Managing Egress Traffic Using Static Route

One of the standard Service Proxy for Kubernetes (SPK) Custom Resource Definitions (CRDs) is f5-spk-staticroutes.k8s.f5net.com. This CRD allows the SPK administrator to manage the TMM static routing table: by creating a Static Route Custom Resource (CR), the administrator directs traffic by defining the next hop for a subnet. The F5SPKStaticRoute CR can define a distinct egress and ingress route for the namespaces watched by SPK.

What is Egress and Ingress Traffic

The terms ingress and egress refer to the direction of traffic flow. When working with OpenShift and Kubernetes, this traffic generally originates or terminates at a pod. Egress traffic is packets that originate from a pod inside the OpenShift or Kubernetes network and travel out through switches and routers to an external destination. Ingress is the opposite: traffic that originates outside a given network and travels to a pod inside it.

Important

Proxying of egress traffic through f5-tmm from namespaces watched by f5ingress is disabled by default.

Note

The SPK Controller contains multiple pods. We will refer to the controller pod as f5ingress.

Environment Assumptions

This use case makes some assumptions about the environment where this configuration would be applied.

  • You have access to an existing healthy OpenShift environment.

  • You deployed SPK version 1.6.0.

  • You have an available network reachable by an additional gateway other than the default one.

    • In this guide's example, 192.168.20.0/24 is the default external network and 10.10.0.0/16 is the additional external network.

  • You have deployed an application to your watchNamespace.

  • You enabled egress traffic.

Default Egress Routing

In the OpenShift cluster we have deployed a Pod called web-tier1 into the event1 namespace. Egress traffic from this pod will leave the OpenShift cluster via the external interface of the TMM pod. Egress traffic from this Pod will then be routed to the default gateway, 192.168.20.1.

Egress default path

Custom Egress Routing

However, the administrator requires that egress traffic sourced from the event1 namespace be routable to the 10.10.0.0/16 network. This requires adding a static route to the f5-tmm pod that sends that traffic to the second router, 10.10.20.254. The F5SPKStaticRoute CR defines a static route in the f5-tmm pod; the object must specify the destination network, subnet prefix length, and gateway IP address.

Egress modified path

Sample Static Route CR

The following SPK configuration object meets these requirements for the illustrated environment.

apiVersion: "k8s.f5net.com/v1"
kind: F5SPKStaticRoute
metadata:
  name: "event1-static-route-10-10-20.0"
  namespace: event1
spec:
  destination: 10.10.0.0
  prefixLen: 16
  gateway: 10.10.255.254
  type: gateway
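Because a static route applied to f5-tmm changes where every pod in the watched namespace sends its egress traffic, it is worth checking a CR before applying it. The following Python validator is an added example, not part of the SPK documentation or product; it assumes the manifest has already been loaded into a dict (for example with yaml.safe_load) and that the set of namespaces f5ingress watches is known. It verifies the object's kind and API version, that the namespace is watched, that destination and prefixLen describe a proper network with no host bits set, that the gateway is a valid address of the same IP family, and it refuses a catch-all route (prefixLen 0) unless explicitly allowed, since that would silently replace the default egress path.

```python
import copy
import ipaddress

# The sample F5SPKStaticRoute CR from this page, as the dict that
# yaml.safe_load() would return (constructed here so the check runs offline).
SAMPLE_CR = {
    "apiVersion": "k8s.f5net.com/v1",
    "kind": "F5SPKStaticRoute",
    "metadata": {"name": "event1-static-route-10-10-20.0", "namespace": "event1"},
    "spec": {"destination": "10.10.0.0", "prefixLen": 16,
             "gateway": "10.10.255.254", "type": "gateway"},
}


def with_spec(cr, **overrides):
    """Return a deep copy of the CR with selected spec fields replaced."""
    modified = copy.deepcopy(cr)
    modified["spec"].update(overrides)
    return modified


def validate_static_route(cr, watched_namespaces, allow_default_route=False):
    """Return a list of problems; an empty list means the CR is safe to apply."""
    problems = []
    if cr.get("apiVersion") != "k8s.f5net.com/v1" or cr.get("kind") != "F5SPKStaticRoute":
        problems.append("not an F5SPKStaticRoute of k8s.f5net.com/v1")
    ns = cr.get("metadata", {}).get("namespace")
    if ns not in watched_namespaces:
        problems.append(f"namespace {ns!r} is not watched by f5ingress")
    spec = cr.get("spec", {})
    for key in ("destination", "prefixLen", "gateway", "type"):
        if key not in spec:
            problems.append(f"spec.{key} is missing")
    if problems:
        return problems  # the address checks below need a complete spec
    try:
        # strict=True rejects a destination with host bits set (10.10.20.0/16)
        net = ipaddress.ip_network(f"{spec['destination']}/{spec['prefixLen']}", strict=True)
    except ValueError as exc:
        return [f"destination/prefixLen is not a valid network: {exc}"]
    try:
        gw = ipaddress.ip_address(spec["gateway"])
    except ValueError:
        return [f"gateway {spec['gateway']!r} is not a valid IP address"]
    if gw.version != net.version:
        problems.append("gateway and destination are different IP versions")
    if net.prefixlen == 0 and not allow_default_route:
        problems.append("prefixLen 0 would replace the default egress path; needs explicit approval")
    return problems
```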