OpenShift Network Operations: Difference between revisions

From NovaOrdis Knowledge Base
(7 intermediate revisions by the same user not shown)
Line 36: Line 36:
==Isolating Projects==
==Isolating Projects==


  [[oadm]] pod-network isolate-projects <''project-1''> <''project-2''> ...
  [[Oadm#Commands|oadm pod-network]] isolate-projects <''project-1''> <''project-2''> ...


As result of executing the command, all pods and services in project-1 and project-2 cannot access any pods and services from other non-global projects in the cluster and vice-versa.
As result of executing the command, all pods and services in project-1 and project-2 cannot access any pods and services from other non-global projects in the cluster and vice-versa.
Line 42: Line 42:
==Joining Projects==
==Joining Projects==


  oadm pod-network join-projects <''project-1-name''> <''project-2-name''> ...
Allow project project2 to use project's project1 network:
 
  [[Oadm#Commands|oadm pod-network]] join-projects --to=<''project1-name''> <''project2-name''>


==Making Projects Global==
==Making Projects Global==


  oadm pod-network make-projects-global <''project-1-name''> <''project-2-name''> ...
  [[Oadm#Commands|oadm pod-network]] make-projects-global <''project1-name''> <''project2-name''> ...


As result of executing the command, all pods and services in project-1 and project-2 can now access any pods and services from other non-global projects in the cluster and vice-versa, becoming  [[OpenShift_Concepts#Global_Project|global]] projects. The command performs a PUT https&#58;//master/oapi/v1/netnamespaces/''<project-name>'' setting the "pod.network.openshift.io/multitenant.change-network:global" annotation, which in fact sets the project's VIND to 0.
As result of executing the command, all pods and services in project1 and project2 can now access any pods and services from other non-global projects in the cluster and vice-versa, becoming  [[OpenShift_Concepts#Global_Project|global]] projects. The command performs a PUT https&#58;//master/oapi/v1/netnamespaces/''<project-name>'' setting the "pod.network.openshift.io/multitenant.change-network:global" annotation, which in fact sets the project's VIND to 0.


=Route Operations=
=Port Forwarding=


==Route Information==
  [[oc port-forward]] -p <''pod-name''> -p <''app-name''> localPort:8787
 
oc get route
 
oc edit route nexus
 
==Expose a Service==
 
  [[oc expose]] service <''service-name''> [--hostname=os.novaordis.io]
 
==Specifying Termination Policy==
 
In some cases, services were not publicly exposed because their route did not have a termination policy. To add a termination policy:
 
oc edit route <''route-name''>


and then
=Deploy a Simple Pod that Allows Arbitrary Commands in a Project=


spec:
{{Internal|OpenShift Simple Pod Running inside an OpenShift Project|Simple Pod Running inside an OpenShift Project}}
  ...
  tls:
    insecureEdgeTerminationPolicy: Redirect
    termination: edge
  ...
 
=Port Forwarding=
 
[[oc port-forward]] -p <''pod-name''> -p <''app-name''> localPort:8787
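Review bot: the Making Projects Global paragraph in the new revision still ends with "sets the project's VIND to 0", while the rest of the page calls the identifier VNID; correct the spelling while this paragraph is being edited. In the relocated Port Forwarding line, -p is given twice (<pod-name> and <app-name>) and localPort is not marked as a placeholder like the other arguments, so state which value -p takes and write the local port as a placeholder. The revision also drops the Route Operations section, including the termination-policy snippet (insecureEdgeTerminationPolicy: Redirect, termination: edge); if that material moved to another page, link it from here.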

Latest revision as of 22:02, 8 December 2017

Information about the Network Plugin and the Network Status

oc get clusternetwork

Information about Virtual Networks Assigned to Each Project

Displays the Virtual Network ID (VNID) assigned to each project. This is meaningful only with the ovs-multitenant SDN plugin.

oc get netnamespaces
NAME               NETID
default            0
kube-system        11092823
logging            6208947
management-infra   5562275
openshift          8714409
openshift-infra    13183382
pizzaparty-dev     5721085
playground         7804116

For a specific project name:

oc get netnamespaces <project-name>

Pod Network Management

Isolating Projects

oadm pod-network isolate-projects <project-1> <project-2> ...

As a result of executing the command, pods and services in project-1 and project-2 cannot access pods and services in other non-global projects in the cluster, and vice versa.

Joining Projects

Allow project2 to use project1's network:

oadm pod-network join-projects --to=<project1-name> <project2-name>

Making Projects Global

oadm pod-network make-projects-global <project1-name> <project2-name> ...

As a result of executing the command, all pods and services in project1 and project2 can access pods and services in other non-global projects in the cluster, and vice versa; the projects become global projects. The command performs a PUT to https://master/oapi/v1/netnamespaces/<project-name>, setting the "pod.network.openshift.io/multitenant.change-network:global" annotation, which in effect sets the project's VNID to 0.
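Added example, not part of the original page: a shell function that reads the "oc get netnamespaces" table and reports which projects are global (NETID 0) and which share a NETID after join-projects, so the effect of the pod-network commands above can be checked. The function names audit_netnamespaces and sample_netnamespaces are hypothetical, and the sample table is constructed from the listing above with two NETIDs altered.

```shell
#!/usr/bin/env bash
# Added example: audit ovs-multitenant isolation from `oc get netnamespaces`.
# Arguments: names of projects that are expected to be global (VNID 0).
# Reads the NAME/NETID table on stdin and prints one finding per line:
#   GLOBAL-EXPECTED <project>     VNID 0 and on the expected list
#   GLOBAL-UNEXPECTED <project>   VNID 0 but not on the expected list
#   SHARED <netid> <p1>,<p2>,...  projects joined onto the same VNID
# Real use: oc get netnamespaces | audit_netnamespaces default
audit_netnamespaces() {
  awk -v allowed="$*" '
    BEGIN {
      cnt = split(allowed, names, " ")
      for (i = 1; i <= cnt; i++) ok[names[i]] = 1
    }
    NR == 1 && $1 == "NAME" { next }   # header row
    $2 !~ /^[0-9]+$/ { next }          # blank or malformed line
    $2 == 0 {
      tag = ($1 in ok) ? "GLOBAL-EXPECTED" : "GLOBAL-UNEXPECTED"
      print tag, $1
      next
    }
    {
      if (++count[$2] == 1) order[++n] = $2   # remember first-seen order
      members[$2] = (members[$2] == "" ? $1 : members[$2] "," $1)
    }
    END {
      for (i = 1; i <= n; i++)
        if (count[order[i]] > 1)
          print "SHARED", order[i], members[order[i]]
    }
  '
}

# Constructed sample: the listing from this page, with "logging" set to 0
# (as after make-projects-global) and "playground" given the NETID of
# "pizzaparty-dev" (as after join-projects --to=pizzaparty-dev playground).
sample_netnamespaces() {
  cat <<'EOF'
NAME               NETID
default            0
kube-system        11092823
logging            0
management-infra   5562275
openshift          8714409
openshift-infra    13183382
pizzaparty-dev     5721085
playground         5721085
EOF
}

sample_netnamespaces | audit_netnamespaces default
```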

Port Forwarding

oc port-forward -p <pod-name> -p <app-name> localPort:8787

Deploy a Simple Pod that Allows Arbitrary Commands in a Project

Simple Pod Running inside an OpenShift Project