OPENSHIFT NETWORKING FROM A CONTAINER/WORKLOAD POINT OF VIEW – PART 6: CONTROLLING EGRESS TRAFFIC

OpenShift 3.3 and later contain the functionality to route pod traffic to the external world via a well-defined IP address. This is useful for example if your external services are protected using a firewall and you do not want to open the firewall to all cluster nodes. The way it works is that a egress … Read moreOPENSHIFT NETWORKING FROM A CONTAINER/WORKLOAD POINT OF VIEW – PART 6: CONTROLLING EGRESS TRAFFIC

OPENSHIFT NETWORKING FROM A CONTAINER/WORKLOAD POINT OF VIEW – PART 5: OPENSHIFT ROUTER

In the OpenShift world, Services take place on the OSI Layer 3 / IP, while Routing is an OSI Layer 7 / HTTP/TLS concept. Once you’ve wrapped your head around this backwards choice of naming, things are fairly easy: An OpenShift Router is a component which listens on a physical host’s HTTP/S ports for incoming … Read moreOPENSHIFT NETWORKING FROM A CONTAINER/WORKLOAD POINT OF VIEW – PART 5: OPENSHIFT ROUTER

OPENSHIFT NETWORKING FROM A CONTAINER/WORKLOAD POINT OF VIEW – PART 4: CONTAINER NETWORKING USING OPENSHIFT/KUBERNETES SERVICES

To allow stable endpoints in an environment of ever changing starting and stopping Pods (and therefore constantly changing IP addresses), Kubernetes introduces (and OpenShift uses) the concept of services. Services are stable IP addresses (taken per default from the 172.30.0.0/16 subnet) that remain the same as long as the service exists. Connection requests to a … Read moreOPENSHIFT NETWORKING FROM A CONTAINER/WORKLOAD POINT OF VIEW – PART 4: CONTAINER NETWORKING USING OPENSHIFT/KUBERNETES SERVICES

OPENSHIFT NETWORKING FROM A CONTAINER/WORKLOAD POINT OF VIEW – PART 3: CONTAINER NETWORKING ACROSS OPENSHIFT NODES

So far, this sounds like a lot of effort to achieve a little more than a plain docker host – containers that can talk to each other and to the host network, potentially segregated based on kubernetes namespace. However OpenShift SDN also allows pods on different nodes to communicate with each other. To this end, … Read moreOPENSHIFT NETWORKING FROM A CONTAINER/WORKLOAD POINT OF VIEW – PART 3: CONTAINER NETWORKING ACROSS OPENSHIFT NODES

OpenShift Networking from a container/workload point of view – Part 2: Container Networking on an OpenShift Node

In OpenShift, networking is equally simple from a container point of view. Within the container’s namespace there is a eth0 network interface configured and services such as DNS just work. You can still use dedicated NICs on the host to isolate specific types of traffic. What’s the difference? It turns out there is hardly any … Read moreOpenShift Networking from a container/workload point of view – Part 2: Container Networking on an OpenShift Node

OpenShift 3.1 Networking from a container/workload point of view – Part 1: Container Networking on a plain Docker Host

From a container point of view, networking on a plain Docker Host is simple. A running container is nothing more than a Linux process which is namespaced and constrained with regards to access (SELinux) and resource consumption (cgroups). In each namespace, there is a single (virtual) network interface called eth0 which is assigned an IP … Read moreOpenShift 3.1 Networking from a container/workload point of view – Part 1: Container Networking on a plain Docker Host

How to trace IPTables in RHEL7 / CENTOS7

If you are debugging IPTables, it is handy to be able to trace the packets while it traverses the various chains. I was trying to find out why port forwarding from the external NIC to a virtual machine attached to a virtual bridge device was not working. You need to perform the following preparations: Load … Read moreHow to trace IPTables in RHEL7 / CENTOS7