an additional network
- Assigning a secondary network to a VRF
-
Hardware networks
- About Single Root I/O Virtualization (SR-IOV) hardware networks
- Installing the SR-IOV Operator
- Configuring the SR-IOV Operator
- Configuring an SR-IOV network device
- Configuring an SR-IOV Ethernet network attachment
- Configuring an SR-IOV InfiniBand network attachment
- Adding a pod to an SR-IOV network
- Tuning sysctl settings on an SR-IOV network
- Using high performance multicast
- Using DPDK and RDMA
- Using pod-level bonding for secondary networks
- Configuring hardware offloading
- Switching Bluefield-2 from NIC to DPU mode
- Uninstalling the SR-IOV Operator
-
OVN-Kubernetes network plugin
- About the OVN-Kubernetes network plugin
- Migrating from the OpenShift SDN network plugin
- Rolling back to the OpenShift SDN network plugin
- Converting to IPv4/IPv6 dual stack networking
- Logging for egress firewall and network policy rules
- Configuring IPsec encryption
- Configuring an egress firewall for a project
- Viewing an egress firewall for a project
- Editing an egress firewall for a project
- Removing an egress firewall from a project
- Configuring an egress IP address
- Assigning an egress IP address
- Considerations for the use of an egress router pod
- Deploying an egress router pod in redirect mode
- Enabling multicast for a project
- Disabling multicast for a project
- Tracking network flows
- Configuring hybrid networking
-
OpenShift SDN network plugin
- About the OpenShift SDN network plugin
- Configuring egress IPs for a project
- Configuring an egress firewall for a project
- Viewing an egress firewall for a project
- Editing an egress firewall for a project
- Removing an egress firewall from a project
- Considerations for the use of an egress router pod
- Deploying an egress router pod in redirect mode
- Deploying an egress router pod in HTTP proxy mode
- Deploying an egress router pod in DNS proxy mode
- Configuring an egress router pod destination list from a config map
- Enabling multicast for a project
- Disabling multicast for a project
- Configuring multitenant isolation
- Configuring kube-proxy
- Configuring Routes
-
Configuring ingress cluster traffic
- Overview
- Configuring ExternalIPs for services
- Configuring ingress cluster traffic using an Ingress Controller
- Configuring ingress cluster traffic using a load balancer
- Configuring ingress cluster traffic on AWS
- Configuring ingress cluster traffic using a service external IP
- Configuring ingress cluster traffic using a NodePort
- Configuring ingress cluster traffic using load balancer allowed source ranges
- Kubernetes NMState
- Configuring the cluster-wide proxy
- Configuring a custom PKI
- Load balancing on OpenStack
-
Load balancing with MetalLB
- About MetalLB and the MetalLB Operator
- Installing the MetalLB Operator
- Upgrading the MetalLB Operator
- Configuring MetalLB address pools
- Advertising the IP address pools
- Configuring MetalLB BGP peers
- Advertising an IP address pool using the community alias
- Configuring MetalLB BFD profiles
- Configuring services to use MetalLB
- MetalLB logging, troubleshooting, and support
- Associating secondary interfaces metrics to network attachments
- Network Observability
-
Storage
- Storage overview
- Understanding ephemeral storage
- Understanding persistent storage
-
Configuring persistent storage
- Persistent storage using AWS Elastic Block Store
- Persistent storage using Azure Disk
- Persistent storage using Azure File
- Persistent storage using Cinder
- Persistent storage using Fibre Channel
- Persistent storage using FlexVolume
- Persistent storage using GCE Persistent Disk
- Persistent storage using hostPath
- Persistent Storage using iSCSI
- Persistent storage using local volumes
- Persistent storage using NFS
- Persistent storage using Red Hat OpenShift Data Foundation
- Persistent storage using VMware vSphere
-
Using Container Storage Interface (CSI)
- Configuring CSI volumes
- CSI inline ephemeral volumes
- Shared Resource CSI Driver Operator
- CSI volume snapshots
- CSI volume cloning
- CSI automatic migration
- AliCloud Disk CSI Driver Operator
- AWS Elastic Block Store CSI Driver Operator
- AWS Elastic File Service CSI Driver Operator
- Azure Disk CSI Driver Operator
- Azure File CSI Driver Operator
- Azure Stack Hub CSI Driver Operator
- GCP PD CSI Driver Operator
- GCP Filestore CSI Driver Operator
- IBM VPC Block CSI Driver Operator
- OpenStack Cinder CSI Driver Operator
- OpenStack Manila CSI Driver Operator
- Red Hat Virtualization CSI Driver Operator
- VMware vSphere CSI Driver Operator
- Generic ephemeral volumes
- Expanding persistent volumes
- Dynamic provisioning
-
Registry
- Registry overview
- Image Registry Operator in OKD
-
Setting up and configuring the registry
- Configuring the registry for AWS user-provisioned infrastructure
- Configuring the registry for GCP user-provisioned infrastructure
- Configuring the registry for OpenStack user-provisioned infrastructure
- Configuring the registry for Azure user-provisioned infrastructure
- Configuring the registry for OpenStack
- Configuring the registry for bare metal
- Configuring the registry for vSphere
- Configuring the registry for OpenShift Data Foundation
- Accessing the registry
- Exposing the registry
-
Operators
- Operators overview
- Understanding Operators
- User tasks
-
Administrator tasks
- Adding Operators to a cluster
- Updating installed Operators
- Deleting Operators from a cluster
- Configuring OLM features
- Configuring proxy support
- Viewing Operator status
- Managing Operator conditions
- Allowing non-cluster administrators to install Operators
- Managing custom catalogs
- Using OLM on restricted networks
- Managing platform Operators
-
Developing Operators
- About the Operator SDK
- Installing the Operator SDK CLI
- Go-based Operators
- Ansible-based Operators
- Helm-based Operators
- Java-based Operators
- Defining cluster service versions (CSVs)
- Working with bundle images
- Validating Operators using the scorecard
- Validating Operator bundles
- High-availability or single-node cluster detection and support
- Configuring built-in monitoring with Prometheus
- Configuring leader election
- Object pruning utility
- Migrating package manifest projects to bundle format
- Operator SDK CLI reference
- Migrating to Operator SDK v0.1.0
- Cluster Operators reference
-
CI/CD
- CI/CD overview
-
Builds
- Understanding image builds
- Understanding build configurations
- Creating build inputs
- Managing build output
- Using build strategies
- Custom image builds with Buildah
- Performing and configuring basic builds
- Triggering and modifying builds
- Performing advanced builds
- Using Red Hat subscriptions in builds
- Securing builds by strategy
- Build configuration resources
- Troubleshooting builds
- Setting up additional trusted certificate authorities for builds
-
Images
- Overview of images
- Configuring the Cluster Samples Operator
- Using the Cluster Samples Operator with an alternate registry
- Creating images
- Managing images
- Managing image streams
- Using image streams with Kubernetes resources
- Triggering updates on image stream changes
- Image configuration resources
- Using templates
- Using Ruby on Rails
- Using images
-
Building applications
- Building applications overview
- Projects
- Creating applications
- Viewing application composition using the Topology view
-
Connecting applications to services
- Service Binding Operator release notes
- Understanding Service Binding Operator
- Installing Service Binding Operator
- Getting started with service binding
- Getting started with service binding on IBM Power, IBM Z, and LinuxONE
- Exposing binding data from a service
- Projecting binding data
- Binding workloads using Service Binding Operator
- Connecting an application to a service using the Developer perspective
- Working with Helm charts
- Deployments
- Quotas
- Using config maps with applications
- Monitoring project and application metrics using the Developer perspective
- Monitoring application health
- Editing applications
- Pruning objects to reclaim resources
- Idling applications
- Deleting applications
- Using the Red Hat Marketplace
-
Machine management
- Overview of machine management
-
Creating compute machine sets
- Creating a compute machine set on Alibaba Cloud
- Creating a compute machine set on AWS
- Creating a compute machine set on Azure
- Creating a compute machine set on Azure Stack Hub
- Creating a compute machine set on GCP
- Creating a compute machine set on IBM Cloud
- Creating a compute machine set on Nutanix
- Creating a compute machine set on OpenStack
- Creating a compute machine set on oVirt
- Creating a compute machine set on vSphere
- Manually scaling a compute machine set
- Modifying a compute machine set
- Deleting a machine
- Applying autoscaling to a cluster
- Creating infrastructure machine sets
- User-provisioned infrastructure
- Managing machines with the Cluster API
- Managing control plane machines
- Deploying machine health checks
-
Nodes
- Overview of nodes
-
Working with pods
- About pods
- Viewing pods
- Configuring a cluster for pods
- Automatically scaling pods with the horizontal pod autoscaler
- Automatically scaling pods with the custom metrics autoscaler
- Automatically adjust pod resource levels with the vertical pod autoscaler
- Providing sensitive data to pods
- Creating and using config maps
- Using Device Manager to make devices available to nodes
- Including pod priority in pod scheduling decisions
- Placing pods on specific nodes using node selectors
-
Controlling pod placement onto nodes (scheduling)
- About pod placement using the scheduler
- Scheduling pods using a scheduler profile
- Placing pods relative to other pods using pod affinity and anti-affinity rules
- Controlling pod placement on nodes using node affinity rules
- Placing pods onto overcommited nodes
- Controlling pod placement using node taints
- Placing pods on specific nodes using node selectors
- Controlling pod placement using pod topology spread constraints
- Evicting pods using the descheduler
- Secondary scheduler
- Using Jobs and DaemonSets
-
Working with nodes
- Viewing and listing the nodes in your cluster
- Working with nodes
- Managing nodes
- Managing the maximum number of pods per node
- Using the Node Tuning Operator
- Remediation, fencing, and maintenance
- Understanding node rebooting
- Freeing node resources using garbage collection
- Allocating resources for nodes
- Allocating specific CPUs for nodes in a cluster
- Configuring the TLS security profile for the kubelet
- Machine Config Daemon metrics
- Creating infrastructure nodes
-
Working with containers
- Understanding containers
- Using Init Containers to perform tasks before a pod is deployed
- Using volumes to persist container data
- Mapping volumes using projected volumes
- Allowing containers to consume API objects
- Copying files to or from a container
- Executing remote commands in a container
- Using port forwarding to access applications in a container
- Using sysctls in containers
-
Working with clusters
- Viewing system event information in a cluster
- Analyzing cluster resource levels
- Setting limit ranges
- Configuring cluster memory to meet container memory and risk requirements
- Configuring your cluster to place pods on overcommited nodes
- Configuring the Linux cgroup on your nodes
- Enabling features using FeatureGates
- Improving cluster stability in high latency environments using worker latency profiles
-
Windows Container Support for OpenShift
- Red Hat OpenShift support for Windows Containers overview
- Red Hat OpenShift support for Windows Containers release notes
- Understanding Windows container workloads
- Enabling Windows container workloads
- Creating Windows MachineSet objects
- Scheduling Windows container workloads
- Windows node upgrades
- Using Bring-Your-Own-Host Windows instances as nodes
- Removing Windows nodes
- Disabling Windows container workloads
-
Logging
- Release notes
- About Logging
- Installing Logging
-
Configuring your Logging deployment
- About the Cluster Logging custom resource
- Configuring the logging collector
- Configuring the log store
- Configuring the log visualizer
- Configuring Logging storage
- Configuring CPU and memory limits for Logging components
- Using tolerations to control Logging pod placement
- Moving the Logging resources with node selectors
- Configuring systemd-journald for Logging
- Maintenance and support
- Logging with the LokiStack
- Viewing logs for a specific resource
- Viewing cluster logs in Kibana
- Forwarding logs to third party systems
- Enabling JSON logging
- Collecting and storing Kubernetes events
- Updating Logging
- Viewing cluster dashboards
- Troubleshooting Logging
- Uninstalling Logging
- Exported fields
-
Monitoring
- Monitoring overview
- Configuring the monitoring stack
- Enabling monitoring for user-defined projects
- Enabling alert routing for user-defined projects
- Managing metrics
- Querying metrics
- Managing metrics targets
- Managing alerts
- Reviewing monitoring dashboards
- The NVIDIA GPU administration dashboard
- Monitoring bare-metal events
- Accessing third-party monitoring APIs
- Troubleshooting monitoring issues
- Config map reference for the Cluster Monitoring Operator
-
Scalability and performance
- Recommended performance and scalability practices
- Using the Node Tuning Operator
- Using CPU Manager
- Using Topology Manager
- Scheduling NUMA-aware workloads
- Scaling the Cluster Monitoring Operator
- Planning your environment according to object maximums
- Optimizing storage
- Optimizing routing
- Optimizing networking
- Optimizing CPU usage
- Managing bare metal hosts
- What huge pages do and how they are consumed by apps
- Low latency tuning
- Performing latency tests for platform verification
- Improving cluster stability in high latency environments using worker latency profiles
- Topology Aware Lifecycle Manager for cluster updates
- Creating a performance profile
- Workload partitioning in single-node OpenShift
- Requesting CRI-O and Kubelet profiling data by using the Node Observability Operator
-
Clusters at the network far edge
- Challenges of the network far edge
- Preparing the hub cluster for ZTP
- Installing managed clusters with RHACM and SiteConfig resources
- Configuring managed clusters with policies and PolicyGenTemplate resources
- Manually installing a single-node OpenShift cluster with ZTP
- Recommended single-node OpenShift cluster configuration for vDU application workloads
- Validating cluster tuning for vDU application workloads
- Advanced managed cluster configuration with SiteConfig resources
- Advanced managed cluster configuration with PolicyGenTemplate resources
- Updating managed clusters with the Topology Aware Lifecycle Manager
- Updating GitOps ZTP
- Expanding single-node OpenShift clusters with GitOps ZTP
- Pre-caching images for single-node OpenShift deployments
- Specialized hardware and driver enablement
-
Backup and restore
- Overview of backup and restore operations
- Shutting down a cluster gracefully
- Restarting a cluster gracefully
- Application backup and restore
- Control plane backup and restore
-
Migrating from version 3 to 4
- Migrating from version 3 to 4 overview
- About migrating from OKD 3 to 4
- Differences between OKD 3 and 4
- Network considerations
- About MTC
- Installing MTC
- Installing MTC in a restricted network environment
- Upgrading MTC
- Premigration checklists
- Migrating your applications
- Advanced migration options
- Troubleshooting
- Migration Toolkit for Containers
-
API reference
- Understanding API tiers
- API compatibility guidelines
- Editing kubelet log level verbosity and gathering logs
- API list
- Common object reference
-
Authorization APIs
- About Authorization APIs
- LocalResourceAccessReview [authorization.openshift.io/v1]
- LocalSubjectAccessReview [authorization.openshift.io/v1]
- ResourceAccessReview [authorization.openshift.io/v1]
- SelfSubjectRulesReview [authorization.openshift.io/v1]
- SubjectAccessReview [authorization.openshift.io/v1]
- SubjectRulesReview [authorization.openshift.io/v1]
- TokenRequest [authentication.k8s.io/v1]
- TokenReview [authentication.k8s.io/v1]
- LocalSubjectAccessReview [authorization.k8s.io/v1]
- SelfSubjectAccessReview [authorization.k8s.io/v1]
- SelfSubjectRulesReview [authorization.k8s.io/v1]
- SubjectAccessReview [authorization.k8s.io/v1]
- Autoscale APIs
-
Config APIs
- About Config APIs
- APIServer [config.openshift.io/v1]
- Authentication [config.openshift.io/v1]
- Build [config.openshift.io/v1]
- ClusterOperator [config.openshift.io/v1]
- ClusterVersion [config.openshift.io/v1]
- Console [config.openshift.io/v1]
- DNS [config.openshift.io/v1]
- FeatureGate [config.openshift.io/v1]
- HelmChartRepository [helm.openshift.io/v1beta1]
- Image [config.openshift.io/v1]
- ImageContentPolicy [config.openshift.io/v1]
- Infrastructure [config.openshift.io/v1]
- Ingress [config.openshift.io/v1]
- Network [config.openshift.io/v1]
- Node [config.openshift.io/v1]
- OAuth [config.openshift.io/v1]
- OperatorHub [config.openshift.io/v1]
- Project [config.openshift.io/v1]
- ProjectHelmChartRepository [helm.openshift.io/v1beta1]
- Proxy [config.openshift.io/v1]
- Scheduler [config.openshift.io/v1]
-
Console APIs
- About Console APIs
- ConsoleCLIDownload [console.openshift.io/v1]
- ConsoleExternalLogLink [console.openshift.io/v1]
- ConsoleLink [console.openshift.io/v1]
- ConsoleNotification [console.openshift.io/v1]
- ConsolePlugin [console.openshift.io/v1]
- ConsoleQuickStart [console.openshift.io/v1]
- ConsoleYAMLSample [console.openshift.io/v1]
- Extension APIs
-
Image APIs
- About Image APIs
- Image [image.openshift.io/v1]
- ImageSignature [image.openshift.io/v1]
- ImageStreamImage [image.openshift.io/v1]
- ImageStreamImport [image.openshift.io/v1]
- ImageStreamLayers [image.openshift.io/v1]
- ImageStreamMapping [image.openshift.io/v1]
- ImageStream [image.openshift.io/v1]
- ImageStreamTag [image.openshift.io/v1]
- ImageTag [image.openshift.io/v1]
- SecretList [image.openshift.io/v1]
-
Machine APIs
- About Machine APIs
- ContainerRuntimeConfig [machineconfiguration.openshift.io/v1]
- ControllerConfig [machineconfiguration.openshift.io/v1]
- ControlPlaneMachineSet [machine.openshift.io/v1]
- KubeletConfig [machineconfiguration.openshift.io/v1]
- MachineConfigPool [machineconfiguration.openshift.io/v1]
- MachineConfig [machineconfiguration.openshift.io/v1]
- MachineHealthCheck [machine.openshift.io/v1beta1]
- Machine [machine.openshift.io/v1beta1]
- MachineSet [machine.openshift.io/v1beta1]
- Metadata APIs
-
Monitoring APIs
- About Monitoring APIs
- Alertmanager [monitoring.coreos.com/v1]
- AlertmanagerConfig [monitoring.coreos.com/v1beta1]
- PodMonitor [monitoring.coreos.com/v1]
- Probe [monitoring.coreos.com/v1]
- Prometheus [monitoring.coreos.com/v1]
- PrometheusRule [monitoring.coreos.com/v1]
- ServiceMonitor [monitoring.coreos.com/v1]
- ThanosRuler [monitoring.coreos.com/v1]
-
Network APIs
- About Network APIs
- CloudPrivateIPConfig [cloud.network.openshift.io/v1]
- EgressFirewall [k8s.ovn.org/v1]
- EgressIP [k8s.ovn.org/v1]
- EgressQoS [k8s.ovn.org/v1]
- Endpoints [undefined/v1]
- EndpointSlice [discovery.k8s.io/v1]
- EgressRouter [network.operator.openshift.io/v1]
- Ingress [networking.k8s.io/v1]
- IngressClass [networking.k8s.io/v1]
- IPPool [whereabouts.cni.cncf.io/v1alpha1]
- NetworkAttachmentDefinition [k8s.cni.cncf.io/v1]
- NetworkPolicy [networking.k8s.io/v1]
- OverlappingRangeIPReservation [whereabouts.cni.cncf.io/v1alpha1]
- PodNetworkConnectivityCheck [controlplane.operator.openshift.io/v1alpha1]
- Route [route.openshift.io/v1]
- Service [undefined/v1]
- Node APIs
- OAuth APIs
-
Operator APIs
- About Operator APIs
- Authentication [operator.openshift.io/v1]
- CloudCredential [operator.openshift.io/v1]
- ClusterCSIDriver [operator.openshift.io/v1]
- Console [operator.openshift.io/v1]
- Config [operator.openshift.io/v1]
- Config [imageregistry.operator.openshift.io/v1]
- Config [samples.operator.openshift.io/v1]
- CSISnapshotController [operator.openshift.io/v1]
- DNS [operator.openshift.io/v1]
- DNSRecord [ingress.operator.openshift.io/v1]
- Etcd [operator.openshift.io/v1]
- ImageContentSourcePolicy [operator.openshift.io/v1alpha1]
- ImagePruner [imageregistry.operator.openshift.io/v1]
- IngressController [operator.openshift.io/v1]
- InsightsOperator [operator.openshift.io/v1]
- KubeAPIServer [operator.openshift.io/v1]
- KubeControllerManager [operator.openshift.io/v1]
- KubeScheduler [operator.openshift.io/v1]
- KubeStorageVersionMigrator [operator.openshift.io/v1]
- Network [operator.openshift.io/v1]
- OpenShiftAPIServer [operator.openshift.io/v1]
- OpenShiftControllerManager [operator.openshift.io/v1]
- OperatorPKI [network.operator.openshift.io/v1]
- ServiceCA [operator.openshift.io/v1]
- Storage [operator.openshift.io/v1]
-
OperatorHub APIs
- About OperatorHub APIs
- CatalogSource [operators.coreos.com/v1alpha1]
- ClusterServiceVersion [operators.coreos.com/v1alpha1]
- InstallPlan [operators.coreos.com/v1alpha1]
- OLMConfig [operators.coreos.com/v1]
- Operator [operators.coreos.com/v1]
- OperatorCondition [operators.coreos.com/v2]
- OperatorGroup [operators.coreos.com/v1]
- PackageManifest [packages.operators.coreos.com/v1]
- Subscription [operators.coreos.com/v1alpha1]
- Policy APIs
- Project APIs
- Provisioning APIs
- RBAC APIs
- Role APIs
-
Schedule and quota APIs
- About Schedule and quota APIs
- AppliedClusterResourceQuota [quota.openshift.io/v1]
- ClusterResourceQuota [quota.openshift.io/v1]
- FlowSchema [flowcontrol.apiserver.k8s.io/v1beta1]
- LimitRange [undefined/v1]
- PriorityClass [scheduling.k8s.io/v1]
- PriorityLevelConfiguration [flowcontrol.apiserver.k8s.io/v1beta1]
- ResourceQuota [undefined/v1]
-
Security APIs
- About Security APIs
- CertificateSigningRequest [certificates.k8s.io/v1]
- CredentialsRequest [cloudcredential.openshift.io/v1]
- PodSecurityPolicyReview [security.openshift.io/v1]
- PodSecurityPolicySelfSubjectReview [security.openshift.io/v1]
- PodSecurityPolicySubjectReview [security.openshift.io/v1]
- RangeAllocation [security.openshift.io/v1]
- Secret [undefined/v1]
- SecurityContextConstraints [security.openshift.io/v1]
- ServiceAccount [undefined/v1]
-
Storage APIs
- About Storage APIs
- CSIDriver [storage.k8s.io/v1]
- CSINode [storage.k8s.io/v1]
- CSIStorageCapacity [storage.k8s.io/v1]
- PersistentVolumeClaim [undefined/v1]
- StorageClass [storage.k8s.io/v1]
- StorageState [migration.k8s.io/v1alpha1]
- StorageVersionMigration [migration.k8s.io/v1alpha1]
- VolumeAttachment [storage.k8s.io/v1]
- VolumeSnapshot [snapshot.storage.k8s.io/v1]
- VolumeSnapshotClass [snapshot.storage.k8s.io/v1]
- VolumeSnapshotContent [snapshot.storage.k8s.io/v1]
- Template APIs
- User and group APIs
-
Workloads APIs
- About Workloads APIs
- BuildConfig [build.openshift.io/v1]
- Build [build.openshift.io/v1]
- BuildLog [build.openshift.io/v1]
- BuildRequest [build.openshift.io/v1]
- CronJob [batch/v1]
- DaemonSet [apps/v1]
- Deployment [apps/v1]
- DeploymentConfig [apps.openshift.io/v1]
- DeploymentConfigRollback [apps.openshift.io/v1]
- DeploymentLog [apps.openshift.io/v1]
- DeploymentRequest [apps.openshift.io/v1]
- Job [batch/v1]
- Pod [undefined/v1]
- ReplicationController [undefined/v1]
- PersistentVolume [undefined/v1]
- ReplicaSet [apps/v1]
- StatefulSet [apps/v1]
-
Virtualization
- About OpenShift Virtualization
- About OKD Virtualization
- Getting started with OKD Virtualization
- Installing
- Updating OKD Virtualization
- Security policies
- Using the CLI tools
-
Virtual machines
- Creating virtual machines
- Editing virtual machines
- Editing boot order
- Deleting virtual machines
- Exporting virtual machines
- Managing virtual machine instances
- Controlling virtual machine states
- Accessing virtual machine consoles
- Automating Windows installation with sysprep
- Triggering virtual machine failover by resolving a failed node
- Installing the QEMU guest agent on virtual machines
- Viewing the QEMU guest agent information for virtual machines
- Managing config maps, secrets, and service accounts in virtual machines
- Installing VirtIO driver on an existing Windows virtual machine
- Installing VirtIO driver on a new Windows virtual machine
- Using virtual Trusted Platform Module devices
- Managing virtual machines with OpenShift Pipelines
-
Advanced virtual machine management
- Working with resource quotas for virtual machines
- Specifying nodes for virtual machines
- Configuring certificate rotation
- UEFI mode for virtual machines
- Configuring PXE booting for virtual machines
- Using huge pages with virtual machines
- Enabling dedicated resources for a virtual machine
- Scheduling virtual machines
- Configuring PCI passthrough
- Configuring vGPU passthrough
- Configuring mediated devices
- Configuring a watchdog device
- Automatic importing and updating of pre-defined boot sources
- Enabling descheduler evictions on virtual machines
- Importing virtual machines
- Cloning virtual machines
-
Virtual machine networking
- Configuring a virtual machine for the default pod network with OKD Virtualization
- Creating a service to expose a virtual machine
- Connecting a virtual machine to a Linux bridge network
- Connecting a virtual machine to an SR-IOV network
- Connecting a virtual machine to a service mesh
- Configuring IP addresses for virtual machines
- Viewing the IP address of NICs on a virtual machine
- Using a MAC address pool for virtual machines
-
Virtual machine disks
- Features for storage
- Configuring local storage for virtual machines
- Creating data volumes
- Reserving PVC space for file system overhead
- Configuring CDI to work with namespaces that have a compute resource quota
- Managing data volume annotations
- Using preallocation for data volumes
- Uploading local disk images by using the web console
- Uploading local disk images by using the virtctl tool
- Uploading a local disk image to a block storage data volume
- Managing virtual machine snapshots
- Moving a local virtual machine disk to a different node
- Expanding virtual storage by adding blank disk images
- Cloning a data volume using smart-cloning
- Creating and using boot sources
- Hot plugging virtual disks
- Using container disks with virtual machines
- Preparing CDI scratch space
- Re-using statically provisioned persistent volumes
- Expanding a virtual machine disk
- Deleting data volumes
- Virtual machine templates
-
Live migration
- Virtual machine live migration
- Live migration limits and timeouts
- Migrating a virtual machine instance to another node
- Migrating a virtual machine over a dedicated additional network
- Cancelling the live migration of a virtual machine instance
- Configuring virtual machine eviction strategy
- Configuring live migration policies
- Node maintenance
-
Logging, events, and monitoring
- Virtualization Overview page
- Viewing OpenShift Virtualization logs
- Viewing events
- Monitoring live migration
- Diagnosing data volumes using events and conditions
- Viewing information about virtual machine workloads
- Monitoring virtual machine health
- Viewing cluster information
- Reviewing resource usage by virtual machines
- OpenShift cluster monitoring, logging, and Telemetry
- Running OpenShift cluster checkups
- Prometheus queries for virtual resources
- Exposing custom metrics for virtual machines
- OpenShift Virtualization runbooks
- Backup and restore
×
Route configuration
- Creating an HTTP-based route
- Creating a route for Ingress Controller sharding
- Configuring route timeouts
- HTTP Strict Transport Security
- Throughput issue troubleshooting methods
- Using cookies to keep route statefulness
- Path-based routes
- Route-specific annotations
- Configuring the route admission policy
- Creating a route through an Ingress object
- Creating a route using the default certificate through an Ingress object
- Creating a route using the destination CA certificate in the Ingress annotation
- Configuring the OKD Ingress Controller for dual-stack networking
Creating an HTTP-based route
A route allows you to host your application at a public URL. It can either be secure or unsecured, depending on the network security configuration of your application. An HTTP-based route is an unsecured route that uses the basic HTTP routing protocol and exposes a service on an unsecured application port.
The following procedure describes how to create a simple HTTP-based route to a web application, using the hello-openshift application as an example.
Prerequisites
-
You installed the OpenShift CLI (
oc). -
You are logged in as an administrator.
-
You have a web application that exposes a port and a TCP endpoint listening for traffic on the port.
Procedure
-
Create a project called
hello-openshiftby running the following command: -
Create a pod in the project by running the following command:
$ oc create -f https://raw.githubusercontent.com/openshift/origin/master/examples/hello-openshift/hello-pod.json -
Create a service called
hello-openshiftby running the following command:$ oc expose pod/hello-openshift -
Create an unsecured route to the
hello-openshiftapplication by running the following command:$ oc expose svc hello-openshift
Verification
-
To verify that the
routeresource that you created, run the following command:$ oc get routes -o yaml <name of resource> (1)1 In this example, the route is named hello-openshift.
Sample YAML definition of the created unsecured route:
apiVersion: route.openshift.io/v1
kind: Route
metadata:
name: hello-openshift
spec:
host: hello-openshift-hello-openshift.<Ingress_Domain> (1)
port:
targetPort: 8080 (2)
to:
kind: Service
name: hello-openshift| 1 | <Ingress_Domain> is the default ingress domain name. The ingresses.config/cluster object is created during the installation and cannot be changed. If you want to specify a different domain, you can specify an alternative cluster domain using the appsDomain option. |
||
| 2 | targetPort is the target port on pods that is selected by the service that this route points to.
|
Creating a route for Ingress Controller sharding
A route allows you to host your application at a URL. In this case, the hostname is not set and the route uses a subdomain instead. When you specify a subdomain, you automatically use the domain of the Ingress Controller that exposes the route. For situations where a route is exposed by multiple Ingress Controllers, the route is hosted at multiple URLs.
The following procedure describes how to create a route for Ingress Controller sharding, using the hello-openshift application as an example.
Ingress Controller sharding is useful when balancing incoming traffic load among a set of Ingress Controllers and when isolating traffic to a specific Ingress Controller. For example, company A goes to one Ingress Controller and company B to another.
Prerequisites
-
You installed the OpenShift CLI (
oc). -
You are logged in as a project administrator.
-
You have a web application that exposes a port and an HTTP or TLS endpoint listening for traffic on the port.
-
You have configured the Ingress Controller for sharding.
Procedure
-
Create a project called
hello-openshiftby running the following command:$ oc new-project hello-openshift -
Create a pod in the project by running the following command:
$ oc create -f https://raw.githubusercontent.com/openshift/origin/master/examples/hello-openshift/hello-pod.json -
Create a service called
hello-openshiftby running the following command:$ oc expose pod/hello-openshift -
Create a route definition called
hello-openshift-route.yaml:YAML definition of the created route for sharding:apiVersion: route.openshift.io/v1 kind: Route metadata: labels: type: sharded (1) name: hello-openshift-edge namespace: hello-openshift spec: subdomain: hello-openshift (2) tls: termination: edge to: kind: Service name: hello-openshift1 Both the label key and its corresponding label value must match the ones specified in the Ingress Controller. In this example, the Ingress Controller has the label key and value type: sharded.2 The route will be exposed using the value of the subdomainfield. When you specify thesubdomainfield, you must leave the hostname unset. If you specify both thehostandsubdomainfields, then the route will use the value of thehostfield, and ignore thesubdomainfield. -
Use
hello-openshift-route.yamlto create a route to thehello-openshiftapplication by running the following command:$ oc -n hello-openshift create -f hello-openshift-route.yaml
Verification
-
Get the status of the route with the following command:
$ oc -n hello-openshift get routes/hello-openshift-edge -o yamlThe resulting
Routeresource should look similar to the following:Example outputapiVersion: route.openshift.io/v1 kind: Route metadata: labels: type: sharded name: hello-openshift-edge namespace: hello-openshift spec: subdomain: hello-openshift tls: termination: edge to: kind: Service name: hello-openshift status: ingress: - host: hello-openshift.<apps-sharded.basedomain.example.net> (1) routerCanonicalHostname: router-sharded.<apps-sharded.basedomain.example.net> (2) routerName: sharded (3)1 The hostname the Ingress Controller, or router, uses to expose the route. The value of the hostfield is automatically determined by the Ingress Controller, and uses its domain. In this example, the domain of the Ingress Controller is<apps-sharded.basedomain.example.net>.2 The hostname of the Ingress Controller. 3 The name of the Ingress Controller. In this example, the Ingress Controller has the name sharded.
Configuring route timeouts
You can configure the default timeouts for an existing route when you have services in need of a low timeout, which is required for Service Level Availability (SLA) purposes, or a high timeout, for cases with a slow back end.
Prerequisites
-
You need a deployed Ingress Controller on a running cluster.
Procedure
-
Using the
oc annotatecommand, add the timeout to the route:$ oc annotate route <route_name> \ --overwrite haproxy.router.openshift.io/timeout=<timeout><time_unit> (1)1 Supported time units are microseconds (us), milliseconds (ms), seconds (s), minutes (m), hours (h), or days (d). The following example sets a timeout of two seconds on a route named
myroute:$ oc annotate route myroute --overwrite haproxy.router.openshift.io/timeout=2s
HTTP Strict Transport Security
HTTP Strict Transport Security (HSTS) policy is a security enhancement, which signals to the browser client that only HTTPS traffic is allowed on the route host. HSTS also optimizes web traffic by signaling HTTPS transport is required, without using HTTP redirects. HSTS is useful for speeding up interactions with websites.
When HSTS policy is enforced, HSTS adds a Strict Transport Security header to HTTP and HTTPS responses from the site. You can use the insecureEdgeTerminationPolicy value in a route to redirect HTTP to HTTPS. When HSTS is enforced, the client changes all requests from the HTTP URL to HTTPS before the request is sent, eliminating the need for a redirect.
Cluster administrators can configure HSTS to do the following:
-
Enable HSTS per-route
-
Disable HSTS per-route
-
Enforce HSTS per-domain, for a set of domains, or use namespace labels in combination with domains
|
HSTS works only with secure routes, either edge-terminated or re-encrypt. The configuration is ineffective on HTTP or passthrough routes. |
Enabling HTTP Strict Transport Security per-route
HTTP strict transport security (HSTS) is implemented in the HAProxy template and applied to edge and re-encrypt routes that have the haproxy.router.openshift.io/hsts_header annotation.
Prerequisites
-
You are logged in to the cluster with a user with administrator privileges for the project.
-
You installed the
ocCLI.
Procedure
-
To enable HSTS on a route, add the
haproxy.router.openshift.io/hsts_headervalue to the edge-terminated or re-encrypt route. You can use theoc annotatetool to do this by running the following command:$ oc annotate route <route_name> -n <namespace> --overwrite=true "haproxy.router.openshift.io/hsts_header"="max-age=31536000;\ (1) includeSubDomains;preload"1 In this example, the maximum age is set to 31536000ms, which is approximately eight and a half hours.In this example, the equal sign (
=) is in quotes. This is required to properly execute the annotate command.Example route configured with an annotationapiVersion: route.openshift.io/v1 kind: Route metadata: annotations: haproxy.router.openshift.io/hsts_header: max-age=31536000;includeSubDomains;preload (1) (2) (3) ... spec: host: def.abc.com tls: termination: "reencrypt" ... wildcardPolicy: "Subdomain"1 Required. max-agemeasures the length of time, in seconds, that the HSTS policy is in effect. If set to0, it negates the policy.2 Optional. When included, includeSubDomainstells the client that all subdomains of the host must have the same HSTS policy as the host.3 Optional. When max-ageis greater than 0, you can addpreloadinhaproxy.router.openshift.io/hsts_headerto allow external services to include this site in their HSTS preload lists. For example, sites such as Google can construct a list of sites that havepreloadset. Browsers can then use these lists to determine which sites they can communicate with over HTTPS, even before they have interacted with the site. Withoutpreloadset, browsers must have interacted with the site over HTTPS, at least once, to get the header.
Disabling HTTP Strict Transport Security per-route
To disable HTTP strict transport security (HSTS) per-route, you can set the max-age value in the route annotation to 0.
Prerequisites
-
You are logged in to the cluster with a user with administrator privileges for the project.
-
You installed the
ocCLI.
Procedure
-
To disable HSTS, set the
max-agevalue in the route annotation to0, by entering the following command:$ oc annotate route <route_name> -n <namespace> --overwrite=true "haproxy.router.openshift.io/hsts_header"="max-age=0"You can alternatively apply the following YAML to create the config map:
Example of disabling HSTS per-routemetadata: annotations: haproxy.router.openshift.io/hsts_header: max-age=0 -
To disable HSTS for every route in a namespace, enter the following command:
$ oc annotate route --all -n <namespace> --overwrite=true "haproxy.router.openshift.io/hsts_header"="max-age=0"
Verification
-
To query the annotation for all routes, enter the following command:
$ oc get route --all-namespaces -o go-template='{{range .items}}{{if .metadata.annotations}}{{$a := index .metadata.annotations "haproxy.router.openshift.io/hsts_header"}}{{$n := .metadata.name}}{{with $a}}Name: {{$n}} HSTS: {{$a}}{{"\n"}}{{else}}{{""}}{{end}}{{end}}{{end}}'Example outputName: routename HSTS: max-age=0
Enforcing HTTP Strict Transport Security per-domain
To enforce HTTP Strict Transport Security (HSTS) per-domain for secure routes, add a requiredHSTSPolicies record to the Ingress spec to capture the configuration of the HSTS policy.
If you configure a requiredHSTSPolicy to enforce HSTS, then any newly created route must be configured with a compliant HSTS policy annotation.
|
To handle upgraded clusters with non-compliant HSTS routes, you can update the manifests at the source and apply the updates. |
|
You cannot use |
|
HSTS cannot be applied to insecure, or non-TLS routes, even if HSTS is requested for all routes globally. |
Prerequisites
-
You are logged in to the cluster with a user with administrator privileges for the project.
-
You installed the
ocCLI.
Procedure
-
Edit the Ingress config file:
$ oc edit ingresses.config.openshift.io/clusterExample HSTS policyapiVersion: config.openshift.io/v1 kind: Ingress metadata: name: cluster spec: domain: 'hello-openshift-default.apps.username.devcluster.openshift.com' requiredHSTSPolicies: (1) - domainPatterns: (2) - '*hello-openshift-default.apps.username.devcluster.openshift.com' - '*hello-openshift-default2.apps.username.devcluster.openshift.com' namespaceSelector: (3) matchLabels: myPolicy: strict maxAge: (4) smallestMaxAge: 1 largestMaxAge: 31536000 preloadPolicy: RequirePreload (5) includeSubDomainsPolicy: RequireIncludeSubDomains (6) - domainPatterns: (2) - 'abc.example.com' - '*xyz.example.com' namespaceSelector: matchLabels: {} maxAge: {} preloadPolicy: NoOpinion includeSubDomainsPolicy: RequireNoIncludeSubDomains1 Required. requiredHSTSPoliciesare validated in order, and the first matchingdomainPatternsapplies.2 Required. You must specify at least one domainPatternshostname. Any number of domains can be listed. You can include multiple sections of enforcing options for differentdomainPatterns.3 Optional. If you include namespaceSelector, it must match the labels of the project where the routes reside, to enforce the set HSTS policy on the routes. Routes that only match thenamespaceSelectorand not thedomainPatternsare not validated.4 Required. max-agemeasures the length of time, in seconds, that the HSTS policy is in effect. This policy setting allows for a smallest and largestmax-ageto be enforced.-
The
largestMaxAgevalue must be between0and2147483647. It can be left unspecified, which means no upper limit is enforced. -
The
smallestMaxAgevalue must be between0and2147483647. Enter0to disable HSTS for troubleshooting, otherwise enter1if you never want HSTS to be disabled. It can be left unspecified, which means no lower limit is enforced.
5 Optional. Including preloadinhaproxy.router.openshift.io/hsts_headerallows external services to include this site in their HSTS preload lists. Browsers can then use these lists to determine which sites they can communicate with over HTTPS, before they have interacted with the site. Withoutpreloadset, browsers need to interact at least once with the site to get the header.preloadcan be set with one of the following:-
RequirePreload:preloadis required by theRequiredHSTSPolicy. -
RequireNoPreload:preloadis forbidden by theRequiredHSTSPolicy. -
NoOpinion:preloaddoes not matter to theRequiredHSTSPolicy.
6 Optional. includeSubDomainsPolicycan be set with one of the following:-
RequireIncludeSubDomains:includeSubDomainsis required by theRequiredHSTSPolicy. -
RequireNoIncludeSubDomains:includeSubDomainsis forbidden by theRequiredHSTSPolicy. -
NoOpinion:includeSubDomainsdoes not matter to theRequiredHSTSPolicy.
-
-
You can apply HSTS to all routes in the cluster or in a particular namespace by entering the
oc annotate command.-
To apply HSTS to all routes in the cluster, enter the
oc annotate command. For example:$ oc annotate route --all --all-namespaces --overwrite=true "haproxy.router.openshift.io/hsts_header"="max-age=31536000" -
To apply HSTS to all routes in a particular namespace, enter the
oc annotate command. For example:$ oc annotate route --all -n my-namespace --overwrite=true "haproxy.router.openshift.io/hsts_header"="max-age=31536000"
-
Verification
You can review the HSTS policy you configured. For example:
-
To review the
maxAgeset for required HSTS policies, enter the following command:$ oc get clusteroperator/ingress -n openshift-ingress-operator -o jsonpath='{range .spec.requiredHSTSPolicies[*]}{.spec.requiredHSTSPolicies.maxAgePolicy.largestMaxAge}{"\n"}{end}' -
To review the HSTS annotations on all routes, enter the following command:
$ oc get route --all-namespaces -o go-template='{{range .items}}{{if .metadata.annotations}}{{$a := index .metadata.annotations "haproxy.router.openshift.io/hsts_header"}}{{$n := .metadata.name}}{{with $a}}Name: {{$n}} HSTS: {{$a}}{{"\n"}}{{else}}{{""}}{{end}}{{end}}{{end}}'Example outputName: <_routename_> HSTS: max-age=31536000;preload;includeSubDomains
Throughput issue troubleshooting methods
Sometimes applications deployed by using OKD can cause network throughput issues, such as unusually high latency between specific services.
If pod logs do not reveal any cause of the problem, use the following methods to analyze performance issues:
-
Use a packet analyzer, such as
pingortcpdumpto analyze traffic between a pod and its node.For example, run the
tcpdumptool on each pod while reproducing the behavior that led to the issue. Review the captures on both sides to compare send and receive timestamps to analyze the latency of traffic to and from a pod. Latency can occur in OKD if a node interface is overloaded with traffic from other pods, storage devices, or the data plane.$ tcpdump -s 0 -i any -w /tmp/dump.pcap host <podip 1> && host <podip 2> (1)1 podipis the IP address for the pod. Run theoc get pod <pod_name> -o widecommand to get the IP address of a pod.The
tcpdumpcommand generates a file at/tmp/dump.pcapcontaining all traffic between these two pods. You can run the analyzer shortly before the issue is reproduced and stop the analyzer shortly after the issue is finished reproducing to minimize the size of the file. You can also run a packet analyzer between the nodes (eliminating the SDN from the equation) with:$ tcpdump -s 0 -i any -w /tmp/dump.pcap port 4789 -
Use a bandwidth measuring tool, such as
iperf, to measure streaming throughput and UDP throughput. Locate any bottlenecks by running the tool from the pods first, and then running it from the nodes. -
In some cases, the cluster may mark the node with the router pod as unhealthy due to latency issues. Use worker latency profiles to adjust the frequency that the cluster waits for a status update from the node before taking action.
-
If your cluster has designated lower-latency and higher-latency nodes, configure the
spec.nodePlacementfield in the Ingress Controller to control the placement of the router pod.
Using cookies to keep route statefulness
OKD provides sticky sessions, which enables stateful application traffic by ensuring all traffic hits the same endpoint. However, if the endpoint pod terminates, whether through restart, scaling, or a change in configuration, this statefulness can disappear.
OKD can use cookies to configure session persistence. The Ingress controller selects an endpoint to handle any user requests, and creates a cookie for the session. The cookie is passed back in the response to the request and the user sends the cookie back with the next request in the session. The cookie tells the Ingress Controller which endpoint is handling the session, ensuring that client requests use the cookie so that they are routed to the same pod.
|
Cookies cannot be set on passthrough routes, because the HTTP traffic cannot be seen. Instead, a number is calculated based on the source IP address, which determines the backend. If backends change, the traffic can be directed to the wrong server, making it less sticky. If you are using a load balancer, which hides source IP, the same number is set for all connections and traffic is sent to the same pod. |
Annotating a route with a cookie
You can set a cookie name to overwrite the default, auto-generated one for the route. This allows the application receiving route traffic to know the cookie name. By deleting the cookie it can force the next request to re-choose an endpoint. So, if a server was overloaded it tries to remove the requests from the client and redistribute them.
Procedure
-
Annotate the route with the specified cookie name:
$ oc annotate route <route_name> router.openshift.io/cookie_name="<cookie_name>"where:
<route_name>-
Specifies the name of the route.
<cookie_name>-
Specifies the name for the cookie.
For example, to annotate the route
my_routewith the cookie namemy_cookie:$ oc annotate route my_route router.openshift.io/cookie_name="my_cookie" -
Capture the route hostname in a variable:
$ ROUTE_NAME=$(oc get route <route_name> -o jsonpath='{.spec.host}')where:
<route_name>-
Specifies the name of the route.
-
Save the cookie, and then access the route:
$ curl $ROUTE_NAME -k -c /tmp/cookie_jarUse the cookie saved by the previous command when connecting to the route:
$ curl $ROUTE_NAME -k -b /tmp/cookie_jar
Path-based routes
Path-based routes specify a path component that can be compared against a URL, which requires that the traffic for the route be HTTP based. Thus, multiple routes can be served using the same hostname, each with a different path. Routers should match routes based on the most specific path to the least. However, this depends on the router implementation.
The following table shows example routes and their accessibility:
| Route | When Compared to | Accessible |
|---|---|---|
www.example.com/test |
www.example.com/test |
Yes |
www.example.com |
No |
|
www.example.com/test and www.example.com |
www.example.com/test |
Yes |
www.example.com |
Yes |
|
www.example.com |
www.example.com/text |
Yes (Matched by the host, not the route) |
www.example.com |
Yes |
An unsecured route with a path
apiVersion: route.openshift.io/v1
kind: Route
metadata:
name: route-unsecured
spec:
host: www.example.com
path: "/test" (1)
to:
kind: Service
name: service-name| 1 | The path is the only added attribute for a path-based route. |
|
Path-based routing is not available when using passthrough TLS, as the router does not terminate TLS in that case and cannot read the contents of the request. |
Route-specific annotations
The Ingress Controller can set the default options for all the routes it exposes. An individual route can override some of these defaults by providing specific configurations in its annotations. Red Hat does not support adding a route annotation to an operator-managed route.
|
To create a whitelist with multiple source IPs or subnets, use a space-delimited list. Any other delimiter type causes the list to be ignored without a warning or error message. |
| Variable | Description | Environment variable used as default |
|---|---|---|
|
Sets the load-balancing algorithm. Available options are |
|
|
Disables the use of cookies to track related connections. If set to |
|
|
Specifies an optional cookie to use for this route. The name must consist of any combination of upper and lower case letters, digits, "_", and "-". The default is the hashed internal key name for the route. |
|
|
Sets the maximum number of connections that are allowed to a backing pod from a router. |
|
|
Setting |
|
|
Limits the number of concurrent TCP connections made through the same source IP address. It accepts a numeric value. |
|
|
Limits the rate at which a client with the same source IP address can make HTTP requests. It accepts a numeric value. |
|
|
Limits the rate at which a client with the same source IP address can make TCP connections. It accepts a numeric value. |
|
|
Sets a server-side timeout for the route. (TimeUnits) |
|
|
This timeout applies to a tunnel connection, for example, WebSocket over cleartext, edge, reencrypt, or passthrough routes. With cleartext, edge, or reencrypt route types, this annotation is applied as a timeout tunnel with the existing timeout value. For the passthrough route types, the annotation takes precedence over any existing timeout value set. |
|
|
You can set either an IngressController or the ingress config . This annotation redeploys the router and configures the HA proxy to emit the haproxy |
|
|
Sets the interval for the back-end health checks. (TimeUnits) |
|
|
Sets a whitelist for the route. The whitelist is a space-separated list of IP addresses and CIDR ranges for the approved source addresses. Requests from IP addresses that are not in the whitelist are dropped. The maximum number of IP addresses and CIDR ranges allowed in a whitelist is 61. |
|
|
Sets a Strict-Transport-Security header for the edge terminated or re-encrypt route. |
|
|
Sets the |
|
|
Sets the rewrite path of the request on the backend. |
|
|
Sets a value to restrict cookies. The values are:
This value is applicable to re-encrypt and edge routes only. For more information, see the SameSite cookies documentation. |
|
|
Sets the policy for handling the
|
|
|
Environment variables cannot be edited. |
Router timeout variables
TimeUnits are represented by a number followed by the unit: us *(microseconds), ms (milliseconds, default), s (seconds), m (minutes), h *(hours), d (days).
The regular expression is: [1-9][0-9]*(us\|ms\|s\|m\|h\|d).
| Variable | Default | Description |
|---|---|---|
|
|
Length of time between subsequent liveness checks on back ends. |
|
|
Controls the TCP FIN timeout period for the client connecting to the route. If the FIN sent to close the connection does not answer within the given time, HAProxy closes the connection. This is harmless if set to a low value and uses fewer resources on the router. |
|
|
Length of time that a client has to acknowledge or send data. |
|
|
The maximum connection time. |
|
|
Controls the TCP FIN timeout from the router to the pod backing the route. |
|
|
Length of time that a server has to acknowledge or send data. |
|
|
Length of time for TCP or WebSocket connections to remain open. This timeout period resets whenever HAProxy reloads. |
|
|
Set the maximum time to wait for a new HTTP request to appear. If this is set too low, it can cause problems with browsers and applications not expecting a small Some effective timeout values can be the sum of certain variables, rather than the specific expected timeout. For example, |
|
|
Length of time the transmission of an HTTP request can take. |
|
|
Allows the minimum frequency for the router to reload and accept new changes. |
|
|
Timeout for the gathering of HAProxy metrics. |
A route setting custom timeout
apiVersion: route.openshift.io/v1
kind: Route
metadata:
annotations:
haproxy.router.openshift.io/timeout: 5500ms (1)
...| 1 | Specifies the new timeout with HAProxy supported units (us, ms, s, m, h, d). If the unit is not provided, ms is the default. |
|
Setting a server-side timeout value for passthrough routes too low can cause WebSocket connections to timeout frequently on that route. |
A route that allows only one specific IP address
metadata:
annotations:
haproxy.router.openshift.io/ip_whitelist: 192.168.1.10A route that allows several IP addresses
metadata:
annotations:
haproxy.router.openshift.io/ip_whitelist: 192.168.1.10 192.168.1.11 192.168.1.12A route that allows an IP address CIDR network
metadata:
annotations:
haproxy.router.openshift.io/ip_whitelist: 192.168.1.0/24A route that allows both IP an address and IP address CIDR networks
metadata:
annotations:
haproxy.router.openshift.io/ip_whitelist: 180.5.61.153 192.168.1.0/24 10.0.0.0/8A route specifying a rewrite target
apiVersion: route.openshift.io/v1
kind: Route
metadata:
annotations:
haproxy.router.openshift.io/rewrite-target: / (1)
...| 1 | Sets / as rewrite path of the request on the backend. |
Setting the haproxy.router.openshift.io/rewrite-target annotation on a route specifies that the Ingress Controller should rewrite paths in HTTP requests using this route before forwarding the requests to the backend application.
The part of the request path that matches the path specified in spec.path is replaced with the rewrite target specified in the annotation.
The following table provides examples of the path rewriting behavior for various combinations of spec.path, request path, and rewrite target.
| Route.spec.path | Request path | Rewrite target | Forwarded request path |
|---|---|---|---|
/foo |
/foo |
/ |
/ |
/foo |
/foo/ |
/ |
/ |
/foo |
/foo/bar |
/ |
/bar |
/foo |
/foo/bar/ |
/ |
/bar/ |
/foo |
/foo |
/bar |
/bar |
/foo |
/foo/ |
/bar |
/bar/ |
/foo |
/foo/bar |
/baz |
/baz/bar |
/foo |
/foo/bar/ |
/baz |
/baz/bar/ |
/foo/ |
/foo |
/ |
N/A (request path does not match route path) |
/foo/ |
/foo/ |
/ |
/ |
/foo/ |
/foo/bar |
/ |
/bar |
Configuring the route admission policy
Administrators and application developers can run applications in multiple namespaces with the same domain name. This is for organizations where multiple teams develop microservices that are exposed on the same hostname.
|
Allowing claims across namespaces should only be enabled for clusters with trust between namespaces, otherwise a malicious user could take over a hostname. For this reason, the default admission policy disallows hostname claims across namespaces. |
Prerequisites
-
Cluster administrator privileges.
Procedure
-
Edit the
.spec.routeAdmissionfield of theingresscontrollerresource variable using the following command:$ oc -n openshift-ingress-operator patch ingresscontroller/default --patch '{"spec":{"routeAdmission":{"namespaceOwnership":"InterNamespaceAllowed"}}}' --type=mergeSample Ingress Controller configurationspec: routeAdmission: namespaceOwnership: InterNamespaceAllowed ...You can alternatively apply the following YAML to configure the route admission policy:
apiVersion: operator.openshift.io/v1 kind: IngressController metadata: name: default namespace: openshift-ingress-operator spec: routeAdmission: namespaceOwnership: InterNamespaceAllowed
Creating a route through an Ingress object
Some ecosystem components have an integration with Ingress resources but not with route resources. To cover this case, OKD automatically creates managed route objects when an Ingress object is created. These route objects are deleted when the corresponding Ingress objects are deleted.
Procedure
-
Define an Ingress object in the OKD console or by entering the
oc createcommand:YAML Definition of an IngressapiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: frontend annotations: route.openshift.io/termination: "reencrypt" (1) route.openshift.io/destination-ca-certificate-secret: secret-ca-cert (3) spec: rules: - host: www.example.com (2) http: paths: - backend: service: name: frontend port: number: 443 path: / pathType: Prefix tls: - hosts: - www.example.com secretName: example-com-tls-certificate1 The route.openshift.io/terminationannotation can be used to configure thespec.tls.terminationfield of theRouteasIngresshas no field for this. The accepted values areedge,passthroughandreencrypt. All other values are silently ignored. When the annotation value is unset,edgeis the default route. The TLS certificate details must be defined in the template file to implement the default edge route.2 When working with an Ingressobject, you must specify an explicit hostname, unlike when working with routes. You can use the<host_name>.<cluster_ingress_domain>syntax, for exampleapps.openshiftdemos.com, to take advantage of the*.<cluster_ingress_domain>wildcard DNS record and serving certificate for the cluster. Otherwise, you must ensure that there is a DNS record for the chosen hostname.-
If you specify the
passthroughvalue in theroute.openshift.io/terminationannotation, setpathto''andpathTypetoImplementationSpecificin the spec:spec: rules: - host: www.example.com http: paths: - path: '' pathType: ImplementationSpecific backend: service: name: frontend port: number: 443$ oc apply -f ingress.yaml
3 The route.openshift.io/destination-ca-certificate-secretcan be used on an Ingress object to define a route with a custom destination certificate (CA). The annotation references a kubernetes secret,secret-ca-certthat will be inserted into the generated route.-
To specify a route object with a destination CA from an ingress object, you must create a
kubernetes.io/tlsorOpaquetype secret with a certificate in PEM-encoded format in thedata.tls.crtspecifier of the secret.
-
-
List your routes:
$ oc get routesThe result includes an autogenerated route whose name starts with
frontend-:NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD frontend-gnztq www.example.com frontend 443 reencrypt/Redirect NoneIf you inspect this route, it looks this:
YAML Definition of an autogenerated routeapiVersion: route.openshift.io/v1 kind: Route metadata: name: frontend-gnztq ownerReferences: - apiVersion: networking.k8s.io/v1 controller: true kind: Ingress name: frontend uid: 4e6c59cc-704d-4f44-b390-617d879033b6 spec: host: www.example.com path: / port: targetPort: https tls: certificate: | -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- insecureEdgeTerminationPolicy: Redirect key: | -----BEGIN RSA PRIVATE KEY----- [...] -----END RSA PRIVATE KEY----- termination: reencrypt destinationCACertificate: | -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- to: kind: Service name: frontend
Creating a route using the default certificate through an Ingress object
If you create an Ingress object without specifying any TLS configuration, OKD generates an insecure route. To create an Ingress object that generates a secure, edge-terminated route using the default ingress certificate, you can specify an empty TLS configuration as follows.
Prerequisites
-
You have a service that you want to expose.
-
You have access to the OpenShift CLI (
oc).
Procedure
-
Create a YAML file for the Ingress object. In this example, the file is called
example-ingress.yaml:YAML definition of an Ingress objectapiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: frontend ... spec: rules: ... tls: - {} (1)1 Use this exact syntax to specify TLS without specifying a custom certificate. -
Create the Ingress object by running the following command:
$ oc create -f example-ingress.yaml
Verification
-
Verify that OKD has created the expected route for the Ingress object by running the following command:
$ oc get routes -o yamlExample outputapiVersion: v1 items: - apiVersion: route.openshift.io/v1 kind: Route metadata: name: frontend-j9sdd (1) ... spec: ... tls: (2) insecureEdgeTerminationPolicy: Redirect termination: edge (3) ...1 The name of the route includes the name of the Ingress object followed by a random suffix. 2 In order to use the default certificate, the route should not specify spec.certificate.3 The route should specify the edgetermination policy.
Creating a route using the destination CA certificate in the Ingress annotation
The route.openshift.io/destination-ca-certificate-secret annotation can be used on an Ingress object to define a route with a custom destination CA certificate.
Prerequisites
-
You may have a certificate/key pair in PEM-encoded files, where the certificate is valid for the route host.
-
You may have a separate CA certificate in a PEM-encoded file that completes the certificate chain.
-
You must have a separate destination CA certificate in a PEM-encoded file.
-
You must have a service that you want to expose.
Procedure
-
Add the
route.openshift.io/destination-ca-certificate-secretto the Ingress annotations:apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: frontend annotations: route.openshift.io/termination: "reencrypt" route.openshift.io/destination-ca-certificate-secret: secret-ca-cert (1) ...1 The annotation references a kubernetes secret. -
The secret referenced in this annotation will be inserted into the generated route.
Example outputapiVersion: route.openshift.io/v1 kind: Route metadata: name: frontend annotations: route.openshift.io/termination: reencrypt route.openshift.io/destination-ca-certificate-secret: secret-ca-cert spec: ... tls: insecureEdgeTerminationPolicy: Redirect termination: reencrypt destinationCACertificate: | -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- ...
Configuring the OKD Ingress Controller for dual-stack networking
If your OKD cluster is configured for IPv4 and IPv6 dual-stack networking, your cluster is externally reachable by OKD routes.
The Ingress Controller automatically serves services that have both IPv4 and IPv6 endpoints, but you can configure the Ingress Controller for single-stack or dual-stack services.
Prerequisites
-
You deployed an OKD cluster on bare metal.
-
You installed the OpenShift CLI (
oc).
Procedure
-
To have the Ingress Controller serve traffic over IPv4/IPv6 to a workload, you can create a service YAML file or modify an existing service YAML file by setting the
ipFamiliesandipFamilyPolicyfields. For example:Sample service YAML fileapiVersion: v1 kind: Service metadata: creationTimestamp: yyyy-mm-ddT00:00:00Z labels: name: <service_name> manager: kubectl-create operation: Update time: yyyy-mm-ddT00:00:00Z name: <service_name> namespace: <namespace_name> resourceVersion: "<resource_version_number>" selfLink: "/api/v1/namespaces/<namespace_name>/services/<service_name>" uid: <uid_number> spec: clusterIP: 172.30.0.0/16 clusterIPs: (1) - 172.30.0.0/16 - <second_IP_address> ipFamilies: (2) - IPv4 - IPv6 ipFamilyPolicy: RequireDualStack (3) ports: - port: 8080 protocol: TCP targetport: 8080 selector: name: <namespace_name> sessionAffinity: None type: ClusterIP status: loadbalancer: {}1 In a dual-stack instance, there are two different clusterIPsprovided.2 For a single-stack instance, enter IPv4orIPv6. For a dual-stack instance, enter bothIPv4andIPv6.3 For a single-stack instance, enter SingleStack. For a dual-stack instance, enterRequireDualStack.These resources generate corresponding
endpoints. The Ingress Controller now watchesendpointslices. -
To view
endpoints, enter the following command:$ oc get endpoints -
To view
endpointslices, enter the following command:$ oc get endpointslices
Additional resources