This feature is available only in Enterprise Edition.

To control static routes and IP rules on cluster nodes, use the static-routing-manager module.

To enable the module with default settings, apply the following ModuleConfig resource:

d8 k apply -f - <<EOF
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: static-routing-manager
spec:
  version: 1
  enabled: true
EOF

Routing table

The RoutingTable resource describes the target routing table and its associated routes.

To create a route in the main routing table, do the following:

  1. Apply the RoutingTable resource to create a new route (10.0.0.0/8 via 192.168.0.1) on nodes that match the specified nodeSelector:

    d8 k apply -f - <<EOF
    apiVersion: network.deckhouse.io/v1alpha1
    kind: RoutingTable
    metadata:
    name: myrt-main
    spec:
      ipRoutingTableID: 254 # Main routing table ID is 254
      routes:
      - destination: 10.0.0.0/8
        gateway: 192.168.0.1
      nodeSelector:
        node-role.deckhouse.io: load-balancer
    EOF
    
  2. To check the new route created in the main routing table, run the following command:

    ip -4 route ls
    

    In the output, you will see a list of routes, including the newly created 10.0.0.0/8 via 192.168.0.1:

    ...
    10.0.0.0/8 via 192.168.0.1 dev eth0 realm 216
    ...
    # The routed instruction 'realm 216' is used as a marker to identify the route managed by the module (d8 hex = 216 dec)
    

To create a route in an additional table, do the following:

  1. Apply the RoutingTable resource to create a new route (0.0.0.0/0 via 192.168.0.1) in table 10000 on nodes that match the specified nodeSelector:

    d8 k apply -f - <<EOF
    apiVersion: network.deckhouse.io/v1alpha1
    kind: RoutingTable
    metadata:
    name: myrt-extra
    spec:
      routes:
        - destination: 0.0.0.0/0
          gateway: 192.168.0.1
      nodeSelector:
        node-role.deckhouse.io: load-balancer
    status:
      ipRoutingTableID: 10000 # If spec.ipRoutingTableID isn't specified, it will be generated and placed into status automatically
        ...
    EOF
    
  2. To check the new route created in the additional table, run the following command:

    ip -4 route ls table 10000
    

    In the output, you will see a list of routes from table 10000, including the newly created default via 192.168.0.1:

    ...
    default via 192.168.0.1 dev eth0 realm 216
    ...
    

Routing rules

The IPRuleSet resource describes a set of IP rules that will be created on the nodes with the corresponding labels.

To apply a rule, do the following:

  1. Create the IPRuleSet resource to create an IP rule on nodes that match the specified nodeSelector:

    d8 k apply -f - <<EOF
    apiVersion: network.deckhouse.io/v1alpha1
    kind: IPRuleSet
    metadata:
      name: myiprule
    spec:
      rules:
        - selectors:
            from:
              - 192.168.111.0/24
              - 192.168.222.0/24
            to:
              - 8.8.8.8/32
              - 172.16.8.0/21
            sportRange:
              start: 100
              end: 200
            dportRange:
              start: 300
              end: 400
            ipProto: 6
          actions:
            lookup:
          routingTableName: myrt-extra
          priority: 50
      nodeSelector:
        node-role.deckhouse.io: load-balancer
    EOF
    
  2. To ensure the newly created rule was applied, run the following command:

    ip rule list
    

    In the output, you will see a list of configured rules:

    ...
    50: from 192.168.111.0/24 to 172.16.8.0/21 ipproto tcp sport 100-200 dport 300-400 lookup 10000 realms 216
    50: from 192.168.222.0/24 to 8.8.8.8 ipproto tcp sport 100-200 dport 300-400 lookup 10000 realms 216
    50: from 192.168.222.0/24 to 172.16.8.0/21 ipproto tcp sport 100-200 dport 300-400 lookup 10000 realms 216
    50: from 192.168.111.0/24 to 8.8.8.8 ipproto tcp sport 100-200 dport 300-400 lookup 10000 realms 216
    ...