🎹 About me: Hi everyone, I'm 金鱼哥, a CSDN rising-star creator in the operations field, a Huawei Cloud "Cloud Sharing Expert" and an Alibaba Cloud Community expert blogger
📚 Credentials: CCNA, HCNP, CSNA (Network Analyst), Soft Exam junior and intermediate Network Engineer, RHCSA, RHCE, RHCA, RHCI, ITIL 😜
💬 Motto: hard work does not guarantee success, but success requires hard work 🔥🎈 Support me: like 👍, favourite ⭐️, or leave a comment 📝
📜 Textbook exercise
📑 Environment preparation
[student@workstation ~]$ lab install-prepare setup
[student@workstation ~]$ cd /home/student/do280-ansible
[student@workstation do280-ansible]$ ./install.sh
Note: if you already have a complete environment, this step can be skipped.
📑 Preparing this exercise
[student@workstation ~]$ lab secure-route setup # prepare the lab environment for this exercise
📑 Create the application
[student@workstation ~]$ oc login -u developer -p redhat https://master.lab.example.com
[student@workstation ~]$ oc new-project secure-route # create the project
[student@workstation ~]$ oc new-app --docker-image=registry.lab.example.com/openshift/hello-openshift --name=hello
[student@workstation ~]$ oc get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE
hello-1-xsmfp 1/1 Running 0 1m 10.129.0.16 node2.lab.example.com
📑 Create the TLS certificate
[student@workstation ~]$ cd /home/student/DO280/labs/secure-route/
# use the script provided in the lab environment to quickly create a self-signed TLS certificate
[student@workstation secure-route]$ cat create-cert.sh
#!/bin/bash
echo "Generating a private key..."
openssl genrsa -out hello.apps.lab.example.com.key 2048
echo
echo "Generating a CSR..."
openssl req -new -key hello.apps.lab.example.com.key -out hello.apps.lab.example.com.csr -subj "/C=US/ST=NC/L=Raleigh/O=RedHat/OU=RHT/CN=hello.apps.lab.example.com"
echo
echo "Generating a certificate..."
openssl x509 -req -days 366 -in hello.apps.lab.example.com.csr -signkey hello.apps.lab.example.com.key -out hello.apps.lab.example.com.crt
echo
echo "DONE."
echo
[student@workstation secure-route]$ ./create-cert.sh
Generating a private key...
Generating RSA private key, 2048 bit long modulus
..................+++
....................................+++
e is 65537 (0x10001)
Generating a CSR...
Generating a certificate...
Signature ok
subject=/C=US/ST=NC/L=Raleigh/O=RedHat/OU=RHT/CN=hello.apps.lab.example.com
Getting Private key
DONE.
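The lab's create-cert.sh puts the hostname only in the CN. The script below is an added example of my own (it is not the lab's create-cert.sh and not course material): it generates the same kind of self-signed key pair but also places the hostname in a subjectAltName, since modern TLS clients ignore the CN and match on the SAN, and then runs the three checks worth doing before handing the files to `oc create route edge`: that the private key matches the certificate, that the hostname is present as a DNS SAN, and that the certificate is not about to expire. The output directory, the file names tls.key/tls.crt and the demo hostname are assumptions.

```shell
#!/bin/sh
# Added example: self-signed certificate generation plus pre-flight checks.
# Not part of the DO280 lab; file names and the demo hostname are assumptions.

# make_self_signed DIR HOSTNAME
# Writes DIR/tls.key and DIR/tls.crt for HOSTNAME, valid 366 days, with a DNS SAN.
make_self_signed() {
  _dir=$1 _host=$2
  openssl genrsa -out "$_dir/tls.key" 2048 2>/dev/null
  openssl req -new -key "$_dir/tls.key" -out "$_dir/tls.csr" \
    -subj "/C=US/ST=NC/L=Raleigh/O=RedHat/OU=RHT/CN=$_host"
  # Put the hostname in subjectAltName; clients no longer match on the CN alone.
  printf 'subjectAltName=DNS:%s\n' "$_host" > "$_dir/san.cnf"
  openssl x509 -req -days 366 -in "$_dir/tls.csr" -signkey "$_dir/tls.key" \
    -extfile "$_dir/san.cnf" -out "$_dir/tls.crt" 2>/dev/null
}

# cert_key_match CRT KEY
# Succeeds when the public key inside CRT equals the public key derived from KEY.
cert_key_match() {
  [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# cert_has_san CRT HOSTNAME
# Succeeds when HOSTNAME appears as a DNS entry in the certificate's subjectAltName.
cert_has_san() {
  openssl x509 -noout -text -in "$1" | tr ', ' '\n\n' | grep -qxF "DNS:$2"
}

# cert_not_expiring_within CRT DAYS
# Succeeds when CRT is still valid DAYS days from now (openssl -checkend).
cert_not_expiring_within() {
  openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Demo run with constructed values, written into a temporary directory.
WORKDIR=$(mktemp -d)
make_self_signed "$WORKDIR" hello.apps.lab.example.com
for check in "cert_key_match $WORKDIR/tls.crt $WORKDIR/tls.key" \
             "cert_has_san $WORKDIR/tls.crt hello.apps.lab.example.com" \
             "cert_not_expiring_within $WORKDIR/tls.crt 30"; do
  if $check; then echo "PASS: $check"; else echo "FAIL: $check"; fi
done
```

Once the route has been created with `--key=$WORKDIR/tls.key --cert=$WORKDIR/tls.crt`, `curl --cacert $WORKDIR/tls.crt https://hello.apps.lab.example.com` verifies the server certificate against the file you just generated, which tells you more than switching verification off with `-k`.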
📑 Create the route
[student@workstation secure-route]$ ll
total 20
-rw-r--r--. 1 student student 550 Aug 7 2018 commands.txt
-rwxr-xr-x. 1 student student 506 Jul 19 2018 create-cert.sh
-rw-rw-r--. 1 student student 1224 Feb 26 22:42 hello.apps.lab.example.com.crt
-rw-rw-r--. 1 student student 1017 Feb 26 22:42 hello.apps.lab.example.com.csr
-rw-rw-r--. 1 student student 1675 Feb 26 22:42 hello.apps.lab.example.com.key
[student@workstation secure-route]$ oc create route edge \
--service=hello --hostname=hello.apps.lab.example.com \
--key=hello.apps.lab.example.com.key \
--cert=hello.apps.lab.example.com.crt
route "hello" created
📑 Verify
[student@workstation secure-route]$ oc get route
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
hello hello.apps.lab.example.com hello 8080-tcp edge None
[student@workstation secure-route]$ oc get route hello -o yaml
apiVersion: route.openshift.io/v1
kind: Route
metadata:
creationTimestamp: 2021-02-26T15:10:35Z
labels:
app: hello
name: hello
namespace: secure-route
resourceVersion: "106365"
selfLink: /apis/route.openshift.io/v1/namespaces/secure-route/routes/hello
uid: c6d64e32-7844-11eb-a097-52540000fa0a
spec:
host: hello.apps.lab.example.com
port:
targetPort: 8080-tcp
tls:
certificate: |
…………
-----END RSA PRIVATE KEY-----
termination: edge
to:
kind: Service
name: hello
weight: 100
wildcardPolicy: None
status:
ingress:
…………
📑 Test access
[student@workstation secure-route]$ curl http://hello.apps.lab.example.com
# a plain HTTP request is not forwarded to any backend pod
…………
<h1>Application is not available</h1>
<p>The application is currently not serving requests at this endpoint. It may not have been started or is still starting.</p>
<div class="alert alert-info">
…………
[student@workstation secure-route]$ curl -k https://hello.apps.lab.example.com
Hello OpenShift!
[student@workstation secure-route]$ curl -k -vvv https://hello.apps.lab.example.com
* About to connect() to hello.apps.lab.example.com port 443 (#0)
* Trying 172.25.250.11...
* Connected to hello.apps.lab.example.com (172.25.250.11) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=hello.apps.lab.example.com,OU=RHT,O=RedHat,L=Raleigh,ST=NC,C=US
* start date: Feb 26 14:42:43 2021 GMT
* expire date: Feb 27 14:42:43 2022 GMT
* common name: hello.apps.lab.example.com
* issuer: CN=hello.apps.lab.example.com,OU=RHT,O=RedHat,L=Raleigh,ST=NC,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: hello.apps.lab.example.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Fri, 26 Feb 2021 15:27:17 GMT
< Content-Length: 17
< Content-Type: text/plain; charset=utf-8
< Set-Cookie: 0dca6369ebce37a9206a19316b32350e=3f93469a02a5beda64c21cf88da4bc0a; path=/; HttpOnly; Secure
< Cache-control: private
<
Hello OpenShift!
* Connection #0 to host hello.apps.lab.example.com left intact
📑 Insecure access
Because the encrypted connection terminates at the router and the request is forwarded to the pods over plain HTTP, the application can also be reached over plain HTTP using the pod IP address. To do so, use the IP address shown by the oc get pods -o wide command.
[student@workstation secure-route]$ oc get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE
hello-1-xsmfp 1/1 Running 0 1h 10.129.0.16 node2.lab.example.com
[root@node1 ~]# curl http://10.129.0.16:8080
Hello OpenShift!
[root@node1 ~]# curl -vvv http://10.129.0.16:8080
* About to connect() to 10.129.0.16 port 8080 (#0)
* Trying 10.129.0.16...
* Connected to 10.129.0.16 (10.129.0.16) port 8080 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 10.129.0.16:8080
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Fri, 26 Feb 2021 15:46:57 GMT
< Content-Length: 17
< Content-Type: text/plain; charset=utf-8
<
Hello OpenShift!
* Connection #0 to host 10.129.0.16 left intact
📑 Clean up the project
[student@workstation ~]$ oc delete project secure-route
project "secure-route" deleted
📜 Chapter lab
📑 Environment preparation
[student@workstation ~]$ lab install-prepare setup
[student@workstation ~]$ cd /home/student/do280-ansible
[student@workstation do280-ansible]$ ./install.sh
Note: if you already have a complete environment, this step can be skipped.
📑 Preparing this exercise
[student@workstation ~]$ lab network-review setup
📑 Verify the required resources
[student@workstation ~]$ oc login -u developer -p redhat https://master.lab.example.com
[student@workstation ~]$ oc get project
NAME DISPLAY NAME STATUS
network-review Active
[student@workstation ~]$ oc project
Using project "network-review" on server "https://master.lab.example.com:443".
[student@workstation ~]$ oc get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE
hello-openshift-1-gg65v 1/1 Running 0 1m 10.129.0.18 node2.lab.example.com
[student@workstation ~]$ oc get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
hello-openshift ClusterIP 172.30.76.227 <none> 8080/TCP,8888/TCP 2m
[student@workstation ~]$ oc get route
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
hello-openshift hello.apps.lab.example.com hello-opensift 8080-tcp None
📑 Test access
[student@workstation ~]$ curl http://hello.apps.lab.example.com # test HTTP access through the route
…………
<h1>Application is not available</h1>
<p>The application is currently not serving requests at this endpoint. It may not have been started or is still starting.</p>
<div class="alert alert-info">
……………
[root@master ~]# curl http://10.129.0.18:8080 # test access via the pod IP
Hello OpenShift!
[root@master ~]# curl http://172.30.76.227:8080 # test access via the cluster IP
curl: (7) Failed connect to 172.30.76.227:8080; Connection refused
📑 Troubleshoot the cluster IP fault
[student@workstation ~]$ oc describe svc hello-openshift -n network-review
Name: hello-openshift
Namespace: network-review
Labels: app=hello-openshift
Annotations: openshift.io/generated-by=OpenShiftNewApp
Selector: app=hello_openshift,deploymentconfig=hello-openshift
Type: ClusterIP
IP: 172.30.76.227
Port: 8080-tcp 8080/TCP
TargetPort: 8080/TCP
Endpoints: <none>
Port: 8888-tcp 8888/TCP
TargetPort: 8888/TCP
Endpoints: <none>
Session Affinity: None
Events: <none>
From the output above, the service has no endpoints. Endpoints are populated by matching the service's selector against the labels of the pods.
[student@workstation ~]$ oc describe pod hello-openshift-1-gg65v # view the pod details
Name: hello-openshift-1-gg65v
Namespace: network-review
Node: node2.lab.example.com/172.25.250.12
Start Time: Sat, 27 Feb 2021 23:11:58 +0800
Labels: app=hello-openshift
deployment=hello-openshift-1
deploymentconfig=hello-openshift
…………
Fault: as shown above, the selector label does not match the pod label. No pod is labeled app=hello_openshift, so the selector matches nothing.
[student@workstation ~]$ oc edit svc hello-openshift
selector:
app: hello-openshift
deploymentconfig: hello-openshift
sessionAffinity: None
type: ClusterIP
📑 Test access
[root@master ~]# curl http://10.129.0.18:8080 # test access via the pod IP
Hello OpenShift!
[root@master ~]# curl http://172.30.76.227:8080 # test again via the cluster IP
Hello OpenShift!
[student@workstation ~]$ curl http://hello.apps.lab.example.com # test HTTP access through the route
……
<div>
<h1>Application is not available</h1>
<p>The application is currently not serving requests at this endpoint. It may not have been started or is still starting.</p>
……
📑 Troubleshoot the route fault
[student@workstation ~]$ oc describe route hello-openshift
Name: hello-openshift
Namespace: network-review
Created: 20 minutes ago
Labels: app=hello-openshift
Annotations: <none>
Requested Host: hello.apps.lab.example.com
exposed on router router 20 minutes ago
Path: <none>
TLS Termination: <none>
Insecure Policy: <none>
Endpoint Port: 8080-tcp
Service: hello-opensift
Weight: 100 (100%)
Endpoints: <error: endpoints "hello-opensift" not found>
Fault: as shown above, this route has no endpoints, so requests to the route's URL have no backend endpoint to answer them. The router looks up the service's endpoints and registers the valid ones for load balancing. The service name also contains a typo: it should be hello-openshift.
[student@workstation ~]$ oc edit route hello-openshift
…………
to:
kind: Service
name: hello-openshift
weight: 100
wildcardPolicy: None
………
[root@node1 ~]# curl http://hello.apps.lab.example.com # test again
Hello OpenShift!
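The two faults in this lab, a service selector that does not match the pod's labels and a route that points at a misspelled service name, are both plain string mismatches, so they can be caught without sending a single curl request. The script below is an added example of my own (not course material) that encodes the two checks as shell functions and runs them over the values copied from the oc describe output above. The label strings use the same key=value,key=value form that oc describe and oc get pods --show-labels print; the sample values are the broken state of this lab.

```shell
#!/bin/sh
# Added example: offline checks for the two faults found in this lab.
# Not course material; the sample strings below are copied from the oc describe output.

# missing_selector_pairs SELECTOR LABELS
# Prints each key=value pair of SELECTOR that is absent from LABELS, one per line.
# Both arguments use the comma-separated form printed by oc describe / oc get --show-labels.
missing_selector_pairs() {
  _sel=$1 _labels=$2 _old_ifs=$IFS
  IFS=,
  for _pair in $_sel; do
    case ",$_labels," in
      *",$_pair,"*) ;;                 # pair present on the pod: nothing to report
      *) printf '%s\n' "$_pair" ;;     # pair absent: this is why Endpoints shows <none>
    esac
  done
  IFS=$_old_ifs
}

# selector_matches SELECTOR LABELS
# Succeeds when every selector pair is present in the labels (the pod becomes an endpoint).
selector_matches() {
  [ -z "$(missing_selector_pairs "$1" "$2")" ]
}

# route_backend_exists ROUTE_SERVICE SERVICE...
# Succeeds when the service named in the route is one of the services in the project.
route_backend_exists() {
  _want=$1; shift
  for _svc in "$@"; do
    [ "$_svc" = "$_want" ] && return 0
  done
  return 1
}

# Values copied from the oc describe output of this lab (the broken state).
SVC_SELECTOR="app=hello_openshift,deploymentconfig=hello-openshift"
POD_LABELS="app=hello-openshift,deployment=hello-openshift-1,deploymentconfig=hello-openshift"
ROUTE_SERVICE="hello-opensift"
PROJECT_SERVICES="hello-openshift"

if selector_matches "$SVC_SELECTOR" "$POD_LABELS"; then
  echo "service selector matches the pod"
else
  echo "service selector pairs not found on the pod:"
  missing_selector_pairs "$SVC_SELECTOR" "$POD_LABELS" | sed 's/^/  /'
fi
if route_backend_exists "$ROUTE_SERVICE" $PROJECT_SERVICES; then
  echo "route backend $ROUTE_SERVICE exists"
else
  echo "route points at service $ROUTE_SERVICE, which is not among: $PROJECT_SERVICES"
fi
```

On a live cluster the same strings come from the Selector: line of oc describe svc, the LABELS column of oc get pods --show-labels, the Service: line of oc describe route, and the NAME column of oc get svc.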
📑 Grade with the script and clean up the project
[student@workstation ~]$ lab network-review grade
[student@workstation ~]$ oc delete project network-review
💡 Summary
- OpenShift's software-defined network (SDN) implementation is based on Open vSwitch (OVS); it provides a unified cluster network so that pods across the OpenShift cluster can communicate with each other.
- An OpenShift service:
  - has a unique IP address that clients connect to in order to reach the pods in the cluster.
  - has an IP address that also comes from the OpenShift SDN; it is on a different network from the pods' internal network and is only visible inside the cluster.
  - ensures that the pods matching its selector are added as endpoints of the service resource. As pods are created and terminated, the endpoints behind the service are updated automatically.
- For applications whose service must be reachable from outside the OpenShift cluster, there are two ways to achieve this:
  - NodePort: exposes the service to external clients by binding to an available port on the node host; the node host then proxies the connection to the service IP address. Node port numbers are limited to the range 30000-32767.
  - OpenShift route: exposes the service with a unique URL. Use the oc expose command, or the OpenShift web console, to expose a service for external access.
- Pods can communicate with servers outside the OpenShift cluster through network address translation (NAT) using the host address. NAT carries the network traffic through the host IP address.
- OpenShift routes are implemented by a shared router service that runs as a pod in the OpenShift instance and can be scaled and replicated like any other regular pod. The router service is based on the open-source HAProxy software.
- Route resources are created like any other OpenShift resource: by passing a JSON or YAML resource definition file to oc create, or with the oc expose command.
- A route created from a template or with the oc expose command (without an explicit --hostname option) gets a generated DNS name of the form <route-name>-<project-name>.<default-domain>.
- Routes support the following protocols: HTTP, HTTPS with SNI, WebSockets, TLS with SNI.
- You can create different types of routes:
  - Edge termination: TLS is terminated at the router, before the traffic is routed to the pods. The TLS certificate is served by the router, so it must be configured in the route.
  - Passthrough termination: encrypted traffic is sent straight to the destination pod without TLS termination at the router. No key or certificate is needed on the router; the destination pods are responsible for serving the certificate for the traffic to the endpoint.
  - Re-encryption termination: re-encryption is a variant of edge termination in which the router terminates TLS with a certificate and then re-encrypts its connection to the endpoint, which may use a different certificate.
- A wildcard policy allows a user to define a route that covers all hosts within a domain. A route can specify the wildcard policy as part of its configuration using the wildcardPolicy field. The OpenShift router supports wildcard routes, which are enabled by setting the ROUTER_ALLOW_WILDCARD_ROUTES environment variable to true.
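The three termination types above differ only in a few fields of the Route's spec.tls block, and the "Application is not available" page that the plain-HTTP curl returned earlier is governed by one more field, insecureEdgeTerminationPolicy (None by default; Redirect makes the router send HTTP clients to HTTPS). As an added example of my own, not course material, the following shell function prints a Route manifest for a given termination type and rejects the combinations the API does not accept (passthrough with a router certificate, or passthrough with insecure policy Allow); its output can be piped to oc apply -f -. The route name, the 8080-tcp target port and the file names are assumptions.

```shell
#!/bin/sh
# Added example: print a Route manifest for each termination type.
# Not course material; the route name, target port and file names are assumptions.

# route_manifest NAME HOST SERVICE TERMINATION INSECURE_POLICY [CERT KEY [DEST_CA]]
# TERMINATION is edge, passthrough or reencrypt; INSECURE_POLICY is None, Allow or Redirect.
# CERT and KEY are PEM files served by the router (edge, reencrypt); DEST_CA is the PEM
# CA the router uses to verify the pod's certificate (reencrypt only, optional).
route_manifest() {
  _name=$1 _host=$2 _svc=$3 _term=$4 _policy=$5 _crt=$6 _key=$7 _destca=$8
  case $_term in
    edge|reencrypt)
      [ -r "$_crt" ] && [ -r "$_key" ] || { echo "error: $_term needs a certificate and key" >&2; return 1; } ;;
    passthrough)
      [ -z "$_crt" ] || { echo "error: passthrough carries no router certificate" >&2; return 1; }
      [ "$_policy" != Allow ] || { echo "error: passthrough does not permit insecure policy Allow" >&2; return 1; } ;;
    *) echo "error: unknown termination $_term" >&2; return 1 ;;
  esac
  cat <<EOF
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: $_name
spec:
  host: $_host
  to:
    kind: Service
    name: $_svc
    weight: 100
  port:
    targetPort: 8080-tcp
  wildcardPolicy: None
  tls:
    termination: $_term
    insecureEdgeTerminationPolicy: $_policy
EOF
  # PEM blocks are embedded as YAML block scalars, indented under spec.tls.
  if [ -n "$_crt" ]; then
    echo "    certificate: |"; sed 's/^/      /' "$_crt"
    echo "    key: |";         sed 's/^/      /' "$_key"
  fi
  if [ -n "$_destca" ]; then
    echo "    destinationCACertificate: |"; sed 's/^/      /' "$_destca"
  fi
}

# Demo: a passthrough route needs no router-side certificate, so it can be shown without files.
route_manifest hello hello.apps.lab.example.com hello passthrough Redirect
```

For the edge route of this lab the call is route_manifest hello hello.apps.lab.example.com hello edge Redirect hello.apps.lab.example.com.crt hello.apps.lab.example.com.key; with Redirect the earlier curl http://hello.apps.lab.example.com gets a redirect to https instead of the router's "Application is not available" page.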
The RHCA certification requires studying for and passing 5 exams, which still takes a good amount of time to learn and prepare for. Keep at it, you can do it 🤪.
That is 【金鱼哥】's brief walkthrough of Chapter 3, OpenShift Networking: the create-router exercise and the chapter lab. I hope it helps anyone who comes across this article.
💾 Red Hat certification column series:
RHCSA column: 戏说 RHCSA 认证
RHCE column: 戏说 RHCE 认证
This article is collected in the RHCA column: RHCA 回忆录
If this 【article】 helped you, please give 【金鱼哥】 a like 👍. Creating content is hard work; compared with the official wording, I prefer to explain each point in 【plain, easy-to-understand】 language.
If you are interested in 【operations technology】, you are welcome to follow ❤️❤️❤️ 【金鱼哥】 ❤️❤️❤️, and I will bring you great 【rewards and surprises】 💕💕!