金鱼哥 RHCA Memoir: DO280 OpenShift Networking -- Creating a Router: Exercise and Chapter Lab

Posted by 金鱼哥 on 2022/08/19 23:26:41
[Abstract] Chapter 3: OpenShift Networking -- Creating a Router: Exercise and Chapter Lab

🎹 About me: Hi everyone, I'm 金鱼哥, a CSDN Rising Star creator in the operations field, a Huawei Cloud expert (云享专家) and an Alibaba Cloud community expert blogger
📚 Credentials: CCNA, HCNP, CSNA (network analyst), Ruankao junior and intermediate network engineer, RHCSA, RHCE, RHCA, RHCI, ITIL 😜
💬 Motto: hard work does not guarantee success, but success requires hard work 🔥

🎈 Support me: like 👍, bookmark ⭐️, or leave a comment 📝


📜 Textbook Exercise

📑 Environment Preparation

[student@workstation ~]$ lab install-prepare setup
[student@workstation ~]$ cd /home/student/do280-ansible
[student@workstation do280-ansible]$ ./install.sh

Tip: if you already have a complete environment, you can skip this step.


📑 Preparing This Exercise

[student@workstation ~]$ lab secure-route setup   # prepare the environment for this exercise

📑 Create the Application

[student@workstation ~]$ oc login -u developer -p redhat https://master.lab.example.com
[student@workstation ~]$ oc new-project secure-route  # create the project
[student@workstation ~]$ oc new-app --docker-image=registry.lab.example.com/openshift/hello-openshift --name=hello
[student@workstation ~]$ oc get pods -o wide
NAME            READY     STATUS    RESTARTS   AGE       IP            NODE
hello-1-xsmfp   1/1       Running   0          1m        10.129.0.16   node2.lab.example.com

📑 Create the TLS Certificate

[student@workstation ~]$ cd /home/student/DO280/labs/secure-route/ 
# use the script provided in the lab environment to quickly create a self-signed TLS certificate

[student@workstation secure-route]$ cat create-cert.sh 
#!/bin/bash

echo "Generating a private key..."
openssl genrsa -out hello.apps.lab.example.com.key 2048
echo

echo "Generating a CSR..."
openssl req -new -key hello.apps.lab.example.com.key -out hello.apps.lab.example.com.csr -subj "/C=US/ST=NC/L=Raleigh/O=RedHat/OU=RHT/CN=hello.apps.lab.example.com"
echo

echo "Generating a certificate..."
openssl x509 -req -days 366 -in hello.apps.lab.example.com.csr -signkey hello.apps.lab.example.com.key -out hello.apps.lab.example.com.crt
echo
echo  "DONE."
echo

[student@workstation secure-route]$ ./create-cert.sh
Generating a private key...
Generating RSA private key, 2048 bit long modulus
..................+++
....................................+++
e is 65537 (0x10001)

Generating a CSR...

Generating a certificate...
Signature ok
subject=/C=US/ST=NC/L=Raleigh/O=RedHat/OU=RHT/CN=hello.apps.lab.example.com
Getting Private key

DONE.

📑 Create the Route

[student@workstation secure-route]$ ll
total 20
-rw-r--r--. 1 student student  550 Aug  7  2018 commands.txt
-rwxr-xr-x. 1 student student  506 Jul 19  2018 create-cert.sh
-rw-rw-r--. 1 student student 1224 Feb 26 22:42 hello.apps.lab.example.com.crt
-rw-rw-r--. 1 student student 1017 Feb 26 22:42 hello.apps.lab.example.com.csr
-rw-rw-r--. 1 student student 1675 Feb 26 22:42 hello.apps.lab.example.com.key 

[student@workstation secure-route]$ oc create route edge \
--service=hello --hostname=hello.apps.lab.example.com \
--key=hello.apps.lab.example.com.key \
--cert=hello.apps.lab.example.com.crt
route "hello" created

📑 Confirm and Verify

[student@workstation secure-route]$ oc get route 
NAME      HOST/PORT                    PATH      SERVICES   PORT       TERMINATION   WILDCARD
hello     hello.apps.lab.example.com             hello      8080-tcp   edge          None
[student@workstation secure-route]$  oc get route hello -o yaml
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  creationTimestamp: 2021-02-26T15:10:35Z
  labels:
    app: hello
  name: hello
  namespace: secure-route
  resourceVersion: "106365"
  selfLink: /apis/route.openshift.io/v1/namespaces/secure-route/routes/hello
  uid: c6d64e32-7844-11eb-a097-52540000fa0a
spec:
  host: hello.apps.lab.example.com
  port:
    targetPort: 8080-tcp
  tls:
    certificate: |
…………
      -----END RSA PRIVATE KEY-----
    termination: edge
  to:
    kind: Service
    name: hello
    weight: 100
  wildcardPolicy: None
status:
  ingress:
…………

📑 Test Access

[student@workstation secure-route]$  curl http://hello.apps.lab.example.com 
# plain http:// access is not forwarded to any backend pod
…………
      <h1>Application is not available</h1>
      <p>The application is currently not serving requests at this endpoint. It may not have been started or is still starting.</p>

      <div class="alert alert-info">
…………

[student@workstation secure-route]$  curl  -k https://hello.apps.lab.example.com
Hello OpenShift!

[student@workstation secure-route]$  curl  -k -vvv https://hello.apps.lab.example.com
* About to connect() to hello.apps.lab.example.com port 443 (#0)
*   Trying 172.25.250.11...
* Connected to hello.apps.lab.example.com (172.25.250.11) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* 	subject: CN=hello.apps.lab.example.com,OU=RHT,O=RedHat,L=Raleigh,ST=NC,C=US
* 	start date: Feb 26 14:42:43 2021 GMT
* 	expire date: Feb 27 14:42:43 2022 GMT
* 	common name: hello.apps.lab.example.com
* 	issuer: CN=hello.apps.lab.example.com,OU=RHT,O=RedHat,L=Raleigh,ST=NC,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: hello.apps.lab.example.com
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Fri, 26 Feb 2021 15:27:17 GMT
< Content-Length: 17
< Content-Type: text/plain; charset=utf-8
< Set-Cookie: 0dca6369ebce37a9206a19316b32350e=3f93469a02a5beda64c21cf88da4bc0a; path=/; HttpOnly; Secure
< Cache-control: private
< 
Hello OpenShift!
* Connection # 0 to host hello.apps.lab.example.com left intact
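The YAML above shows where an edge route keeps its TLS material, and the plain-HTTP curl shows the router refusing http:// for a route that has no insecure policy. As an added example (my own code, not from the lab or from OpenShift), this Python checker applies those rules to a Route dict; the PEM bodies are placeholders and lab_route is a hypothetical helper that builds the lab's "hello" route.

```python
# Added example, not part of the DO280 lab: sanity-check spec.tls of an OpenShift
# Route dict before applying it. Field names follow 'oc get route hello -o yaml' above.
CERT = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"  # constructed
KEY = "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"

def pem_kind(pem):
    """Return the label of the first PEM block ('CERTIFICATE', 'RSA PRIVATE KEY', ...) or None."""
    for line in (pem or "").splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            return line[len("-----BEGIN "):-5]
    return None

def lab_route(termination, certificate=None, key=None, insecure_policy=None):
    """Build a Route dict for the lab's 'hello' service (hypothetical helper)."""
    tls = {"termination": termination, "certificate": certificate, "key": key,
           "insecureEdgeTerminationPolicy": insecure_policy}
    return {"apiVersion": "route.openshift.io/v1", "kind": "Route",
            "metadata": {"name": "hello", "namespace": "secure-route"},
            "spec": {"host": "hello.apps.lab.example.com", "port": {"targetPort": "8080-tcp"},
                     "tls": {k: v for k, v in tls.items() if v},  # drop unset fields
                     "to": {"kind": "Service", "name": "hello", "weight": 100},
                     "wildcardPolicy": "None"}}

def check_route_tls(route):
    """Return a list of problems or caveats found in route['spec']['tls']."""
    tls = route.get("spec", {}).get("tls")
    if tls is None:
        return ["no spec.tls: the route is served over plain HTTP only"]
    term, cert, key = tls.get("termination"), tls.get("certificate"), tls.get("key")
    findings = []
    if term == "passthrough":
        # The router never decrypts passthrough traffic, so it cannot use a certificate.
        if cert or key:
            findings.append("passthrough: certificate/key belong on the pod, not on the route")
        if tls.get("insecureEdgeTerminationPolicy") == "Allow":
            findings.append("passthrough: insecureEdgeTerminationPolicy Allow is not valid")
    elif term in ("edge", "reencrypt"):
        if bool(cert) != bool(key):
            findings.append(f"{term}: certificate and key must be supplied together")
        if cert and pem_kind(cert) != "CERTIFICATE":
            findings.append(f"{term}: spec.tls.certificate holds a {pem_kind(cert)} block")
        if key and pem_kind(key) not in ("RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY"):
            findings.append(f"{term}: spec.tls.key does not hold a private key block")
    else:
        findings.append(f"unknown termination {term!r}")
    # No insecure policy: http:// gets the router's 'Application is not available' page, as curl showed above.
    if tls.get("insecureEdgeTerminationPolicy") in (None, "None"):
        findings.append("http:// requests are not served; set insecureEdgeTerminationPolicy: Redirect")
    return findings
```

Running check_route_tls(lab_route("edge", CERT, KEY)) on the lab's route reports only the missing insecure policy, which is exactly what the http:// curl above hit.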

📑 Insecure (Plain HTTP) Access

Because the encrypted connection is terminated at the router and the request is forwarded to the pods over insecure HTTP, the application can be reached over plain HTTP using the pod IP address. To do that, use the IP address reported by the oc get pods -o wide command.

[student@workstation secure-route]$ oc get pod -o wide
NAME            READY     STATUS    RESTARTS   AGE       IP            NODE
hello-1-xsmfp   1/1       Running   0          1h        10.129.0.16   node2.lab.example.com

[root@node1 ~]# curl http://10.129.0.16:8080
Hello OpenShift!

[root@node1 ~]# curl -vvv http://10.129.0.16:8080
* About to connect() to 10.129.0.16 port 8080 (#0)
*   Trying 10.129.0.16...
* Connected to 10.129.0.16 (10.129.0.16) port 8080 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 10.129.0.16:8080
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Fri, 26 Feb 2021 15:46:57 GMT
< Content-Length: 17
< Content-Type: text/plain; charset=utf-8
< 
Hello OpenShift!
* Connection  0 to host 10.129.0.16 left intact

📑 Clean Up the Project

[student@workstation ~]$ oc delete project secure-route 
project "secure-route" deleted

📜 Chapter Lab

📑 Environment Preparation

[student@workstation ~]$ lab install-prepare setup
[student@workstation ~]$ cd /home/student/do280-ansible
[student@workstation do280-ansible]$ ./install.sh

Tip: if you already have a complete environment, you can skip this step.


📑 Preparing This Lab

[student@workstation ~]$ lab network-review setup

📑 Verify the Required Resources

[student@workstation ~]$ oc login -u developer -p redhat https://master.lab.example.com
[student@workstation ~]$ oc get project 
NAME             DISPLAY NAME   STATUS
network-review                  Active
[student@workstation ~]$ oc project
Using project "network-review" on server "https://master.lab.example.com:443".

[student@workstation ~]$ oc get pod -o wide
NAME                      READY     STATUS    RESTARTS   AGE       IP            NODE
hello-openshift-1-gg65v   1/1       Running   0          1m        10.129.0.18   node2.lab.example.com 
[student@workstation ~]$ oc get svc
NAME              TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)             AGE
hello-openshift   ClusterIP   172.30.76.227   <none>        8080/TCP,8888/TCP   2m
[student@workstation ~]$ oc get route 
NAME              HOST/PORT              PATH      SERVICES         PORT       TERMINATION   WILDCARD
hello-openshift   hello.apps.lab.example.com             hello-opensift   8080-tcp                 None

📑 Test Access

[student@workstation ~]$ curl http://hello.apps.lab.example.com      # test HTTP access through the route
…………
      <h1>Application is not available</h1>
      <p>The application is currently not serving requests at this endpoint. It may not have been started or is still starting.</p>

      <div class="alert alert-info"> 
……………

[root@master ~]# curl http://10.129.0.18:8080     # test access via the pod IP
Hello OpenShift!
[root@master ~]# curl http://172.30.76.227:8080   # test access via the cluster IP
curl: (7) Failed connect to 172.30.76.227:8080; Connection refused

📑 Troubleshoot the Cluster IP Fault

[student@workstation ~]$ oc describe svc hello-openshift -n network-review
Name:              hello-openshift
Namespace:         network-review
Labels:            app=hello-openshift
Annotations:       openshift.io/generated-by=OpenShiftNewApp
Selector:          app=hello_openshift,deploymentconfig=hello-openshift
Type:              ClusterIP
IP:                172.30.76.227
Port:              8080-tcp  8080/TCP
TargetPort:        8080/TCP
Endpoints:         <none>
Port:              8888-tcp  8888/TCP
TargetPort:        8888/TCP
Endpoints:         <none>
Session Affinity:  None
Events:            <none>

As shown above, the service has no endpoints. Endpoints are populated by matching the service's selector against the pods' labels.

[student@workstation ~]$ oc describe pod hello-openshift-1-gg65v   # view the pod details
Name:         hello-openshift-1-gg65v
Namespace:    network-review
Node:         node2.lab.example.com/172.25.250.12
Start Time:   Sat, 27 Feb 2021 23:11:58 +0800
Labels:       app=hello-openshift
              deployment=hello-openshift-1
              deploymentconfig=hello-openshift
…………

Fault: as shown above, the selector label does not match the pod label; there is no pod labelled hello_openshift, so nothing can be selected.

[student@workstation ~]$ oc edit svc hello-openshift
  selector:
    app: hello-openshift
    deploymentconfig: hello-openshift
  sessionAffinity: None
  type: ClusterIP

📑 Test Access

[root@master ~]# curl http://10.129.0.18:8080       # test access via the pod IP
Hello OpenShift!
[root@master ~]# curl http://172.30.76.227:8080     # test the cluster IP again
Hello OpenShift!

[student@workstation ~]$ curl http://hello.apps.lab.example.com   # test HTTP access through the route
……
    <div>
      <h1>Application is not available</h1>
      <p>The application is currently not serving requests at this endpoint. It may not have been started or is still starting.</p>
……

📑 Troubleshoot the Route Fault

[student@workstation ~]$ oc describe route hello-openshift
Name:			hello-openshift
Namespace:		network-review
Created:		20 minutes ago
Labels:			app=hello-openshift
Annotations:		<none>
Requested Host:		hello.apps.lab.example.com
			  exposed on router router 20 minutes ago
Path:			<none>
TLS Termination:	<none>
Insecure Policy:	<none>
Endpoint Port:		8080-tcp

Service:	hello-opensift
Weight:		100 (100%)
Endpoints:	<error: endpoints "hello-opensift" not found>

Fault: as shown above, this route has no endpoints, i.e. requests to the route's URL have no backend endpoint to answer them. The router looks up the service's endpoints and registers the valid ones to load-balance across. It also turns out that the service name contains a typo; it should be hello-openshift.

[student@workstation ~]$ oc edit route hello-openshift
…………
  to:
    kind: Service
    name: hello-openshift
    weight: 100
  wildcardPolicy: None
………

[root@node1 ~]# curl http://hello.apps.lab.example.com      # test again
Hello OpenShift!
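Both faults above came down to a name mismatch: a service selector that matches no pod label, and a route whose to.name points at a service that does not exist. As an added example (my own code, not from the lab), this Python script makes those two checks offline over dicts shaped like oc get -o json output; the sample pod, service and route are constructed to mirror the broken lab state, and obj is a hypothetical helper for building them.

```python
# Added example, not part of the DO280 lab: reproduce the two diagnoses above offline.
# Input dicts mirror 'oc get pods,svc,route -o json' (metadata.labels, spec.selector,
# spec.ports, spec.to.name, spec.port.targetPort); the sample objects are constructed.

def selector_matches(selector, labels):
    """A service selects a pod only if every selector key/value is present on the pod."""
    return all(labels.get(k) == v for k, v in selector.items())

def diagnose(pods, services, routes):
    """Return findings for services with no endpoints and routes with no usable backend."""
    findings, svc_by_name = [], {s["metadata"]["name"]: s for s in services}
    for svc in services:
        name, sel = svc["metadata"]["name"], svc["spec"].get("selector", {})
        if not any(selector_matches(sel, p["metadata"].get("labels", {})) for p in pods):
            # Name the selector entries that no pod label satisfies (the label typo below).
            off = {k: v for k, v in sel.items()
                   if not any(p["metadata"].get("labels", {}).get(k) == v for p in pods)}
            findings.append(f"svc/{name}: no endpoints, selector mismatch on {off}")
    for route in routes:
        rname, target = route["metadata"]["name"], route["spec"]["to"]["name"]
        svc = svc_by_name.get(target)
        if svc is None:
            findings.append(f"route/{rname}: backend service {target!r} not found")
            continue
        tp = route["spec"].get("port", {}).get("targetPort")
        if tp and tp not in {p.get("name") for p in svc["spec"].get("ports", [])}:
            findings.append(f"route/{rname}: targetPort {tp!r} is not a port of svc/{target}")
    return findings

def obj(kind, name, **spec):
    """Hypothetical helper: build a minimal API object; 'labels' goes under metadata."""
    return {"kind": kind, "metadata": {"name": name, "labels": spec.pop("labels", {})}, "spec": spec}

PODS = [obj("Pod", "hello-openshift-1-gg65v",
            labels={"app": "hello-openshift", "deploymentconfig": "hello-openshift"})]
PORTS = [{"name": "8080-tcp", "port": 8080}, {"name": "8888-tcp", "port": 8888}]
BROKEN_SVC = obj("Service", "hello-openshift", ports=PORTS,
                 selector={"app": "hello_openshift", "deploymentconfig": "hello-openshift"})
FIXED_SVC = obj("Service", "hello-openshift", ports=PORTS,
                selector={"app": "hello-openshift", "deploymentconfig": "hello-openshift"})
BROKEN_ROUTE = obj("Route", "hello-openshift", host="hello.apps.lab.example.com",
                   port={"targetPort": "8080-tcp"}, to={"kind": "Service", "name": "hello-opensift"})
FIXED_ROUTE = obj("Route", "hello-openshift", host="hello.apps.lab.example.com",
                  port={"targetPort": "8080-tcp"}, to={"kind": "Service", "name": "hello-openshift"})

if __name__ == "__main__":
    for finding in diagnose(PODS, [BROKEN_SVC], [BROKEN_ROUTE]):
        print(finding)
```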

📑 Grade with the Script and Clean Up the Project

[student@workstation ~]$ lab network-review grade
[student@workstation ~]$ oc delete project network-review

💡 Summary

  • OpenShift's software-defined network (SDN) implementation is based on Open vSwitch (OVS), and it provides a unified cluster network that lets pods across the OpenShift cluster communicate with each other.

  • An OpenShift service:

    has a unique IP address that clients connect to in order to reach the pods within the cluster.

    has an IP address that also comes from the OpenShift SDN; it is distinct from the pods' internal network but visible only inside the cluster.

    ensures that pods matching its selector are added to the service resource as endpoints. As pods are created and terminated, the endpoints behind the service are updated automatically.

  • For applications that need to be reached from outside the OpenShift cluster, there are two ways to achieve this:

    NodePort: exposes the service to external clients by binding to an available port on the node host, which then proxies connections to the service IP address. Node port numbers are limited to the range 30000-32767.

    OpenShift route: this method exposes the service with a unique URL. Use the oc expose command, or the OpenShift web console, to expose a service for external access.

  • Pods can communicate with servers outside the OpenShift cluster by using the host address through network address translation (NAT). NAT carries the network traffic through the host IP address.

  • OpenShift routes are implemented by a shared router service that runs as a pod inside the OpenShift instance and can be scaled and replicated like any other regular pod. The router service is based on the open source software HAProxy.

  • A route resource can be created like any other OpenShift resource, by supplying a JSON or YAML resource definition file to oc create, or with the oc expose command.

  • Routes created from a template or with the oc expose command (without an explicit --hostname option) get a generated DNS name of the form <route-name>-<project-name>.<default-domain>.

  • Routes support the following protocols: HTTP, HTTPS with SNI, WebSockets, and TLS with SNI.

  • You can create different types of routes:

    Edge termination: TLS termination takes place on the router, before the traffic is routed to the pods. The TLS certificate is served by the router, so it must be configured in the route.

    Pass-through termination: encrypted traffic is sent straight to the destination pod without the router providing TLS termination. No key or certificate is required; the destination pods are responsible for serving certificates for the endpoint's traffic.

    Re-encryption termination: re-encryption is a variant of edge termination in which the router terminates TLS with a certificate and then re-encrypts its connection to the endpoint, which may have a different certificate.

  • A wildcard policy lets a user define a route that covers all hosts within a domain. A route can specify its wildcard policy as part of its configuration using the wildcardPolicy field. The OpenShift router supports wildcard routes, which can be enabled by setting the ROUTER_ALLOW_WILDCARD_ROUTES environment variable to true.


The RHCA certification requires studying for and passing five exams, which takes quite some time of study and preparation. Keep at it, you can do it 🤪.

That is 金鱼哥's brief walkthrough of Chapter 3, OpenShift Networking -- Creating a Router: Exercise and Chapter Lab. I hope it helps those who read it.

💾 Red Hat certification column series:
RHCSA column: A Casual Take on RHCSA Certification
RHCE column: A Casual Take on RHCE Certification
This article is collected in the RHCA column: RHCA Memoir

If this article helped you, please give 金鱼哥 a like 👍. Writing is hard work; compared with the official wording, I prefer to explain each point in plain, easy-to-understand language.

If you are interested in operations and infrastructure, you are welcome to follow ❤️❤️❤️ 金鱼哥 ❤️❤️❤️; I will bring you plenty of rewards and surprises 💕💕!

[Copyright notice] This article is original content by a Huawei Cloud community user. When reposting, you must credit the source (Huawei Cloud community), the article link, the author and other basic information; otherwise the author and the community reserve the right to pursue liability. If you find content in the community that appears to be plagiarised, please report it by e-mail with supporting evidence; once verified, the community will remove the infringing content immediately. Reporting mailbox: cloudbbs@huaweicloud.com