Default <pod_namespace>.cluster.local Services <service>.<pod_namespace>.svc.cluster.local Endpoints <name>.<namespace>.endpoints.cluster.local This prevents having to restart frontend pods in order to pick up new services, which would create a new IP for the service. This also removes the need to use environment variables, because pods can use the service DNS. Also, as the DNS does not change, you can reference database services as db.local in configuration files. Wildcard lookups are also supported, because any lookups resolve to the service IP, and removes the need to create the backend service before any of the frontend pods, since the service name (and hence DNS) is established upfront. This DNS structure also covers headless services, where a portal IP is not assigned to the service and the kube-proxy does not load-balance or provide routing for its endpoints. Service DNS can still be used and responds with multiple A records, one for each pod of the service, allowing the client to round-robin between each pod.

5.2. OpenShift SDN

5.2.1. Overview

OpenShift Container Platform uses a software-defined networking (SDN) approach to provide a unified cluster network that enables communication between pods across the OpenShift Container Platform cluster. This pod network is established and maintained by the OpenShift SDN, which configures an overlay network using Open vSwitch (OVS). OpenShift SDN provides three SDN plug-ins for configuring the pod network: The ovs-subnet plug-in is the original plug-in, which provides a "flat" pod network where every pod can communicate with every other pod and service. The ovs-multitenant plug-in provides project-level isolation for pods and services. Each project receives a unique Virtual Network ID (VNID) that identifies traffic from pods assigned to the project. Pods from different projects cannot send packets to or receive packets from pods and services of a different project. However, projects that receive VNID 0 are more privileged in that they are allowed to communicate with all other pods, and all other pods can communicate with them. In OpenShift Container Platform clusters, the default project has VNID 0. This facilitates certain services, such as the load balancer, to communicate with all other pods in the cluster and vice versa. The ovs-networkpolicy plug-in allows project administrators to configure their own isolation policies using NetworkPolicy objects. Information on configuring the SDN on masters and nodes is available in Configuring the SDN .

5.2.2. Design on Masters

On an OpenShift Container Platform master, OpenShift SDN maintains a registry of nodes, stored in etcd . When the system administrator registers a node, OpenShift SDN allocates an unused subnet from the cluster network and stores this subnet in the registry. When a node is deleted, OpenShift SDN deletes the subnet from the registry and considers the subnet available to be allocated again. In the default configuration, the cluster network is the 10.128.0.0/14 network (i.e. 10.128.0.0 - 10.131.255.255 ), and nodes are allocated /23 subnets (i.e., 10.128.0.0/23 , 10.128.2.0/23 , 10.128.4.0/23 , and so on). This means that the cluster network has 512 subnets available to assign to nodes, and a given node is allocated 510 addresses that it can assign to the containers running on it. The size and address range of the cluster network are configurable, as is the host subnet size. If the subnet extends into the next higher octet, it is rotated so that the subnet bits with 0s in the shared octet are allocated first. For example, if the network is 10.1.0.0/16, with hostsubnetlength=6 , then the subnet of 10.1.0.0/26 and 10.1.1.0/26, through to 10.1.255.0/26 are allocated before 10.1.0.64/26, 10.1.1.64/26 are filled. This ensures that the subnet is easier to follow. Note that the OpenShift SDN on a master does not configure the local (master) host to have access to any cluster network. Consequently, a master host does not have access to pods via the cluster network, unless it is also running as a node. When using the ovs-multitenant plug-in, the OpenShift SDN master also watches for the creation and deletion of projects, and assigns VXLAN VNIDs to them, which are later used by the nodes to isolate traffic correctly.

5.2.3. Design on Nodes

On a node, OpenShift SDN first registers the local host with the SDN master in the aforementioned registry so that the master allocates a subnet to the node. Next, OpenShift SDN creates and configures three network devices: br0 : the OVS bridge device that pod containers will be attached to. OpenShift SDN also configures a set of non-subnet-specific flow rules on this bridge. tun0 : an OVS internal port (port 2 on br0 ). This gets assigned the cluster subnet gateway address, and is used for external network access. OpenShift SDN configures netfilter and routing rules to enable access from the cluster subnet to the external network via NAT. vxlan_sys_4789 : The OVS VXLAN device (port 1 on br0 ), which provides access to containers on remote nodes. Referred to as vxlan0 in the OVS rules. Each time a pod is started on the host, OpenShift SDN: assigns the pod a free IP address from the node’s cluster subnet. attaches the host side of the pod’s veth interface pair to the OVS bridge br0 . adds OpenFlow rules to the OVS database to route traffic addressed to the new pod to the correct OVS port. in the case of the ovs-multitenant plug-in, adds OpenFlow rules to tag traffic coming from the pod with the pod’s VNID, and to allow traffic into the pod if the traffic’s VNID matches the pod’s VNID (or is the privileged VNID 0). Non-matching traffic is filtered out by a generic rule. OpenShift SDN nodes also watch for subnet updates from the SDN master. When a new subnet is added, the node adds OpenFlow rules on br0 so that packets with a destination IP address in the remote subnet go to vxlan0 (port 1 on br0 ) and thus out onto the network. The ovs-subnet plug-in sends all packets across the VXLAN with VNID 0, but the ovs-multitenant plug-in uses the appropriate VNID for the source container.

5.2.4. Packet Flow

Suppose you have two containers, A and B, where the peer virtual Ethernet device for container A’s eth0 is named vethA and the peer for container B’s eth0 is named vethB . If the Docker service’s use of peer virtual Ethernet devices is not already familiar to you, see Docker’s advanced networking documentation . Now suppose first that container A is on the local host and container B is also on the local host. Then the flow of packets from container A to container B is as follows: eth0 (in A’s netns) → vethA → br0 → vethB → eth0 (in B’s netns) Next, suppose instead that container A is on the local host and container B is on a remote host on the cluster network. Then the flow of packets from container A to container B is as follows: eth0 (in A’s netns) → vethA → br0 → vxlan0 → network ^[1] → vxlan0 → br0 → vethB → eth0 (in B’s netns) Finally, if container A connects to an external host, the traffic looks like: eth0 (in A’s netns) → vethA → br0 → tun0 → (NAT) → eth0 (physical device) → Internet Almost all packet delivery decisions are performed with OpenFlow rules in the OVS bridge br0 , which simplifies the plug-in network architecture and provides flexible routing. In the case of the ovs-multitenant plug-in, this also provides enforceable network isolation .

5.2.5. Network Isolation

You can use the ovs-multitenant plug-in to achieve network isolation. When a packet exits a pod assigned to a non-default project, the OVS bridge br0 tags that packet with the project’s assigned VNID. If the packet is directed to another IP address in the node’s cluster subnet, the OVS bridge only allows the packet to be delivered to the destination pod if the VNIDs match. If a packet is received from another node via the VXLAN tunnel, the Tunnel ID is used as the VNID, and the OVS bridge only allows the packet to be delivered to a local pod if the tunnel ID matches the destination pod’s VNID. Packets destined for other cluster subnets are tagged with their VNID and delivered to the VXLAN tunnel with a tunnel destination address of the node owning the cluster subnet. As described before, VNID 0 is privileged in that traffic with any VNID is allowed to enter any pod assigned VNID 0, and traffic with VNID 0 is allowed to enter any pod. Only the default OpenShift Container Platform project is assigned VNID 0; all other projects are assigned unique, isolation-enabled VNIDs. Cluster administrators can optionally control the pod network for the project using the administrator CLI. After this point, device names refer to devices on container B’s host.

5.3. Available SDN plug-ins

OpenShift Container Platform supports the Kubernetes Container Network Interface (CNI) as the interface between the OpenShift Container Platform and Kubernetes. Software defined network (SDN) plug-ins match network capabilities to your networking needs. Additional plug-ins that support the CNI interface can be added as needed.

5.3.1. OpenShift SDN

OpenShift SDN is installed and configured by default as part of the Ansible-based installation procedure. See the OpenShift SDN section for more information.

5.3.2. Third-Party SDN plug-ins

5.3.2.1. Cisco ACI SDN

The Cisco ACI CNI plug-in for OpenShift Container Platform provides integration between the Cisco Application Policy Infrastructure Controller (Cisco APIC) controller and one or more OpenShift Container Platform clusters connected to a Cisco ACI fabric. This integration is implemented across two main functional areas: The Cisco ACI CNI plug-in extends the ACI fabric capabilities to OpenShift Container Platform clusters in order to provide IP address management, networking, load balancing, and security functions for OpenShift Container Platform workloads. The Cisco ACI CNI plug-in connects all OpenShift Container Platform Pods to the integrated VXLAN overlay provided by Cisco ACI. The Cisco ACI CNI plug-in models the entire OpenShift Container Platform cluster as a VMM domain on the Cisco APIC. This provides APIC with access to the inventory of resources of the OpenShift Container Platform cluster, including the number of OpenShift Container Platform nodes, OpenShift Container Platform namespaces, services, deployments, Pods, their IP and MAC addresses, interfaces they are using, and so on. APIC uses this information to automatically correlate physical and virtual resources in order to simplify operations. The Cisco ACI CNI plug-in is designed to be transparent for OpenShift Container Platform developers and administrators and to integrate seamlessly from an operational standpoint. For more information, see Cisco ACI CNI Plugin for Red Hat OpenShift Container Platform Architecture and Design Guide .

5.3.2.2. Flannel SDN

flannel is a virtual networking layer designed specifically for containers. OpenShift Container Platform can use it for networking containers instead of the default software-defined networking (SDN) components. This is useful if running OpenShift Container Platform within a cloud provider platform that also relies on SDN, such as OpenStack, and you want to avoid encapsulating packets twice through both platforms. Architecture OpenShift Container Platform runs flannel in host-gw mode, which maps routes from container to container. Each host within the network runs an agent called flanneld , which is responsible for: Managing a unique subnet on each host Distributing IP addresses to each container on its host Mapping routes from one container to another, even if on different hosts Each flanneld agent provides this information to a centralized etcd store so other agents on hosts can route packets to other containers within the flannel network. The following diagram illustrates the architecture and data flow from one container to another using a flannel network: Node 1 would contain the following routes:

default via 192.168.0.100 dev eth0 proto static metric 100
10.1.15.0/24 dev docker0 proto kernel scope link src 10.1.15.1
10.1.20.0/24 via 192.168.0.200 dev eth0

Node 2 would contain the following routes:

default via 192.168.0.200 dev eth0 proto static metric 100
10.1.20.0/24 dev docker0 proto kernel scope link src 10.1.20.1
10.1.15.0/24 via 192.168.0.100 dev eth0

5.3.2.3. NSX-T SDN

The VMware NSX-T ™ Data Center provides a policy-based overlay network reproducing the complete set of Layer 2 through Layer 7 networking services (such as switching, routing, access control, fire-walling, and QoS) in software for native OpenShift Container Platform networking capabilities. The NSX-T components can be installed and configured as part of the Ansible installation procedure, which integrates an OpenShift Container Platform SDN into a data-center-wide NSX-T virtualised network connecting bare metal, virtual machines, and OpenShift Container Platform pods. See the Installation section for information on how to install and deploy OpenShift Container Platform with VMware NSX-T. The NSX-T Container Plug-In (NCP) integrates OpenShift Container Platform into an NSX-T Manager, which is typically configured for the entire data center. For information on the NSX-T Data Center architecture and administration, see the VMware NSX-T Data Center v2.4 documentation and the NSX-T NCP configuration guides.

5.3.2.4. Nuage SDN

Nuage Networks' SDN solution delivers highly scalable, policy-based overlay networking for pods in an OpenShift Container Platform cluster. Nuage SDN can be installed and configured as a part of the Ansible-based installation procedure. See the Advanced Installation section for information on how to install and deploy OpenShift Container Platform with Nuage SDN. Nuage Networks provides a highly scalable, policy-based SDN platform called Virtualized Services Platform (VSP). Nuage VSP uses an SDN Controller, along with the open source Open vSwitch for the data plane. Nuage uses overlays to provide policy-based networking between OpenShift Container Platform and other environments consisting of VMs and bare metal servers. The platform’s real-time analytics engine enables visibility and security monitoring for OpenShift Container Platform applications. Nuage VSP integrates with OpenShift Container Platform to allows business applications to be quickly turned up and updated by removing the network lag faced by DevOps teams.

Figure 5.1. Nuage VSP Integration with OpenShift Container Platform

There are two specific components responsible for the integration. The nuage-openshift-monitor service, which runs as a separate service on the OpenShift Container Platform master node. The vsp-openshift plug-in, which is invoked by the OpenShift Container Platform runtime on each of the nodes of the cluster. Nuage Virtual Routing and Switching software (VRS) is based on open source Open vSwitch and is responsible for the datapath forwarding. The VRS runs on each node and gets policy configuration from the controller. Nuage VSP Terminology

Figure 5.2. Nuage VSP Building Blocks

1. Domains: An organization contains one or more domains. A domain is a single "Layer 3" space. In standard networking terminology, a domain maps to a VRF instance. Zones: Zones are defined under a domain. A zone does not map to anything on the network directly, but instead acts as an object with which policies are associated such that all endpoints in the zone adhere to the same set of policies. Subnets: Subnets are defined under a zone. A subnet is a specific Layer 2 subnet within the domain instance. A subnet is unique and distinct within a domain, that is, subnets within a Domain are not allowed to overlap or to contain other subnets in accordance with the standard IP subnet definitions. VPorts: A VPort is a new level in the domain hierarchy, intended to provide more granular configuration. In addition to containers and VMs, VPorts are also used to attach Host and Bridge Interfaces, which provide connectivity to Bare Metal servers, Appliances, and Legacy VLANs. Policy Group: Policy Groups are collections of VPorts. Mapping of Constructs Many OpenShift Container Platform concepts have a direct mapping to Nuage VSP constructs:

   Figure 5.3. Nuage VSP and OpenShift Container Platform mapping

   

   A Nuage subnet is not mapped to an OpenShift Container Platform node, but a subnet for a particular project can span multiple nodes in OpenShift Container Platform. A pod spawning in OpenShift Container Platform translates to a virtual port being created in VSP. The vsp-openshift plug-in interacts with the VRS and gets a policy for that virtual port from the VSD via the VSC. Policy Groups are supported to group multiple pods together that must have the same set of policies applied to them. Currently, pods can only be assigned to policy groups using the operations workflow where a policy group is created by the administrative user in VSD. The pod being a part of the policy group is specified by means of nuage.io/policy-group label in the specification of the pod. Integration Components Nuage VSP integrates with OpenShift Container Platform using two main components: nuage-openshift-monitor vsp-openshift plugin nuage-openshift-monitor nuage-openshift-monitor is a service that monitors the OpenShift Container Platform API server for creation of projects, services, users, user-groups, etc. In case of a Highly Available (HA) OpenShift Container Platform cluster with multiple masters, nuage-openshift-monitor process runs on all the masters independently without any change in functionality. For the developer workflow, nuage-openshift-monitor also auto-creates VSD objects by exercising the VSD REST API to map OpenShift Container Platform constructs to VSP constructs. Each cluster instance maps to a single domain in Nuage VSP. This allows a given enterprise to potentially have multiple cluster installations - one per domain instance for that Enterprise in Nuage. Each OpenShift Container Platform project is mapped to a zone in the domain of the cluster on the Nuage VSP. Whenever nuage-openshift-monitor sees an addition or deletion of the project, it instantiates a zone using the VSDK APIs corresponding to that project and allocates a block of subnet for that zone. Additionally, the nuage-openshift-monitor also creates a network macro group for this project. Likewise, whenever nuage-openshift-monitor sees an addition ordeletion of a service, it creates a network macro corresponding to the service IP and assigns that network macro to the network macro group for that project (user provided network macro group using labels is also supported) to enable communication to that service. For the developer workflow, all pods that are created within the zone get IPs from that subnet pool. The subnet pool allocation and management is done by nuage-openshift-monitor based on a couple of plug-in specific parameters in the master-config file. However the actual IP address resolution and vport policy resolution is still done by VSD based on the domain/zone that gets instantiated when the project is created. If the initial subnet pool is exhausted, nuage-openshift-monitor carves out an additional subnet from the cluster CIDR to assign to a given project. For the operations workflow, the users specify Nuage recognized labels on their application or pod specification to resolve the pods into specific user-defined zones and subnets. However, this cannot be used to resolve pods in the zones or subnets created via the developer workflow by nuage-openshift-monitor . In the operations workflow, the administrator is responsible for pre-creating the VSD constructs to map the pods into a specific zone/subnet as well as allow communication between OpenShift entities (ACL rules, policy groups, network macros, and network macro groups). Detailed description of how to use Nuage labels is provided in the Nuage VSP Openshift Integration Guide . vsp-openshift Plug-in The vsp-openshift networking plug-in is called by the OpenShift Container Platform runtime on each OpenShift Container Platform node. It implements the network plug-in init and pod setup, teardown, and status hooks. The vsp-openshift plug-in is also responsible for allocating the IP address for the pods. In particular, it communicates with the VRS (the forwarding engine) and configures the IP information onto the pod.

5.3.3. Kuryr SDN for OpenShift Container Platform

Kuryr (or more specifically Kuryr-Kubernetes) is an SDN solution built using CNI and OpenStack Neutron . Its advantages include being able to use a wide range of Neutron SDN backends and providing interconnectivity between Kubernetes pods and OpenStack virtual machines (VMs). Kuryr-Kubernetes and OpenShift Container Platform integration is primarily designed for OpenShift Container Platform clusters running on OpenStack VMs.

5.3.3.1. OpenStack Deployment Requirements

Kuryr SDN has some requirements regarding configuration of OpenStack it will be using. In particular: Minimal service set is Keystone and Neutron. It works with Octavia . Trunk ports extension must be enabled. Neutron must use the Open vSwitch firewall driver.

5.3.3.2. kuryr-controller

kuryr-controller is a service responsible for watching OpenShift Container Platform API for new pods being spawned and creating Neutron resources for them. For example, when a pod gets created, kuryr-controller will notice that and call OpenStack Neutron to create a new port. Then, information about that port (or VIF) is saved into the pod’s annotations. kuryr-controller is also able to use precreated port pools for faster pod creation. Currently, kuryr-controller must be run as a single service instance, so it is modeled in OpenShift Container Platform as Deployment with replicas=1 . It requires access to the underlying OpenStack service APIs.

5.3.3.3. kuryr-cni

kuryr-cni container serves two roles in Kuryr-Kubernetes deployment. It is responsible for installing and configuring Kuryr CNI script on OpenShift Container Platform nodes and running kuryr-daemon service that is networking the Pods on the host. This means that kuryr-cni container needs to run on every OpenShift Container Platform node, so it is modeled as DaemonSet . OpenShift Container Platform CNI will call the Kuryr CNI script every time a new pod is spawned on or deleted from an OpenShift Container Platform host. The script fetches the container ID of the local kuryr-cni from Docker API and executes Kuryr CNI plug-in binary through docker exec passing all the CNI call arguments. The plug-in then calls kuryr-daemon over local HTTP socket, again passing all the parameters. kuryr-daemon service is responsible for watching for Pod’s annotations about Neutron VIFs created for them. When CNI request for given Pod is received daemon either has VIF information in memory already or waits for the annotation to appear on Pod definition. Once VIF info in known all the networking operations happen.

5.4. Available router plug-ins

A router can be assigned to a node to control traffic in an OpenShift Container Platform cluster. OpenShift Container Platform uses HAProxy as the default router, but options are available.

5.4.1. The HAProxy Template Router

The HAProxy template router implementation is the reference implementation for a template router plug-in. It uses the openshift3/ose-haproxy-router repository to run an HAProxy instance alongside the template router plug-in. The template router has two components: A wrapper that watches endpoints and routes and causes a HAProxy reload based on changes A controller that builds the HAProxy configuration file based on routes and endpoints The HAProxy router uses version 1.8.1. The controller and HAProxy are housed inside a pod, which is managed by a deployment configuration. The process of setting up the router is automated by the oc adm router command. The controller watches the routes and endpoints for changes, as well as HAProxy’s health. When a change is detected, it builds a new haproxy-config file and restarts HAProxy. The haproxy-config file is constructed based on the router’s template file and information from OpenShift Container Platform. The HAProxy template file can be customized as needed to support features that are not currently supported by OpenShift Container Platform. The HAProxy manual describes all of the features supported by HAProxy. The following diagram illustrates how data flows from the master through the plug-in and finally into an HAProxy configuration:

Figure 5.4. HAProxy Router Data Flow

HAProxy Template Router Metrics The HAProxy router exposes or publishes metrics in Prometheus format for consumption by external metrics collection and aggregation systems (e.g. Prometheus, statsd). The router can be configured to provide HAProxy CSV format metrics, or provide no router metrics at all. The metrics are collected from both the router controller and from HAProxy every five seconds. The router metrics counters start at zero when the router is deployed and increase over time. The HAProxy metrics counters are reset to zero every time haproxy is reloaded. The router collects HAProxy statistics for each frontend, back end, and server. To reduce resource usage when there are more than 500 servers, the back ends are reported instead of the servers because a back end can have multiple servers. The statistics are a subset of the available HAProxy statistics . The following HAProxy metrics are collected on a periodic basis and converted to Prometheus format. For every front end the "F" counters are collected. When the counters are collected for each back end and the "S" server counters are collected for each server. Otherwise, the "B" counters are collected for each back end and no server counters are collected. See router environment variables for more information. In the following table: Column 1 - Index from HAProxy CSV statistics Column 2 Front end metrics Back end metrics when not showing Server metrics due to the Server Threshold, Back end metrics when showing Server metrics Server metrics. Column 3 - The counter Column 4 - Counter description Index Usage Counter Description current_queue Current number of queued requests not assigned to any server. current_sessions Current number of active sessions. max_sessions Maximum observed number of active sessions. connections_total Total number of connections. bytes_in_total Current total of incoming bytes. bytes_out_total Current total of outgoing bytes. connection_errors_total Total of connection errors. response_errors_total Total of response errors. Current health status of the back end (1 = UP, 0 = DOWN). check_failures_total Total number of failed health checks. downtime_seconds_total Total downtime in seconds.", nil), current_session_rate Current number of sessions per second over last elapsed second. max_session_rate Maximum observed number of sessions per second. http_responses_total Total of HTTP responses, code 2xx http_responses_total Total of HTTP responses, code 5xx http_average_response_latency_milliseconds of the last 1024 requests in milliseconds. The router controller scrapes the following items. These are only available with Prometheus format metrics. Description template_router_reload_seconds Measures the time spent reloading the router in seconds. template_router_write_config_seconds Measures the time spent writing out the router configuration to disk in seconds. haproxy_exporter_up Was the last scrape of haproxy successful. haproxy_exporter_csv_parse_failures Number of errors while parsing CSV. haproxy_exporter_scrape_interval The time in seconds before another scrape is allowed, proportional to size of data. haproxy_exporter_server_threshold Number of servers tracked and the current threshold value. haproxy_exporter_total_scrapes Current total HAProxy scrapes. http_request_duration_microseconds The HTTP request latencies in microseconds. http_request_size_bytes The HTTP request sizes in bytes. http_response_size_bytes The HTTP response sizes in bytes. openshift_build_info A metric with a constant '1' value labeled by major, minor, git commit & git version from which OpenShift was built. ssh_tunnel_open_count Counter of SSH tunnel total open attempts ssh_tunnel_open_fail_count Counter of SSH tunnel failed open attempts

DEFAULT_CERTIFICATE The contents of a default certificate to use for routes that don’t expose a TLS server cert; in PEM format. DEFAULT_CERTIFICATE_DIR A path to a directory that contains a file named tls.crt . If tls.crt is not a PEM file which also contains a private key, it is first combined with a file named tls.key in the same directory. The PEM-format contents are then used as the default certificate. Only used if DEFAULT_CERTIFICATE or DEFAULT_CERTIFICATE_PATH are not specified. DEFAULT_CERTIFICATE_PATH A path to default certificate to use for routes that don’t expose a TLS server cert; in PEM format. Only used if DEFAULT_CERTIFICATE is not specified. EXTENDED_VALIDATION If true , the router confirms that the certificate is structurally correct. It does not verify the certificate against any CA. Set false to turn off the tests. NAMESPACE_LABELS A label selector to apply to namespaces to watch, empty means all. PROJECT_LABELS A label selector to apply to projects to watch, emtpy means all. RELOAD_SCRIPT The path to the reload script to use to reload the router. ROUTER_ALLOWED_DOMAINS A comma-separated list of domains that the host name in a route can only be part of. Any subdomain in the domain can be used. Option ROUTER_DENIED_DOMAINS overrides any values given in this option. If set, everything outside of the allowed domains will be rejected. ROUTER_BACKEND_PROCESS_ENDPOINTS String to specify how the endpoints should be processed while using the template function processEndpointsForAlias. Valid values are ["shuffle", ""]. "shuffle" will randomize the elements upon every call. Default behavior returns in pre-determined order. ROUTER_BIND_PORTS_AFTER_SYNC false If set to true or TRUE , then the router does not bind to any ports until it has completely synchronized state. If not set to 'true' or 'TRUE', the router will bind to ports and start processing requests immediately, but there may be routes that are not loaded. ROUTER_COOKIE_NAME Specifies cookie name to override the internally generated default name. The name must consist of any combination of upper and lower case letters, digits, "_", and "-". The default is the hashed internal key name for the route. ROUTER_COMPRESSION_MIME "text/html text/plain text/css" A space separated list of mime types to compress. ROUTER_DENIED_DOMAINS A comma-separated list of domains that the host name in a route can not be part of. No subdomain in the domain can be used either. Overrides option ROUTER_ALLOWED_DOMAINS . ROUTER_ENABLE_COMPRESSION If true or TRUE , compress responses when possible. ROUTER_LISTEN_ADDR 0.0.0.0:1936 Sets the listening address for router metrics. ROUTER_LOG_LEVEL warning The log level to send to the syslog server. ROUTER_MAX_CONNECTIONS 20000 Maximum number of concurrent connections. ROUTER_METRICS_HAPROXY_SERVER_THRESHOLD ROUTER_METRICS_HAPROXY_EXPORTED Metrics collected in CSV format. For example, defaultSelectedMetrics = []int{2, 4, 5, 7, 8, 9, 13, 14, 17, 21, 24, 33, 35, 40, 43, 60} ROUTER_METRICS_HAPROXY_BASE_SCRAPE_INTERVAL ROUTER_METRICS_HAPROXY_TIMEOUT ROUTER_METRICS_TYPE haproxy Generate metrics for the HAProxy router. (haproxy is the only supported value) ROUTER_OVERRIDE_DOMAINS A comma-separated list of domain names. If a route’s domain name matches the host in a route, the host name is ignored and the pattern defined in ROUTER_SUBDOMAIN is used. ROUTER_OVERRIDE_HOSTNAME If set true , override the spec.host value for a route with the template in ROUTER_SUBDOMAIN . ROUTER_SERVICE_HTTPS_PORT Port to listen for HTTPS requests. ROUTER_SERVICE_HTTP_PORT Port to listen for HTTP requests. ROUTER_SERVICE_NAME public The name that the router identifies itself in the in route status. ROUTER_CANONICAL_HOSTNAME The (optional) host name of the router shown in the in route status. ROUTER_SERVICE_NAMESPACE The namespace the router identifies itself in the in route status. Required if ROUTER_SERVICE_NAME is used. ROUTER_SERVICE_NO_SNI_PORT 10443 Internal port for some front-end to back-end communication (see note below). ROUTER_SERVICE_SNI_PORT 10444 Internal port for some front-end to back-end communication (see note below). ROUTER_SUBDOMAIN The template that should be used to generate the host name for a route without spec.host (e.g. ${name}-${namespace}.myapps.mycompany.com). ROUTER_SYSLOG_ADDRESS Address to send log messages. Disabled if empty. ROUTER_SYSLOG_FORMAT If set, override the default log format used by underlying router implementation. Its value should conform with underlying router implementation’s specification. ROUTER_TCP_BALANCE_SCHEME source load balancing strategy . for multiple endpoints for pass-through routes. Available options are source , roundrobin , or leastconn . ROUTER_THREADS Specifies the number of threads for the haproxy router. ROUTER_LOAD_BALANCE_ALGORITHM leastconn load balancing strategy . for routes with multiple endpoints. Available options are source , roundrobin , and leastconn . ROUTE_LABELS A label selector to apply to the routes to watch, empty means all. STATS_PASSWORD The password needed to access router stats (if the router implementation supports it). STATS_PORT Port to expose statistics on (if the router implementation supports it). If not set, stats are not exposed. STATS_USERNAME The user name needed to access router stats (if the router implementation supports it). TEMPLATE_FILE /var/lib/haproxy/conf/custom/ haproxy-config-custom.template The path to the HAProxy template file (in the container image). ROUTER_USE_PROXY_PROTOCOL When set to true or TRUE , HAProxy expects incoming connections to use the PROXY protocol on port 80 or port 443. The source IP address can pass through a load balancer if the load balancer supports the protocol, for example Amazon ELB. ROUTER_ALLOW_WILDCARD_ROUTES When set to true or TRUE , any routes with a wildcard policy of Subdomain that pass the router admission checks will be serviced by the HAProxy router. ROUTER_DISABLE_NAMESPACE_OWNERSHIP_CHECK Set to true to relax the namespace ownership policy. ROUTER_STRICT_SNI strict-sni ROUTER_CIPHERS intermediate Specify the set of ciphers supported by bind. ROUTER_HAPROXY_CONFIG_MANAGER When set to true or TRUE , enables a dynamic configuration manager with HAproxy, which can manage certain types of routes and reduce the amount of HAproxy router reloads. See Using the Dynamic Configuration Manager for more information. COMMIT_INTERVAL Specifies how often to commit changes made with the dynamic configuration manager. This causes the underlying template router implementation to reload the configuration. ROUTER_BLUEPRINT_ROUTE_NAMESPACE Set to the namespace that contain the routes that serve as blueprints for the dynamic configuration manager. This allows the dynamic configuration manager to support custom routes with any custom annotations, certificates, or configuration files. ROUTER_BLUEPRINT_ROUTE_LABELS Set to a label selector to apply to the routes in the blueprint route namespace. This allows you to specify the routes in a namespace that can serve as blueprints for the dynamic configuration manager. ROUTER_BLUEPRINT_ROUTE_POOL_SIZE Specifies the size of the pre-allocated pool for each route blueprint that is managed by the dynamic configuration manager. This can be overriden on an individual route basis using the router.openshift.io/pool-size annotation on any blueprint route. ROUTER_MAX_DYNAMIC_SERVERS Specifies the maximum number of dynamic servers added to each route for use by the dynamic configuration manager. If you want to run multiple routers on the same machine, you must change the ports that the router is listening on, ROUTER_SERVICE_SNI_PORT and ROUTER_SERVICE_NO_SNI_PORT . These ports can be anything you want as long as they are unique on the machine. These ports will not be exposed externally. Router timeout variables TimeUnits are represented by a number followed by the unit: us *(microseconds), ms (milliseconds, default), s (seconds), m (minutes), h *(hours), d (days). The regular expression is: [1-9][0-9]*(us\|ms\|s\|m\|h\|d) ROUTER_BACKEND_CHECK_INTERVAL 5000ms Length of time between subsequent liveness checks on backends. ROUTER_CLIENT_FIN_TIMEOUT Controls the TCP FIN timeout period for the client connecting to the route. If the FIN sent to close the connection is not answered within the given time, HAProxy will close the connection. This is harmless if set to a low value and uses fewer resources on the router. ROUTER_DEFAULT_CLIENT_TIMEOUT Length of time that a client has to acknowledge or send data. ROUTER_DEFAULT_CONNECT_TIMEOUT The maximum connect time. ROUTER_DEFAULT_SERVER_FIN_TIMEOUT Controls the TCP FIN timeout from the router to the pod backing the route. ROUTER_DEFAULT_SERVER_TIMEOUT Length of time that a server has to acknowledge or send data. ROUTER_DEFAULT_TUNNEL_TIMEOUT Length of time for TCP or WebSocket connections to remain open. If you have websockets/tcp connections (and any time HAProxy is reloaded), the old HAProxy processes will stay for that period. ROUTER_SLOWLORIS_HTTP_KEEPALIVE Set the maximum time to wait for a new HTTP request to appear. If this is set too low, it can cause problems with browsers and applications not expecting a small keepalive value. Additive. See note box below for more information. ROUTER_SLOWLORIS_TIMEOUT Length of time the transmission of an HTTP request can take. RELOAD_INTERVAL The minimum frequency the router is allowed to reload to accept new changes. ROUTER_METRICS_HAPROXY_TIMEOUT Timeout for the gathering of HAProxy metrics. Some effective timeout values can be the sum of certain variables, rather than the specific expected timeout. For example: ROUTER_SLOWLORIS_HTTP_KEEPALIVE adjusts timeout http-keep-alive , and is set to 300s by default, but haproxy also waits on tcp-request inspect-delay , which is set to 5s . In this case, the overall timeout would be 300s plus 5s .

$ oc adm router --strict-sni

5.7.8. Router Cipher Suite

Each client (for example, Chrome 30, or Java8) includes a suite of ciphers used to securely connect with the router. The router must have at least one of the ciphers for the connection to be complete:

Table 5.3. Router Cipher Profiles

Profile

Oldest compatible client

modern Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, Java 8 intermediate Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7 Windows XP IE6, Java 6 See the Security/Server Side TLS reference guide for more information. By default, the router selects the intermediate profile and sets ciphers based on this profile. When a profile is selected, only the ciphers are set. The TLS version is not governed by the profile. You can select a different profile by using the --ciphers option when creating a router, or by changing the ROUTER_CIPHERS environment variable with the values modern , intermediate , or old for an existing router. Alternatively, a set of ":" separated ciphers can be provided. The ciphers must be from the set displayed by: openssl ciphers 5.7.9. Route Host Names In order for services to be exposed externally, an OpenShift Container Platform route allows you to associate a service with an externally-reachable host name. This edge host name is then used to route traffic to the service. When multiple routes from different namespaces claim the same host, the oldest route wins and claims it for the namespace. If additional routes with different path fields are defined in the same namespace, those paths are added. If multiple routes with the same path are used, the oldest takes priority. A consequence of this behavior is that if you have two routes for a host name: an older one and a newer one. If someone else has a route for the same host name that they created between when you created the other two routes, then if you delete your older route, your claim to the host name will no longer be in effect. The other namespace now claims the host name and your claim is lost. A Route with a Specified Host: apiVersion: v1 kind: Route metadata: name: host-route spec: host: www.example.com 1 kind: Service name: service-name Specifies the externally-reachable host name used to expose a service. A Route Without a Host: apiVersion: v1 kind: Route metadata: name: no-route-hostname spec: kind: Service name: service-name If a host name is not provided as part of the route definition, then OpenShift Container Platform automatically generates one for you. The generated host name is of the form: <route-name>[-<namespace>].<suffix> The following example shows the OpenShift Container Platform-generated host name for the above configuration of a route without a host added to a namespace mynamespace : Generated Host Name no-route-hostname-mynamespace.router.default.svc.cluster.local 1 The generated host name suffix is the default routing subdomain router.default.svc.cluster.local . A cluster administrator can also customize the suffix used as the default routing subdomain for their environment. 5.7.10. Route Types Routes can be either secured or unsecured. Secure routes provide the ability to use several types of TLS termination to serve certificates to the client. Routers support edge , passthrough , and re-encryption termination. Unsecured Route Object YAML Definition apiVersion: v1 kind: Route metadata: name: route-unsecured spec: host: www.example.com kind: Service name: service-name Unsecured routes are simplest to configure, as they require no key or certificates, but secured routes offer security for connections to remain private. A secured route is one that specifies the TLS termination of the route. The available types of termination are described below . 5.7.10.1. Path Based Routes Path based routes specify a path component that can be compared against a URL (which requires that the traffic for the route be HTTP based) such that multiple routes can be served using the same host name, each with a different path. Routers should match routes based on the most specific path to the least; however, this depends on the router implementation. The host name and path are passed through to the backend server so it should be able to successfully answer requests for them. For example: a request to http://example.com/foo/ that goes to the router will result in a pod seeing a request to http://example.com/foo/ . The following table shows example routes and their accessibility: Table 5.4. Route Availability Route When Compared to Accessible www.example.com/test www.example.com/test www.example.com www.example.com/test and www.example.com www.example.com/test www.example.com www.example.com www.example.com/test Yes (Matched by the host, not the route) www.example.com An Unsecured Route with a Path: apiVersion: v1 kind: Route metadata: name: route-unsecured spec: host: www.example.com path: "/test" 1 kind: Service name: service-name The path is the only added attribute for a path-based route. Path-based routing is not available when using passthrough TLS, as the router does not terminate TLS in that case and cannot read the contents of the request. 5.7.10.2. Secured Routes Secured routes specify the TLS termination of the route and, optionally, provide a key and certificate(s). TLS termination in OpenShift Container Platform relies on SNI for serving custom certificates. Any non-SNI traffic received on port 443 is handled with TLS termination and a default certificate (which may not match the requested host name, resulting in validation errors). Secured routes can use any of the following three types of secure TLS termination. Edge Termination With edge termination, TLS termination occurs at the router, prior to proxying traffic to its destination. TLS certificates are served by the front end of the router, so they must be configured into the route, otherwise the router’s default certificate will be used for TLS termination. A Secured Route Using Edge Termination apiVersion: v1 kind: Route metadata: name: route-edge-secured 1 spec: host: www.example.com kind: Service name: service-name 2 termination: edge 3 key: |- 4 -----BEGIN PRIVATE KEY----- [...] -----END PRIVATE KEY----- certificate: |- 5 -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- caCertificate: |- 6 -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- The name of the object, which is limited to 63 characters. The termination field is edge for edge termination. The key field is the contents of the PEM format key file. The certificate field is the contents of the PEM format certificate file. An optional CA certificate may be required to establish a certificate chain for validation. Because TLS is terminated at the router, connections from the router to the endpoints over the internal network are not encrypted. Edge-terminated routes can specify an insecureEdgeTerminationPolicy that enables traffic on insecure schemes ( HTTP ) to be disabled, allowed or redirected. The allowed values for insecureEdgeTerminationPolicy are: None or empty (for disabled), Allow or Redirect . The default insecureEdgeTerminationPolicy is to disable traffic on the insecure scheme. A common use case is to allow content to be served via a secure scheme but serve the assets (example images, stylesheets and javascript) via the insecure scheme. A Secured Route Using Edge Termination Allowing HTTP Traffic apiVersion: v1 kind: Route metadata: name: route-edge-secured-allow-insecure 1 spec: host: www.example.com kind: Service name: service-name 2 termination: edge 3 insecureEdgeTerminationPolicy: Allow 4 [ ... ] The name of the object, which is limited to 63 characters. The termination field is edge for edge termination. The insecure policy to allow requests sent on an insecure scheme HTTP . A Secured Route Using Edge Termination Redirecting HTTP Traffic to HTTPS apiVersion: v1 kind: Route metadata: name: route-edge-secured-redirect-insecure 1 spec: host: www.example.com kind: Service name: service-name 2 termination: edge 3 insecureEdgeTerminationPolicy: Redirect 4 [ ... ] The name of the object, which is limited to 63 characters. The termination field is edge for edge termination. The insecure policy to redirect requests sent on an insecure scheme HTTP to a secure scheme HTTPS . Passthrough Termination With passthrough termination, encrypted traffic is sent straight to the destination without the router providing TLS termination. Therefore no key or certificate is required. A Secured Route Using Passthrough Termination apiVersion: v1 kind: Route metadata: name: route-passthrough-secured 1 spec: host: www.example.com kind: Service name: service-name 2 termination: passthrough 3 The name of the object, which is limited to 63 characters. The termination field is set to passthrough . No other encryption fields are needed. The destination pod is responsible for serving certificates for the traffic at the endpoint. This is currently the only method that can support requiring client certificates (also known as two-way authentication). Passthrough routes can also have an insecureEdgeTerminationPolicy . The only valid values are None (or empty, for disabled) or Redirect . Re-encryption Termination Re-encryption is a variation on edge termination where the router terminates TLS with a certificate, then re-encrypts its connection to the endpoint which may have a different certificate. Therefore the full path of the connection is encrypted, even over the internal network. The router uses health checks to determine the authenticity of the host. A Secured Route Using Re-Encrypt Termination apiVersion: v1 kind: Route metadata: name: route-pt-secured 1 spec: host: www.example.com kind: Service name: service-name 2 termination: reencrypt 3 key: [as in edge termination] certificate: [as in edge termination] caCertificate: [as in edge termination] destinationCACertificate: |- 4 -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- The name of the object, which is limited to 63 characters. The termination field is set to reencrypt . Other fields are as in edge termination. Required for re-encryption. destinationCACertificate specifies a CA certificate to validate the endpoint certificate, securing the connection from the router to the destination pods. If the service is using a service signing certificate, or the administrator has specified a default CA certificate for the router and the service has a certificate signed by that CA, this field can be omitted. If the destinationCACertificate field is left empty, the router automatically leverages the certificate authority that is generated for service serving certificates, and is injected into every pod as /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt . This allows new routes that leverage end-to-end encryption without having to generate a certificate for the route. This is useful for custom routers or the F5 router, which might not allow the destinationCACertificate unless the administrator has allowed it. Re-encrypt routes can have an insecureEdgeTerminationPolicy with all of the same values as edge-terminated routes. 5.7.11. Router Sharding In OpenShift Container Platform, each route can have any number of labels in its metadata field. A router uses selectors (also known as a selection expression ) to select a subset of routes from the entire pool of routes to serve. A selection expression can also involve labels on the route’s namespace. The selected routes form a router shard . You can create and modify router shards independently from the routes, themselves. This design supports traditional sharding as well as overlapped sharding. In traditional sharding, the selection results in no overlapping sets and a route belongs to exactly one shard. In overlapped sharding, the selection results in overlapping sets and a route can belong to many different shards. For example, a single route may belong to a SLA=high shard (but not SLA=medium or SLA=low shards), as well as a geo=west shard (but not a geo=east shard). Another example of overlapped sharding is a set of routers that select based on namespace of the route: Router Selection Namespaces router-1 A* — J* A* , B* , C* , D* , E* , F* , G* , H* , I* , J* router-2 K* — T* K* , L* , M* , N* , O* , P* , Q* , R* , S* , T* router-3 Q* — Z* Q* , R* , S* , T* , U* , V* , W* , X* , Y* , Z* Both router-2 and router-3 serve routes that are in the namespaces Q* , R* , S* , T* . To change this example from overlapped to traditional sharding, we could change the selection of router-2 to K* — P* , which would eliminate the overlap. When routers are sharded, a given route is bound to zero or more routers in the group. The route binding ensures uniqueness of the route across the shard. Uniqueness allows secure and non-secure versions of the same route to exist within a single shard. This implies that routes now have a visible life cycle that moves from created to bound to active. In the sharded environment the first route to hit the shard reserves the right to exist there indefinitely, even across restarts. During a green/blue deployment a route may be selected in multiple routers. An OpenShift Container Platform application administrator may wish to bleed traffic from one version of the application to another and then turn off the old version. Sharding can be done by the administrator at a cluster level and by the user at a project/namespace level. When namespace labels are used, the service account for the router must have cluster-reader permission to permit the router to access the labels in the namespace. For two or more routes that claim the same host name, the resolution order is based on the age of the route and the oldest route would win the claim to that host. In the case of sharded routers, routes are selected based on their labels matching the router’s selection criteria. There is no consistent way to determine when labels are added to a route. So if an older route claiming an existing host name is "re-labelled" to match the router’s selection criteria, it will replace the existing route based on the above mentioned resolution order (oldest route wins). 5.7.12. Alternate Backends and Weights A route is usually associated with one service through the to: token with kind: Service . All of the requests to the route are handled by endpoints in the service based on the load balancing strategy . It is possible to have as many as four services supporting the route. The portion of requests that are handled by each service is governed by the service weight . The first service is entered using the to: token as before, and up to three additional services can be entered using the alternateBackend: token. Each service must be kind: Service which is the default. Each service has a weight associated with it. The portion of requests handled by the service is weight / sum_of_all_weights . When a service has more than one endpoint, the service’s weight is distributed among the endpoints with each endpoint getting at least 1. If the service weight is 0 each of the service’s endpoints will get 0. The weight must be in the range 0-256. The default is 100. When the weight is 0, the service does not participate in load-balancing but continues to serve existing persistent connections. When using alternateBackends also use the roundrobin load balancing strategy to ensure requests are distributed as expected to the services based on weight . roundrobin can be set for a route using a route annotation , or for the router in general using an environment variable. The following is an example route configuration using alternate backends for A/B deployments . A Route with alternateBackends and weights: apiVersion: v1 kind: Route metadata: name: route-alternate-service annotations: haproxy.router.openshift.io/balance: roundrobin 1 spec: host: www.example.com kind: Service name: service-name 2 weight: 20 3 alternateBackends: - kind: Service name: service-name2 4 weight: 10 5 - kind: Service name: service-name3 6 weight: 10 7 This route uses roundrobin load balancing strategy . The first service name is service-name which may have 0 or more pods The alternateBackend services may also have 0 or more pods 3 5 7 The total weight is 40. service-name will get 20/40 or 1/2 of the requests, service-name2 and service-name3 will each get 1/4 of the requests, assuming each service has 1 or more endpoints. 5.7.13. Route-specific Annotations Using environment variables, a router can set the default options for all the routes it exposes. An individual route can override some of these defaults by providing specific configurations in its annotations. Route Annotations For all the items outlined in this section, you can set annotations on the route definition for the route to alter its configuration Table 5.5. Route Annotations Variable Description Environment Variable Used as Default haproxy.router.openshift.io/balance Sets the load-balancing algorithm. Available options are source , roundrobin , and leastconn . ROUTER_TCP_BALANCE_SCHEME for passthrough routes. Otherwise, use ROUTER_LOAD_BALANCE_ALGORITHM . haproxy.router.openshift.io/disable_cookies Disables the use of cookies to track related connections. If set to true or TRUE , the balance algorithm is used to choose which back-end serves connections for each incoming HTTP request. router.openshift.io/cookie_name Specifies an optional cookie to use for this route. The name must consist of any combination of upper and lower case letters, digits, "_", and "-". The default is the hashed internal key name for the route. haproxy.router.openshift.io/pod-concurrent-connections Sets the maximum number of connections that are allowed to a backing pod from a router. Note: if there are multiple pods, each can have this many connections. But if you have multiple routers, there is no coordination among them, each may connect this many times. If not set, or set to 0, there is no limit. haproxy.router.openshift.io/rate-limit-connections Setting true or TRUE to enables rate limiting functionality. haproxy.router.openshift.io/rate-limit-connections.concurrent-tcp Limits the number of concurrent TCP connections shared by an IP address. haproxy.router.openshift.io/rate-limit-connections.rate-http Limits the rate at which an IP address can make HTTP requests. haproxy.router.openshift.io/rate-limit-connections.rate-tcp Limits the rate at which an IP address can make TCP connections. haproxy.router.openshift.io/timeout Sets a server-side timeout for the route. (TimeUnits) ROUTER_DEFAULT_SERVER_TIMEOUT router.openshift.io/haproxy.health.check.interval Sets the interval for the back-end health checks. (TimeUnits) ROUTER_BACKEND_CHECK_INTERVAL haproxy.router.openshift.io/ip_whitelist Sets a whitelist for the route. haproxy.router.openshift.io/hsts_header Sets a Strict-Transport-Security header for the edge terminated or re-encrypt route. router.openshift.io/cookie-same-site Sets a value to restrict cookies. The values are: Lax : cookies are transferred between the visited site and third-party sites. Strict : cookies are restricted to the visited site. None : cookies are restricted to the visited site. This value is applicable to re-encrypt and edge routes only. For more information, see the SameSite cookies documentation . A Route Setting Custom Timeout apiVersion: v1 kind: Route metadata: annotations: haproxy.router.openshift.io/timeout: 5500ms 1 [...] Specifies the new timeout with HAProxy supported units (us, ms, s, m, h, d). If unit not provided, ms is the default. Setting a server-side timeout value for passthrough routes too low can cause WebSocket connections to timeout frequently on that route. 5.7.14. Route-specific IP Whitelists You can restrict access to a route to a select set of IP addresses by adding the haproxy.router.openshift.io/ip_whitelist annotation on the route. The whitelist is a space-separated list of IP addresses and/or CIDRs for the approved source addresses. Requests from IP addresses that are not in the whitelist are dropped. Some examples: When editing a route, add the following annotation to define the desired source IP’s. Alternatively, use oc annotate route <name> . Allow only one specific IP address: metadata: annotations: haproxy.router.openshift.io/ip_whitelist: 192.168.1.10 Allow several IP addresses: metadata: annotations: haproxy.router.openshift.io/ip_whitelist: 192.168.1.10 192.168.1.11 192.168.1.12 Allow an IP CIDR network: metadata: annotations: haproxy.router.openshift.io/ip_whitelist: 192.168.1.0/24 Allow mixed IP addresses and IP CIDR networks: metadata: annotations: haproxy.router.openshift.io/ip_whitelist: 180.5.61.153 192.168.1.0/24 10.0.0.0/8 5.7.15. Creating Routes Specifying a Wildcard Subdomain Policy A wildcard policy allows a user to define a route that covers all hosts within a domain (when the router is configured to allow it). A route can specify a wildcard policy as part of its configuration using the wildcardPolicy field. Any routers run with a policy allowing wildcard routes will expose the route appropriately based on the wildcard policy. Learn how to configure HAProxy routers to allow wildcard routes . A Route Specifying a Subdomain WildcardPolicy apiVersion: v1 kind: Route spec: host: wildcard.example.com 1 wildcardPolicy: Subdomain 2 kind: Service name: service-name Specifies the externally reachable host name used to expose a service. Specifies that the externally reachable host name should allow all hosts in the subdomain example.com . *.example.com is the subdomain for host name wildcard.example.com to reach the exposed service. 5.7.16. Route Status The route status field is only set by routers. If changes are made to a route so that a router no longer serves a specific route, the status becomes stale. The routers do not clear the route status field. To remove the stale entries in the route status, use the clear-route-status script . 5.7.17. Denying or Allowing Certain Domains in Routes A router can be configured to deny or allow a specific subset of domains from the host names in a route using the ROUTER_DENIED_DOMAINS and ROUTER_ALLOWED_DOMAINS environment variables. ROUTER_DENIED_DOMAINS Domains listed are not allowed in any indicated routes. ROUTER_ALLOWED_DOMAINS Only the domains listed are allowed in any indicated routes. The domains in the list of denied domains take precedence over the list of allowed domains. Meaning OpenShift Container Platform first checks the deny list (if applicable), and if the host name is not in the list of denied domains, it then checks the list of allowed domains. However, the list of allowed domains is more restrictive, and ensures that the router only admits routes with hosts that belong to that list. For example, to deny the [*.]open.header.test , [*.]openshift.org and [*.]block.it routes for the myrouter route, run the following two commands: $ oc adm router myrouter ... $ oc set env dc/myrouter ROUTER_DENIED_DOMAINS="open.header.test, openshift.org, block.it" This means that myrouter will admit the following based on the route’s name: $ oc expose service/<name> --hostname="foo.header.test" $ oc expose service/<name> --hostname="www.allow.it" $ oc expose service/<name> --hostname="www.openshift.test" However, myrouter will deny the following: $ oc expose service/<name> --hostname="open.header.test" $ oc expose service/<name> --hostname="www.open.header.test" $ oc expose service/<name> --hostname="block.it" $ oc expose service/<name> --hostname="franco.baresi.block.it" $ oc expose service/<name> --hostname="openshift.org" $ oc expose service/<name> --hostname="api.openshift.org" Alternatively, to block any routes where the host name is not set to [*.]stickshift.org or [*.]kates.net , run the following two commands: $ oc adm router myrouter ... $ oc set env dc/myrouter ROUTER_ALLOWED_DOMAINS="stickshift.org, kates.net" This means that the myrouter router will admit: $ oc expose service/<name> --hostname="stickshift.org" $ oc expose service/<name> --hostname="www.stickshift.org" $ oc expose service/<name> --hostname="kates.net" $ oc expose service/<name> --hostname="api.kates.net" $ oc expose service/<name> --hostname="erno.r.kube.kates.net" However, myrouter will deny the following: $ oc expose service/<name> --hostname="www.open.header.test" $ oc expose service/<name> --hostname="drive.ottomatic.org" $ oc expose service/<name> --hostname="www.wayless.com" $ oc expose service/<name> --hostname="www.deny.it" To implement both scenarios, run the following two commands: $ oc adm router adrouter ... $ oc set env dc/adrouter ROUTER_ALLOWED_DOMAINS="okd.io, kates.net" \ ROUTER_DENIED_DOMAINS="ops.openshift.org, metrics.kates.net" This will allow any routes where the host name is set to [*.]openshift.org or [*.]kates.net , and not allow any routes where the host name is set to [*.]ops.openshift.org or [*.]metrics.kates.net . Therefore, the following will be denied: $ oc expose service/<name> --hostname="www.open.header.test" $ oc expose service/<name> --hostname="ops.openshift.org" $ oc expose service/<name> --hostname="log.ops.openshift.org" $ oc expose service/<name> --hostname="www.block.it" $ oc expose service/<name> --hostname="metrics.kates.net" $ oc expose service/<name> --hostname="int.metrics.kates.net" However, the following will be allowed: $ oc expose service/<name> --hostname="openshift.org" $ oc expose service/<name> --hostname="api.openshift.org" $ oc expose service/<name> --hostname="m.api.openshift.org" $ oc expose service/<name> --hostname="kates.net" $ oc expose service/<name> --hostname="api.kates.net" 5.7.18. Support for Kubernetes ingress objects The Kubernetes ingress object is a configuration object determining how inbound connections reach internal services. OpenShift Container Platform has support for these objects using a ingress controller configuration file. This controller watches ingress objects and creates one or more routes to satisfy the conditions of the ingress object. The controller is also responsible for keeping the ingress object and generated route objects synchronized. This includes giving generated routes permissions on the secrets associated with the ingress object. For example, an ingress object configured as: kind: Ingress apiVersion: extensions/v1beta1 metadata: name: test spec: rules: - host: test.com http: paths: - path: /test backend: serviceName: test-1 servicePort: 80 generates the following route object: kind: Route apiVersion: route.openshift.io/v1 metadata: name: test-a34th 1 ownerReferences: - apiVersion: extensions/v1beta1 kind: Ingress name: test controller: true spec: host: test.com path: /test name: test-1 port: targetPort: 80 1 The name is generated by the route objects, with the ingress name as a prefix. In order for a route to be created, an ingress object must have a host, service, and path. 5.7.19. Disabling the Namespace Ownership Check Hosts and subdomains are owned by the namespace of the route that first makes the claim. Other routes created in the namespace can make claims on the subdomain. All other namespaces are prevented from making claims on the claimed hosts and subdomains. The namespace that owns the host also owns all paths associated with the host, for example www.abc.xyz/path1 . For example, if the host www.abc.xyz is not claimed by any route. Creating route r1 with host www.abc.xyz in namespace ns1 makes namespace ns1 the owner of host www.abc.xyz and subdomain abc.xyz for wildcard routes. If another namespace, ns2 , tries to create a route with say a different path www.abc.xyz/path1/path2 , it would fail because a route in another namespace ( ns1 in this case) owns that host. With wildcard routes the namespace that owns the subdomain owns all hosts in the subdomain. If a namespace owns subdomain abc.xyz as in the above example, another namespace cannot claim z.abc.xyz . By disabling the namespace ownership rules, you can disable these restrictions and allow hosts (and subdomains) to be claimed across namespaces. Warning If you decide to disable the namespace ownership checks in your router, be aware that this allows end users to claim ownership of hosts across namespaces. While this change can be desirable in certain development environments, use this feature with caution in production environments, and ensure that your cluster policy has locked down untrusted end users from creating routes. For example, with ROUTER_DISABLE_NAMESPACE_OWNERSHIP_CHECK=true , if namespace ns1 creates the oldest route r1 www.abc.xyz , it owns only the hostname (+ path). Another namespace can create a wildcard route even though it does not have the oldest route in that subdomain ( abc.xyz ) and we could potentially have other namespaces claiming other non-wildcard overlapping hosts (for example, foo.abc.xyz , bar.abc.xyz , baz.abc.xyz ) and their claims would be granted. Any other namespace (for example, ns2 ) can now create a route r2 www.abc.xyz/p1/p2 , and it would be admitted. Similarly another namespace ( ns3 ) can also create a route wildthing.abc.xyz with a subdomain wildcard policy and it can own the wildcard. As this example demonstrates, the policy ROUTER_DISABLE_NAMESPACE_OWNERSHIP_CHECK=true is more lax and allows claims across namespaces. The only time the router would reject a route with the namespace ownership disabled is if the host+path is already claimed. For example, if a new route rx tries to claim www.abc.xyz/p1/p2 , it would be rejected as route r2 owns that host+path combination. This is true whether route rx is in the same namespace or other namespace since the exact host+path is already claimed. This feature can be set during router creation or by setting an environment variable in the router’s deployment configuration. Set During Router Creation $ oc adm router ... --disable-namespace-ownership-check=true Set Environment Variable in Router Deployment Configuration $ oc set env dc/router ROUTER_DISABLE_NAMESPACE_OWNERSHIP_CHECK=true Chapter 6. Service Catalog Components 6.1. Service Catalog 6.1.1. Overview When developing microservices-based applications to run on cloud native platforms, there are many ways to provision different resources and share their coordinates, credentials, and configuration, depending on the service provider and the platform. To give developers a more seamless experience, OpenShift Container Platform includes a service catalog , an implementation of the Open Service Broker API (OSB API) for Kubernetes. This allows users to connect any of their applications deployed in OpenShift Container Platform to a wide variety of service brokers. The service catalog allows cluster administrators to integrate multiple platforms using a single API specification. The OpenShift Container Platform web console displays the cluster service classes offered by service brokers in the service catalog, allowing users to discover and instantiate those services for use with their applications. As a result, service users benefit from ease and consistency of use across different types of services from different providers, while service providers benefit from having one integration point that gives them access to multiple platforms. 6.1.2. Design The design of the service catalog follows this basic workflow: New terms in the following are defined further in Concepts and Terminology . A cluster administrator registers one or more cluster service brokers with their OpenShift Container Platform cluster. This can be done automatically during installation for some default-provided service brokers or manually. Each service broker specifies a set of cluster service classes and variations of those services ( service plans ) to OpenShift Container Platform that should be made available to users. Using the OpenShift Container Platform web console or CLI, users discover the services that are available. For example, a cluster service class may be available that is a database-as-a-service called BestDataBase. A user chooses a cluster service class and requests a new instance of their own. For example, a service instance may be a BestDataBase instance named my_db . A user links, or binds , their service instance to a set of pods (their application). For example, the my_db service instance may be bound to the user’s application called my_app . When a user makes a request to provision or deprovision a resource, the request is made to the service catalog, which then sends a request to the appropriate cluster service broker. With some services, some operations such as provision , deprovision , and update are expected to take some time to fulfill. If the cluster service broker is unavailable, the service catalog will continue to retry the operation. This infrastructure allows a loose coupling between applications running in OpenShift Container Platform and the services they use. This allows the application that uses those services to focus on its own business logic while leaving the management of these services to the provider. 6.1.2.1. Deleting Resources When a user is done with a service (or perhaps no longer wishes to be billed), the service instance can be deleted. In order to delete the service instance, the service bindings must be removed first. Deleting the service bindings is known as unbinding . Part of the deletion process includes deleting the secret that references the service binding being deleted. Once all the service bindings are removed, the service instance may be deleted. Deleting the service instance is known as deprovisioning . If a project or namespace containing service bindings and service instances is deleted, the service catalog must first request the cluster service broker to delete the associated instances and bindings. This is expected to delay the actual deletion of the project or namespace since the service catalog must communicate with cluster service brokers and wait for them to perform their deprovisioning work. In normal circumstances, this may take several minutes or longer depending on the service. If you delete a service binding used by a deployment, you must also remove any references to the binding secret from the deployment. Otherwise, the next rollout will fail. 6.1.3. Concepts and Terminology Cluster Service Broker A cluster service broker is a server that conforms to the OSB API specification and manages a set of one or more services. The software could be hosted within your own OpenShift Container Platform cluster or elsewhere. Cluster administrators can create ClusterServiceBroker API resources representing cluster service brokers and register them with their OpenShift Container Platform cluster. This allows cluster administrators to make new types of managed services using that cluster service broker available within their cluster. A ClusterServiceBroker resource specifies connection details for a cluster service broker and the set of services (and variations of those services) to OpenShift Container Platform that should then be made available to users. Of special note is the authInfo section, which contains the data used to authenticate with the cluster service broker. Example ClusterServiceBroker Resource apiVersion: servicecatalog.k8s.io/v1beta1 kind: ClusterServiceBroker metadata: name: BestCompanySaaS spec: url: http://bestdatabase.example.com authInfo: basic: secretRef: namespace: test-ns name: secret-name Cluster Service Class Also synonymous with "service" in the context of the service catalog, a cluster service class is a type of managed service offered by a particular cluster service broker. Each time a new cluster service broker resource is added to the cluster, the service catalog controller connects to the corresponding cluster service broker to obtain a list of service offerings. A new ClusterServiceClass resource is automatically created for each. OpenShift Container Platform also has a core concept called services , which are separate Kubernetes resources related to internal load balancing. These resources are not to be confused with how the term is used in the context of the service catalog and OSB API. Example ClusterServiceClass Resource apiVersion: servicecatalog.k8s.io/v1beta1 kind: ClusterServiceClass metadata: name: smallDB brokerName: BestDataBase plans: [...] Cluster Service Plan A cluster service plan represents tiers of a cluster service class. For example, a cluster service class may expose a set of plans that offer varying degrees of quality-of-service (QoS), each with a different cost associated with it. Service Instance A service instance is a provisioned instance of a cluster service class. When a user wants to use the capability provided by a service class, they can create a new service instance. When a new ServiceInstance resource is created, the service catalog controller connects to the appropriate cluster service broker and instructs it to provision the service instance. Example ServiceInstance Resource apiVersion: servicecatalog.k8s.io/v1beta1 kind: ServiceInstance metadata: name: my_db namespace: test-ns spec: externalClusterServiceClassName: smallDB externalClusterServicePlanName: default Application The term application refers to the OpenShift Container Platform deployment artifacts, for example pods running in a user’s project, that will use a service instance . Credentials Credentials are information needed by an application to communicate with a service instance. Service Binding A service binding is a link between a service instance and an application. These are created by cluster users who wish for their applications to reference and use a service instance. Upon creation, the service catalog controller creates a Kubernetes secret containing connection details and credentials for the service instance. Such secrets can be mounted into pods as usual. Example ServiceBinding Resource apiVersion: servicecatalog.k8s.io/v1beta1 kind: ServiceBinding metadata: name: myBinding namespace: test-ns spec: instanceRef: name: my_db parameters: securityLevel: confidential secretName: mySecret Users should not use the web console to change the prefix of environment variables for instantiated instances, as it can cause application routes to become inaccessible. Parameters A parameter is a special field available to pass additional data to the cluster service broker when using either service bindings or service instances. The only formatting requirement is for the parameters to be valid YAML (or JSON). In the above example, a security level parameter is passed to the cluster service broker in the service binding request. For parameters that need more security, place them in a secret and reference them using parametersFrom . Example Service Binding Resource Referencing a Secret apiVersion: servicecatalog.k8s.io/v1beta1 kind: ServiceBinding metadata: name: myBinding namespace: test-ns spec: instanceRef: name: my_db parametersFrom: - secretKeyRef: name: securityLevel key: myKey secretName: mySecret 6.1.4. Provided Cluster Service Brokers OpenShift Container Platform provides the following cluster service brokers for use with the service catalog. Template Service Broker OpenShift Ansible Broker 6.2. Service catalog command-line interface (CLI) 6.2.1. Overview The basic workflow of interacting with the service catalog is that: The cluster administrator installs and registers a broker server to make available its services. The users use those services by instantiating them in an OpenShift project and linking those service instances to their pods. The Service Catalog command-line interface (CLI) utility called svcat is available to handle these user related tasks. While oc commands can perform the same tasks, you can use svcat for easier interaction with Service Catalog resources. svcat communicates with the Service Catalog API by using the aggregated API endpoint on an OpenShift cluster. 6.2.2. Installing svcat You can install svcat as an RPM by using Red Hat Subscription Management (RHSM) if you have an active OpenShift Enterprise subscription on your Red Hat account: # yum install atomic-enterprise-service-catalog-svcat 6.2.2.1. Considerations for cloud providers Google Compute Engine For Google Cloud Platform, run the following command to setup firewall rules to allow incoming traffic: $ gcloud compute firewall-rules create allow-service-catalog-secure --allow tcp:30443 --description "Allow incoming traffic on 30443 port." 6.2.3. Using svcat This section includes common commands to handle the user associated tasks listed in the service catalog workflow . Use the svcat --help command to get more information and view other available command-line options. The sample output in this section assumes that the Ansible Service Broker is already installed on the cluster. 6.2.3.1. Get broker details You can view a list available brokers, sync the broker catalog, and get details about brokers deployed in the service catalog. 6.2.3.1.1. Find brokers To view all the brokers installed on the cluster: $ svcat get brokers Example Output NAME URL STATUS +-------------------------+-------------------------------------------------------------------------------------------+--------+ ansible-service-broker https://asb.openshift-ansible-service-broker.svc:1338/ansible-service-broker Ready template-service-broker https://apiserver.openshift-template-service-broker.svc:443/brokers/template.openshift.io Ready 6.2.3.1.2. Sync broker catalog To refresh the catalog metadata from the broker: $ svcat sync broker ansible-service-broker Example Output Synchronization requested for broker: ansible-service-broker 6.2.3.1.3. View broker details To view the details of the broker: $ svcat describe broker ansible-service-broker Example Output Name: ansible-service-broker URL: https://openshift-automation-service-broker.openshift-automation-service-broker.svc:1338/openshift-automation-service-broker/ Status: Ready - Successfully fetched catalog entries from broker @ 2018-06-07 00:32:59 +0000 UTC 6.2.3.2. View service classes and service plans When you create a ClusterServiceBroker resource, the service catalog controller queries the broker server to find all services it offers and creates a service class ( ClusterServiceClass ) for each of those services. Additionally, it also creates service plans ( ClusterServicePlan ) for each of the broker’s services. 6.2.3.2.1. View service classes To view the available ClusterServiceClass resources: $ svcat get classes Example Output NAME DESCRIPTION +-------------------+--------------------------------+ rh-mediawiki-apb Mediawiki apb implementation rh-mariadb-apb Mariadb apb implementation rh-mysql-apb Software Collections MySQL APB rh-postgresql-apb SCL PostgreSQL apb implementation To view details of a service class: $ svcat describe class rh-postgresql-apb Example Output Name: rh-postgresql-apb Description: SCL PostgreSQL apb implementation UUID: d5915e05b253df421efe6e41fb6a66ba Status: Active Tags: database, postgresql Broker: ansible-service-broker Plans: NAME DESCRIPTION +------+--------------------------------+ prod A single DB server with persistent storage dev A single DB server with no storage 6.2.3.2.2. View service plans To view the ClusterServicePlan resources available in the cluster: $ svcat get plans Example Output NAME CLASS DESCRIPTION +---------+-------------------+--------------------------------+ default rh-mediawiki-apb An APB that deploys MediaWiki prod rh-mariadb-apb This plan deploys a single MariaDB instance with 10 GiB of persistent storage dev rh-mariadb-apb This plan deploys a single MariaDB instance with ephemeral storage prod rh-mysql-apb A MySQL server with persistent storage dev rh-mysql-apb A MySQL server with ephemeral storage prod rh-postgresql-apb A single DB server with persistent storage dev rh-postgresql-apb A single DB server with no storage View details of a plan: $ svcat describe plan rh-postgresql-apb/dev Example Output Name: dev Description: A single DB server with no storage UUID: 9783fc2e859f9179833a7dd003baa841 Status: Active Free: true Class: rh-postgresql-apb Instances: No instances defined Instance Create Parameter Schema: $schema: http://json-schema.org/draft-04/schema additionalProperties: false properties: postgresql_database: default: admin pattern: ^[a-zA-Z_][a-zA-Z0-9_]*$ title: PostgreSQL Database Name type: string postgresql_password: pattern: ^[a-zA-Z0-9_~!@#$%^&*()-=<>,.?;:|]+$ title: PostgreSQL Password type: string postgresql_user: default: admin maxLength: 63 pattern: ^[a-zA-Z_][a-zA-Z0-9_]*$ title: PostgreSQL User type: string postgresql_version: default: "9.6" enum: - "9.6" - "9.5" - "9.4" title: PostgreSQL Version type: string required: - postgresql_database - postgresql_user - postgresql_password - postgresql_version type: object Instance Update Parameter Schema: $schema: http://json-schema.org/draft-04/schema additionalProperties: false properties: postgresql_version: default: "9.6" enum: - "9.6" - "9.5" - "9.4" title: PostgreSQL Version type: string required: - postgresql_version type: object Binding Create Parameter Schema: $schema: http://json-schema.org/draft-04/schema additionalProperties: false type: object 6.2.3.3. Provision services Provisioning means to make the service available for consumption. To provision a service, you need to create a service instance and then bind to it. 6.2.3.3.1. Create ServiceInstance Note Service instances must be created inside an OpenShift namespace. Create a new project. $ oc new-project <project-name> 1 1 Replace <project-name> with the name of your project. Create service instance using the command: $ svcat provision postgresql-instance --class rh-postgresql-apb --plan dev --params-json '{"postgresql_database":"admin","postgresql_password":"admin","postgresql_user":"admin","postgresql_version":"9.6"}' -n szh-project Example Output Name: postgresql-instance Namespace: szh-project Status: Class: rh-postgresql-apb Plan: dev Parameters: postgresql_database: admin postgresql_password: admin postgresql_user: admin postgresql_version: "9.6" 6.2.3.3.1.1. View service instance details To view service instance details: $ svcat get instance Example Output NAME NAMESPACE CLASS PLAN STATUS +---------------------+-------------+-------------------+------+--------+ postgresql-instance szh-project rh-postgresql-apb dev Ready 6.2.3.3.2. Create ServiceBinding When you create a ServiceBinding resource: The service catalog controller communicates with the broker server to initiate the binding. The broker server create credentials and issue them to the service catalog controller. The service catalog controller adds those credentials as secrets to the project. Create the service binding using the command: $ svcat bind postgresql-instance --name mediawiki-postgresql-binding Example Output Name: mediawiki-postgresql-binding Namespace: szh-project Status: Instance: postgresql-instance Parameters: 6.2.3.3.2.1. View service binding details To view service binding details: $ svcat get bindings Example Output NAME NAMESPACE INSTANCE STATUS +------------------------------+-------------+---------------------+--------+ mediawiki-postgresql-binding szh-project postgresql-instance Ready Verify the instance details after binding the service: $ svcat describe instance postgresql-instance Example Output Name: postgresql-instance Namespace: szh-project Status: Ready - The instance was provisioned successfully @ 2018-06-05 08:42:55 +0000 UTC Class: rh-postgresql-apb Plan: dev Parameters: postgresql_database: admin postgresql_password: admin postgresql_user: admin postgresql_version: "9.6" Bindings: NAME STATUS +------------------------------+--------+ mediawiki-postgresql-binding Ready 6.2.4. Deleting resources To delete service catalog related resources, you need to unbind service bindings and deprovision the service instances. 6.2.4.1. Deleting service bindings To delete all service bindings associated with a service instance: $ svcat unbind -n <project-name> 1 \ <instance-name> 2 1 Name of the project that contains the service instance. Name of the service instance associated with the binding. For example: $ svcat unbind -n szh-project postgresql-instance Example Output deleted mediawiki-postgresql-binding Verify that all service bindings are deleted: $ svcat get bindings Example Output NAME NAMESPACE INSTANCE STATUS +------+-----------+----------+--------+ Running this command deletes all service bindings for the instance. For deleting individual bindings from within an instance run the command svcat unbind -n <project-name> --name <binding-name> . For example, svcat unbind -n szh-project --name mediawiki-postgresql-binding . Verify that the associated secret is deleted. $ oc get secret -n szh-project Example Output NAME TYPE DATA AGE builder-dockercfg-jxk48 kubernetes.io/dockercfg 1 9m builder-token-92jrf kubernetes.io/service-account-token 4 9m builder-token-b4sm6 kubernetes.io/service-account-token 4 9m default-dockercfg-cggcr kubernetes.io/dockercfg 1 9m default-token-g4sg7 kubernetes.io/service-account-token 4 9m default-token-hvdpq kubernetes.io/service-account-token 4 9m deployer-dockercfg-wm8th kubernetes.io/dockercfg 1 9m deployer-token-hnk5w kubernetes.io/service-account-token 4 9m deployer-token-xfr7c kubernetes.io/service-account-token 4 9m 6.2.4.2. Deleting service instances To deprovision the service instance: $ svcat deprovision postgresql-instance Example Output deleted postgresql-instance Verify the instance is deleted: $ svcat get instance Example Output NAME NAMESPACE CLASS PLAN STATUS +------+-----------+-------+------+--------+ 6.2.4.3. Deleting service brokers To remove broker services for the service catalog, delete the ClusterServiceBroker resource: $ oc delete clusterservicebrokers template-service-broker Example Output clusterservicebroker "template-service-broker" deleted To view all the brokers installed on the cluster: $ svcat get brokers Example Output NAME URL STATUS +-------------------------+-------------------------------------------------------------------------------------------+--------+ ansible-service-broker https://asb.openshift-ansible-service-broker.svc:1338/ansible-service-broker Ready View the ClusterServiceClass resources for the broker to verify that the broker is removed: $ svcat get classes Example Output NAME DESCRIPTION +------+-------------+ 6.3. Template Service Broker The template service broker (TSB) gives the service catalog visibility into the default Instant App and Quickstart templates that have shipped with OpenShift Container Platform since its initial release. The TSB can also make available as a service anything for which an OpenShift Container Platform template has been written, whether provided by Red Hat, a cluster administrator or user, or a third party vendor. By default, the TSB shows the objects that are globally available from the openshift project. It can also be configured to watch any other project that a cluster administrator chooses. 6.4. OpenShift Ansible Broker 6.4.1. Overview The OpenShift Ansible broker (OAB) is an implementation of the Open Service Broker (OSB) API that manages applications defined by Ansible playbook bundles (APBs) . APBs provide a new method for defining and distributing container applications in OpenShift Container Platform, consisting of a bundle of Ansible playbooks built into a container image with an Ansible runtime. APBs leverage Ansible to create a standard mechanism for automating complex deployments. The design of the OAB follows this basic workflow: A user requests list of available applications from the service catalog using the OpenShift Container Platform web console. The service catalog requests the OAB for available applications. The OAB communicates with a defined container image registry to learn which APBs are available. The user issues a request to provision a specific APB. The provision request makes its way to the OAB, which fulfills the user’s request by invoking the provision method on the APB. 6.4.2. Ansible Playbook Bundles An Ansible playbook bundle (APB) is a lightweight application definition that allows you to leverage existing investment in Ansible roles and playbooks. APBs use a simple directory with named playbooks to perform OSB API actions, such as provision and bind. Metadata defined in apb.yml spec file contains a list of required and optional parameters for use during deployment. See the APB Development Guide for details on the overall design and how APBs are written. 6.5. AWS Service Broker The AWS Service Broker provides access to Amazon Web Services (AWS) through the OpenShift Container Platform service catalog. AWS services and components can be configured and viewed in both the OpenShift Container Platform web console and the AWS dashboards. Figure 6.1. Example AWS services in the OpenShift Container Platform service catalog For information on installing the AWS Service Broker, see the AWS Service Broker Documentation in the Amazon Web Services - Labs docs repository. The AWS Service Broker is supported and qualified on OpenShift Container Platform. It is offered directly from Amazon as a download and as such, many components of this service broker solution are supported directly by Amazon for the most recent two versions with a lag of two months after a new OpenShift Container Platform release. Red Hat provides support for the installation and troubleshooting of the OpenShift cluster and service catalog issues. Legal Notice The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/ . In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version. Modified versions must remove all Red Hat trademarks. Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law. Portions adapted from https://github.com/kubernetes-incubator/service-catalog/ with modifications by Red Hat. Licensed under the Apache License 2.0 . Red Hat, Red Hat Enterprise Linux, the Red Hat logo, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries. Linux ® is the registered trademark of Linus Torvalds in the United States and other countries. Java ® is a registered trademark of Oracle and/or its affiliates. XFS ® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries. MySQL ® is a registered trademark of MySQL AB in the United States, the European Union and other countries. Node.js ® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project. The OpenStack ® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community. All other trademarks are the property of their respective owners.