The documentation is under development and may contain incomplete information.

This feature is available only in Enterprise Edition.

To control static routes and IP rules on cluster nodes, use the static-routing-manager module.

To enable the module with default settings, apply the following ModuleConfig resource:

    d8 k apply -f - <<EOF
    apiVersion: deckhouse.io/v1alpha1
    kind: ModuleConfig
    metadata:
      name: static-routing-manager
    spec:
      version: 1
      enabled: true
    EOF

Routing table

The RoutingTable resource describes the target routing table and its associated routes.

To create a route in the main routing table, do the following:

  1. Apply the RoutingTable resource to create a new route (10.0.0.0/8 via 192.168.0.1) on nodes that match the specified nodeSelector:

    d8 k apply -f - <<EOF
    apiVersion: network.deckhouse.io/v1alpha1
    kind: RoutingTable
    metadata:
      name: myrt-main
    spec:
      ipRoutingTableID: 254 # Main routing table ID is 254
      routes:
      - destination: 10.0.0.0/8
        gateway: 192.168.0.1
      nodeSelector:
        node-role.deckhouse.io: load-balancer
    EOF
    
  2. To check the new route created in the main routing table, run the following command:

    ip -4 route ls
    

    In the output, you will see a list of routes, including the newly created 10.0.0.0/8 via 192.168.0.1:

    ...
    10.0.0.0/8 via 192.168.0.1 dev eth0 realm 216
    ...
    # The 'realm 216' attribute on the route is a marker that identifies it as managed by the module (d8 hex = 216 dec)
    

To create a route in an additional table, do the following:

  1. Apply the RoutingTable resource to create a new route (0.0.0.0/0 via 192.168.0.1) in table 10000 on nodes that match the specified nodeSelector:

    d8 k apply -f - <<EOF
    apiVersion: network.deckhouse.io/v1alpha1
    kind: RoutingTable
    metadata:
      name: myrt-extra
    spec:
      routes:
        - destination: 0.0.0.0/0
          gateway: 192.168.0.1
      nodeSelector:
        node-role.deckhouse.io: load-balancer
    status:
      ipRoutingTableID: 10000 # If spec.ipRoutingTableID isn't specified, it will be generated and placed into status automatically
      # ...
    EOF
    
  2. To check the new route created in the additional table, run the following command:

    ip -4 route ls table 10000
    

    In the output, you will see a list of routes from table 10000, including the newly created default via 192.168.0.1:

    ...
    default via 192.168.0.1 dev eth0 realm 216
    ...
    

Routing rules

The IPRuleSet resource describes a set of IP rules that will be created on the nodes with the corresponding labels.

To apply a rule, do the following:

  1. Apply the IPRuleSet resource to create IP rules on nodes that match the specified nodeSelector:

    d8 k apply -f - <<EOF
    apiVersion: network.deckhouse.io/v1alpha1
    kind: IPRuleSet
    metadata:
      name: myiprule
    spec:
      rules:
        - selectors:
            from:
              - 192.168.111.0/24
              - 192.168.222.0/24
            to:
              - 8.8.8.8/32
              - 172.16.8.0/21
            sportRange:
              start: 100
              end: 200
            dportRange:
              start: 300
              end: 400
            ipProto: 6
          actions:
            lookup:
              routingTableName: myrt-extra
          priority: 50
      nodeSelector:
        node-role.deckhouse.io: load-balancer
    EOF
    
  2. To ensure the newly created rule was applied, run the following command:

    ip rule list
    

    In the output, you will see a list of configured rules:

    ...
    50: from 192.168.111.0/24 to 172.16.8.0/21 ipproto tcp sport 100-200 dport 300-400 lookup 10000 realms 216
    50: from 192.168.222.0/24 to 8.8.8.8 ipproto tcp sport 100-200 dport 300-400 lookup 10000 realms 216
    50: from 192.168.222.0/24 to 172.16.8.0/21 ipproto tcp sport 100-200 dport 300-400 lookup 10000 realms 216
    50: from 192.168.111.0/24 to 8.8.8.8 ipproto tcp sport 100-200 dport 300-400 lookup 10000 realms 216
    ...
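
The following check is an added example, not part of the Deckhouse documentation or the module's code. It expands the from and to selectors of the myiprule IPRuleSet into the four rule lines shown above and compares them with the rules marked realms 216 in `ip rule list` output. The function names and the sample_rules input are assumptions constructed for illustration; on a node, pipe `ip rule list` into audit_rules instead.

```shell
# Added example, not Deckhouse code. Function names and sample data are assumptions.

# Expand the from x to selectors of the myiprule IPRuleSet into the lines
# `ip rule list` prints; a /32 destination is shown without its prefix length.
expected_rules() {
  for from in 192.168.111.0/24 192.168.222.0/24; do
    for to in 8.8.8.8/32 172.16.8.0/21; do
      printf '50: from %s to %s ipproto tcp sport 100-200 dport 300-400 lookup 10000 realms 216\n' \
        "$from" "${to%/32}"
    done
  done
}

# Constructed `ip rule list` output: kernel default rules, three of the four
# expected rules, and one realm-216 rule that no IPRuleSet on the page describes.
sample_rules() {
  cat <<'EOF'
0: from all lookup local
40: from 10.9.9.0/24 lookup 10000 realms 216
50: from 192.168.111.0/24 to 172.16.8.0/21 ipproto tcp sport 100-200 dport 300-400 lookup 10000 realms 216
50: from 192.168.222.0/24 to 8.8.8.8 ipproto tcp sport 100-200 dport 300-400 lookup 10000 realms 216
50: from 192.168.222.0/24 to 172.16.8.0/21 ipproto tcp sport 100-200 dport 300-400 lookup 10000 realms 216
32766: from all lookup main
32767: from all lookup default
EOF
}

# Read `ip rule list` output on stdin, keep only rules carrying the realm 216
# marker (whitespace normalised), and report differences from the expected set.
audit_rules() {
  exp=$(expected_rules)
  act=$(awk '{ for (i = 1; i < NF; i++)
                 if ($i == "realms" && $(i + 1) == "216") { $1 = $1; print; next } }')
  report=$(
    printf '%s\n' "$exp" | while IFS= read -r r; do
      printf '%s\n' "$act" | grep -Fxq -- "$r" || printf 'MISSING %s\n' "$r"
    done
    printf '%s\n' "$act" | while IFS= read -r r; do
      [ -n "$r" ] || continue
      printf '%s\n' "$exp" | grep -Fxq -- "$r" || printf 'UNEXPECTED %s\n' "$r"
    done
  )
  [ -z "$report" ] && return 0
  printf '%s\n' "$report"
  return 1
}

sample_rules | audit_rules || echo "drift detected"
```

A MISSING line means a rule the resource describes is absent on the node; an UNEXPECTED line means a rule carries the module's marker but does not correspond to the resource.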