AV-224356: Documentation for Restricting FQDN to single namespace #1611

Open. Wants to merge 1 commit into base: master.
36 changes: 36 additions & 0 deletions docs/ako_fqdnrestriction.md
@@ -0,0 +1,36 @@
# Restricting FQDN to single Namespace

## Overview

In Kubernetes environment, ingresses, deployed in multiple namespaces, can have same host(FQDN). In OpenShift, when `Route Admission Policy` is `InterNamespaceAllowed`, then routes from multiple namespaces can have same host(FQDN). For such deployment, AKO combines such routes/ingresses under one Virtual Service at AviController.

With AKO 1.13.1, AKO has introduced feature to restrict FQDN to single namespace.

## Configuration

AKO has introduced knob `fqdnReusePolicy` in `L7Settings` section of `values.yaml`.

```yaml
L7Settings:
.
.
.
fqdnReusePolicy: "InterNamespaceAllowed"
```

`fqdnReusePolicy` can be assigned to one of the two values `InterNamespaceAllowed` or `Strict`.
Contributor (review comment): Should add a comma after values,

When value is `InterNamespaceAllowed`, AKO accepts ingresses with same host/FQDN from all namespaces. This is the `default` value.

When value is `Strict`, AKO restrict FQDN to single namespace. FQDN will be associated with namespace which claims it first. For example, if `ingress1` in `red` namespace is deployed with `foo.avi.internal`, then with `Strict` setting, `foo.avi.internal` will be associated with `red` namespace. Now `ingress2` in `default` namespace is deployed with `foo.avi.internal`, then AKO will reject `ingress2` with message `host already claimed`. VirtualService and corresponding AviController objects for `ingress2` will not be created.
Contributor (review comment):
restrict -> restricts
FQDN to single namespace -> FQDN to a single namespace
with message -> with the message


In `Strict` setting, AKO does not associated one FQDN with another namespace automatically if all ingresses with given FQDN is deleted from claimed namespace. For above example, if `ingress1` in `red` is deleted and there is no other ingress in `red` namespace associated with `foo.avi.internal`, AKO will not associate `foo.avi.internal` with `ingress2` of `default` namespace. User has to do create/update operation on ingresses, associated with `foo.avi.internal`, to claim the FQDN. User can also reboot the AKO to associate `foo.avi.internal` with `default` namespace.
Contributor (review comment): Can be slightly rephrased to:
In Strict setting, AKO does not associate one FQDN with another namespace automatically if all ingresses with the given FQDN are deleted from the claimed namespace. For the above example, if ingress1 in red is deleted and there is no other ingress in the red namespace associated with foo.avi.internal, AKO will not associate foo.avi.internal with ingress2 of the default namespace. The user has to do a create/update operation on ingresses associated with foo.avi.internal to claim the FQDN. The user can also reboot the AKO to associate foo.avi.internal with the default namespace.


For ingresses with multiple hosts(FQDNS), if one of the FQDN is not accepted by AKO then whole ingress will not be accepted by AKO and configuration defined in that ingress will not be applied at AviController side.
Contributor (review comment):
FQDNS -> FQDNs
FQDN -> FQDNs


AKO has above similar behaviour for OpenShift Routes under this knob.

**Note:**
1. Setting `fqdnReusePolicy` is applicable only in EVH deployment of AKO.
2. This setting is not applicable to GatewayAPI objects.
3. Change in value of `fqdnReusePolicy` requires AKO reboot.
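
Review bot: The `Strict` section leaves the ordering rule undefined for the case that matters most operationally: when AKO starts or is rebooted (which Note 3 says is required after changing the knob) while ingresses in two namespaces already carry the same host, "claims it first" has no stated meaning, so say how the winner is chosen at full sync, or state that it is not guaranteed, since an unexpected winner silently takes over all traffic for that FQDN on the shared Virtual Service. Two smaller points: the only observable signal mentioned is the `host already claimed` message, so state where it surfaces (an Event on the Ingress/Route, the AKO log) so operators can alert on a rejected claim; and in the `values.yaml` snippet the `.` placeholder lines and `fqdnReusePolicy` sit flush with `L7Settings:`, which is not valid YAML, so indent the key under `L7Settings` and use a `# ...` comment for the elision.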

2 changes: 1 addition & 1 deletion docs/install/helm.md
Expand Up @@ -158,7 +158,7 @@ The following table lists the configurable parameters of the AKO chart and their
| `L4Settings.defaultDomain` | Specify a default sub-domain for L4 LB services | First domainname found in cloud's dnsprofile |
| `L4Settings.autoFQDN` | Specify the layer 4 FQDN format | default |
| `L7Settings.noPGForSNI` | Skip using Pool Groups for SNI children | false |
| `L7Settings.l7ShardingScheme` | Sharding scheme enum values: hostname, namespace | hostname |
| `L7Settings.fqdnReusePolicy` | Restrict FQDN to single namespace if set to `Strict`. enum: InterNamespaceAllowed, Strict | InterNamespaceAllowed |
| `AKOSettings.cniPlugin` | CNI Plugin being used in kubernetes cluster. Specify one of: calico, canal, flannel, openshift, antrea, ncp, ovn-kubernetes, cilium | **required** for calico, openshift, ovn-kubernetes, ncp setups. For Cilium CNI, set the string as **cilium** only when using Cluster Scope mode for IPAM and leave it empty if using Kubernetes Host Scope mode for IPAM. |
| `AKOSettings.enableEvents` | enableEvents can be changed dynamically from the configmap | true |
| `AKOSettings.logLevel` | logLevel enum values: INFO, DEBUG, WARN, ERROR. logLevel can be changed dynamically from the configmap | INFO |
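
Review bot: The new `L7Settings.fqdnReusePolicy` row should follow the enum wording used two rows up (`Sharding scheme enum values: hostname, namespace`), e.g. `enum values: InterNamespaceAllowed, Strict`, and should carry the two constraints documented in docs/ako_fqdnrestriction.md: the knob only takes effect in EVH deployments and a change requires an AKO restart. Without them a reader of the parameter table alone will set `Strict` on a non-EVH deployment and get no restriction.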
8 changes: 8 additions & 0 deletions docs/values.md
Expand Up @@ -203,6 +203,14 @@ ingress object.

If you do not use ingress classes, then keep this knob untouched and AKO will take care of syncing all your ingress objects to Avi.

### L7Settings.fqdnReusePolicy

This field is used to restrict or allow FQDN to be spanned across multiple namespace.
Contributor (review comment): namespace -> namespaces


* InterNamespaceAllowed: With this value, AKO will allowed hostname/FQDN to be associate with Ingresses/Routes, spanned across multiple namespaces.
Contributor (review comment): Rephrase as:
InterNamespaceAllowed: With this value, AKO will allow hostnames/FQDNs to be associated with Ingresses/Routes, spanning across multiple namespaces.


* Strict: With this value, AKO will restrict hostname/FQDN to be associated with Ingresses/Routes, present in the same namespace.

### L4Settings.defaultDomain

If you have multiple sub-domains configured in your Avi cloud, use this knob to specify the default sub-domain.
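
Review bot: The `Strict` bullet only says the FQDN is restricted to one namespace; it should state which namespace wins (the first to claim it, per docs/ako_fqdnrestriction.md), that later Ingresses/Routes reusing the host are rejected rather than merged into the shared Virtual Service, and that the claim is not released automatically when the claiming namespace's ingresses are deleted. Linking to docs/ako_fqdnrestriction.md, and repeating the EVH-only and restart-required notes from it, would keep the two descriptions consistent.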