$ oc adm policy add-cluster-role-to-user \
cluster-reader \
system:serviceaccount:default:router
There are many ways to get traffic into the cluster. The most common approach is to use the OpenShift Container Platform router as the ingress point for external traffic destined for services in your OpenShift Container Platform installation.
OpenShift Container Platform provides and supports the following router plug-ins:
The HAProxy template router is the default plug-in. It uses the openshift3/ose-haproxy-router image to run an HAProxy instance alongside the template router plug-in inside a container on OpenShift Container Platform. It currently supports HTTP(S) traffic and TLS-enabled traffic via SNI. The router’s container listens on the host network interface, unlike most containers that listen only on private IPs. The router proxies external requests for route names to the IPs of actual pods identified by the service associated with the route.
The F5 router integrates with an existing F5 BIG-IP® system in your environment to synchronize routes. F5 BIG-IP® version 11.4 or newer is required in order to have the F5 iControl REST API.
|
The F5 router plug-in is available starting in OpenShift Container Platform 3.0.2. |
Before deploying an OpenShift Container Platform cluster, you must have a service account for the router. Starting in OpenShift Container Platform 3.1, a router service account is automatically created during a quick or advanced installation (previously, this required manual creation). This service account has permissions to a security context constraint (SCC) that allows it to specify host ports.
When
namespace labels
are used, for example in creating
router shards,
the service account for the router must have cluster-reader permission.
$ oc adm policy add-cluster-role-to-user \
cluster-reader \
system:serviceaccount:default:router
With a service account in place, you can proceed to installing a default HAProxy Router, a customized HAProxy Router or F5 Router.