Openshift is a cloud-based Kubernetes service from RedHat. OpenShift routes allow access to pods (one or more containers deployed in a cluster) from external resources. In most cases, applications deployed on OpenShift expose external endpoints outside of the cluster through a router.
For example, if yourKubernetes workloadis a web API (or any other interface that external users need to access), you need to provide a path to the specific service or pod in OpenShift to access the required application or service. Each route consists of a name (limited to 63 characters), a service selector, and optional security settings.
To help you better understand the topic, we'll take a closer look at the types of OpenShift routes and the different methods for configuring and troubleshooting them.
OpenShift route types
There are two types of OpenShift routes:
- HTTP routes (non-secure routes)
- HTTPS routes (secure routes)
Let's start by looking at an example of an unsecured route.
OpenShift insecure routes
Insecure routes in OpenShift use plain text HTTP communication. You can create OpenShift routes via the GUI/web console or CLI (command line interface). Next we will see the two methods.
INFOGRAPHIC POSTER
Do you know the 12 risks of Kubernetes resource management?
Kubernetes architects and engineers immediately find value in seeing the spread of resource risks. Download the K8s 12 Risks Resource Poster now!
Download the free infographic poster
How to create an unsecured route using the web console
To create a route using the web console, go to the "Routes" page in the "Application" section. Select the "Create route" option to configure and create the route.
How to create an unsecured route using CLI
Use the following command to create an unsecured route
$oc expose svc/service --hostname=www.example.comThis command exposes the service in the URLwww.ejemplo.com. External users will be redirected to the service calledservicewhen accessing the urlwww.ejemplo.com.
The following is the YAML definition for the unsafe path object:
apiVersion: route.openshift.io/v1 type: route metadata: name: unsafe route specification: host: www.example.com to: type: service name: service nameUnsecured routes are much easier to maintain because they don't require a key or certificate.
Routes based on OpenShift routes
Route-based routes allow you to specify a route within a route. It is then matched against a URL to allow or deny traffic. The traffic for a route-based route must be HTTP-based (not secure). The same hostname can be used to configure multiple routes, each with its own route. The URL is compared to the routes and the most specific route (best match) is chosen. In the case of multiple paths, the comparison will proceed to the next path until the best match is found. This is all configurable and the reference points can be set on the router. The hostname and routes are sent back to the server so that it can successfully respond to your requests.
For example, if the pathwww.ejemplo.com/pruebais matched against the URLwww.ejemplo.com/pruebaallow traffic. However, it will not allow traffic compared to a URL fromwww.ejemplo.com.
On the other hand, if the route www.example.com is compared with the URLwww.ejemplo.com/prueba, it will allow traffic based on the host match and not the route.
Here's the YAML for an unsafe route with a route:
apiVersion: route.openshift.io/v1 type: Route metadata: name: non-secure route specification: host: www.example.com route: "/test" (1) to: type: service name: service name📝 Note: Defining a route is the only additional attribute in route-based routing. Route-based routing is not secure and does not support TLS termination.
To see more examples, visit theOpenShift Route-Based Routing Documentation.
OpenShift secure routes
As the name suggests, secure routes are secured with TLS by providing a key and a certificate. Secure routes offer multiple TLS terminations to deliver certificates to the client. A TLS termination is the process of decrypting encrypted traffic. In OpenShift, TLS termination means terminating the TLS encryption before passing traffic to the required service or pod. The routers support edge termination, passthrough, and new encryption.
TLS termination in OpenShift uses SNI (Server Name Indication). SNI is an extension of the Transport Layer Security (TLS) network protocol. The client indicates which hostname it is trying to connect to at the beginning of the TLS handshake.
Non-SNI traffic routed to the secure port (default 443) receives a default certificate that is unlikely to match the hostname, resulting in an authentication failure.
You can learn more aboutsecure routes in the OpenShift Route documentation.
OpenShift and the SNI communication flow
Below is an overview of an SNI communication flow:
Secure routes can use one of three types of secure TLS termination. The type of termination is determined by where the encryption ends. The three types of termination are:
- edge termination- Ends encryption on the router.
- transfer termination- The termination is passed from the router directly to the pod.
- End of recryption- It's like Edge Termination, but adds encapsulation.
In the following sections, we'll take a closer look at each type of termination.
edge termination
Edge termination ends the encryption on the router. All communication back to the router is secure, and any communication from the router to the endpoints is not. Since the encryption at the edge termination ends at the router, the TLS certificate must be added to the route. If no certificate is specified, the router's default certificate will be used and authentication will likely fail.
The following screenshot shows how edge termination is configured using a GUI. Note that there is an option on the screenshot below to handle "unsafe traffic". Edge termination allows three different ways to handle insecure traffic. It can be blocked, allowed or redirected.
The following command is used to create a secure path with edge termination
$oc create rotation edge --service=safe-edge-path --cert=tls.crt --key=tls.key --ca-cert=ca.crt --hostname=www.example.comObservation: The certificate/key pair must be created in PEM-encoded format and must exist in the path folder before running the above command.
The following is the YAML for a secure route that uses edge termination:
apiVersion: route.openshift.io/v1 type: route metadata: name: secure-edge-route (1) specification: host: www.example.com to: type: service name: secure-edge-route tls: termination: edge (2) key: |- (3) -----START PRIVATE KEY----- [...] -----END PRIVATE KEY----- certificate: |- (4) -- ---START CERTIFICATE----- [...] -----END CERTIFICATE----- caCertificate: |- (5) -----START CERTIFICATE----- [. .. ] -----END OF CERTIFICATE------ O
nameThe field is used to name the object and is limited to 63 characters. - O
terminationthe field isshouldfor edge termination. - O
keyThe field is where the content of the PEM key is entered. - O
certificateThe field is for the content of the certificate in PEM format. cCertificateIt is optional, but you may need to enter the CA (Certificate Authority) certificate for successful authentication.
insecureEdgeTerminationPolicyis the attribute that is used to configure what happens with this type of traffic. The three values that represent the goal discussed above areNoneor empty,To alloworedirect.
The following is the YAML for a secure route that uses edge termination that allows HTTP traffic:
apiVersion: route.openshift.io/v1 type: route metadata: name: route-edge-secured-allow-insecure(1) spec: host: www.example.com to: type: service name: tls service name :termination: edge(2) insecureEdgeTerminationPolicy: Permitir(3) [ ... ]- O
nameThe field is used to name the object and is limited to 63 characters. - O
terminationthe field isshouldfor edge termination. insecureEdgeTerminationPolicyThe field is used to configure what happens with insecure traffic. In the YAML file example above, insecure traffic is allowed.
The following is the YAML for a secure route that uses the edge termination that redirects HTTP traffic to HTTPS:
apiVersion: route.openshift.io/v1 type: Route metadata: name: route-edge-secured-redirect-insecure(1) spec: host: www.example.com to: type: Service name: tls service name : Termination : edge(2) insecureEdgeTerminationPolicy: Redirigir(3) [ ... ]- O
nameThe field is used to name the object and is limited to 63 characters. - O
terminationthe field isshouldfor edge termination. insecureEdgeTerminationPolicyThe field is used to configure what happens with insecure traffic. In the YAML file example above, insecure traffic is redirected to HTTPS.
FAQs
How routes work in OpenShift? ›
A route allows you to host your application at a public URL. It can either be secure or unsecured, depending on the network security configuration of your application. An HTTP-based route is an unsecured route that uses the basic HTTP routing protocol and exposes a service on an unsecured application port.
How do I create an OpenShift route? ›To create a route using the Web Console, navigate to the “Routes” page under the “Application” section. Select the "Create Route" option to configure and create the route. Creating an unsecured route in the OpenShift GUI. (Source).
What is edge vs passthrough route? ›Edge route: The TLS connection is terminated between the client and router service while the connection between the router service and app pod is unencrypted. Passthrough route: The TLS connection doesn't get interrupted from the client to the app pod, and the connection is terminated at the app pod level.
What is difference between service and route in OpenShift? ›While Services provide internal abstraction and load balancing within an OpenShift environment, sometimes clients (users, systems, devices, etc.) outside of OpenShift need to access an application. The way that external clients are able to access applications running in OpenShift is through the OpenShift routing layer.
How does route command work? ›The route command allows you to make manual entries into the network routing tables. The route command distinguishes between routes to hosts and routes to networks by interpreting the network address of the Destination variable, which can be specified either by symbolic name or numeric address.
What are 3 reasons that drive edge networking? ›- Bandwidth. The first reason for edge computing is bandwidth. ...
- Cost. ...
- Reliability. ...
- Security. ...
- Compliance. ...
- Latency.
IoT Edge devices can operate as gateways, providing a connection between other devices on the network and IoT Hub. The IoT Edge hub module acts like IoT Hub, so it can handle connections from other devices that have an identity with the same IoT hub.
What is core routing and edge routing? ›Edge devices characterize and secure IP traffic from other edge routers, as well as core routers. They provide security for the core. By comparison, core routers offer packet forwarding between other core and edge routers and manage traffic to prevent congestion and packet loss.
What is target port in OpenShift route? ›In the context of an OpenShift Service, targetPort is the mapping of the service traffic to the port inside the container. So for example, you might have a service that maps from port 80 on the service/route to port 8080 inside the container.
How do you run a container as a root in OpenShift? ›- oc login -u system:admin -n default. Create a new project where you will be running that in-secure container.
- oc new-project pokemon-prj. ...
- oc adm policy add-scc-to-user anyuid -z default.
What is passthrough route? ›
Creating a passthrough route
With passthrough termination, encrypted traffic is sent straight to the destination without the router providing TLS termination. Therefore no key or certificate is required on the route. Prerequisites. You must have a service that you want to expose.
API, an endpoint and a route are interchangeable but a subtle difference exist. API as in web API world are represented by URI or REST endpoints. Best to understand it from programming analogy.
What is the difference between directly connected routes and remote routes? ›Directly connected routes—These routes come from the active router interfaces. Routers add a directly connected route when an interface is configured with an IP address and is activated. Remote routes—These are remote networks connected to other routers.
What is the difference between switch and routes? ›A router's main objective is to establish a connection between various networks in a simultaneous manner. Also, it works on the network layer. A switch's main objective is to establish a simultaneous connection among various devices. It basically functions on the data link layer.
How do you write a route command? ›- Type route add 0.0. 0.0 mask 0.0. 0.0 <gateway>, where <gateway> is the gateway address listed for network destination 0.0. 0.0 in Activity 1. ...
- Type ping 8.8. 8.8 to test Internet connectivity. The ping should be successful. ...
- Close the command prompt to complete this activity.
- On your computer, open Google Maps.
- Click Directions .
- Add a starting point and a destination.
- On the left, below the destinations you entered, click Add .
- To add a stop, choose another destination. You can add up to 9 stops.
- Click on a route to get the directions.
- To create a route in Google Maps, open "Your places" and then choose "Create Map" in the "Maps" tab.
- To draw a route, click "Add directions," choose transportation mode, and enter start and end points.
- You can draw lines and shapes on maps by clicking "Draw a line" and selecting "Add line or shape."
The three attributes for Route Preference are the Route Specificity, the Administrative Distance, and the Metric. If multiple routes exist and all three of these attributes are identical, the Router will load balance across the available paths.
How are routes planned? ›Route planning is the process of computing the effective method of transportation or transfers through several stops. Basically, the route planning is used to ascertain which route is the most cost-effective when moving from one place to another.
What is the purpose of OpenShift router? ›OpenShift Container Platform routers provide external host name mapping and load balancing of service end points over protocols that pass distinguishing information directly to the router; the host name must be present in the protocol in order for the router to determine where to send it.
How does Kubernetes route traffic? ›
Traffic can be routed to the pods via a Kubernetes service, or it can be routed directly to the pods. When traffic is routed to the pods via a Kubernetes service, Kubernetes uses a built-in mechanism called kube-proxy to load balance traffic between the pods.
What is an easy way to learn routes? ›Going forward, every time you're going to go somewhere and don't know where you're going, study the map and try to connect the new place to any nearby places you already know or routes you've used before. Even if you're going to be using turn-by-turn directions, look at the route on the map before you use them.
What are the different types of routes? ›There are four types of routes. These types are connected route, local route, static route, and dynamic route.
What are examples of route planning? ›Good route planning focuses on delivering packages fast and in the most cost-effective way possible. For example, you might plan routes based on location, putting stops that are in the same neighborhood together. This way, you can target all stops in one area at once — instead of having to complete stop No.
How do you assign a route? ›- Type route add 0.0. 0.0 mask 0.0. 0.0 <gateway>, where <gateway> is the gateway address listed for network destination 0.0. 0.0 in Activity 1. ...
- Type ping 8.8. 8.8 to test Internet connectivity. The ping should be successful. ...
- Close the command prompt to complete this activity.
Routing is the hub around which all of IP connectivity revolves. At the simplest level, routing establishes basic internetwork communications, implements an addressing structure that uniquely identifies each device, and organizes individual devices into a hierarchical network structure.
What is the default router in OpenShift? ›OpenShift Container Platform provides and supports the following router plug-ins: The HAProxy template router is the default plug-in. It uses the openshift3/ose-haproxy-router image to run an HAProxy instance alongside the template router plug-in inside a container on OpenShift Container Platform.
What is the difference between ingress and route? ›Ingress objects are kubernetes native objects, and their contents are defined by the kubernetes project. IngressRoutes are custom resources that are defined by the Traefik team, and expose more complex functionality that Traefik can provide.
What is the difference between loadbalancer and ingress? ›While ingresses and load balancers have a lot of overlap in functionality, they behave differently. The main difference is ingresses are native objects inside the cluster that can route to multiple services, while load balancers are external to the cluster and only route to a single service.
How do I route traffic to a specific pod? ›- create a deployment with pod label: t1.
- create a subset in DestinationRule: select t1 label pod as subset s1.
- control your traffic in VirtualService that route to s1 subset.
- s1 route to the target pods.