Isolating routers to edge nodes

• Ensure that you have the following IAM roles:
  • Any platform access role for the cluster
  • Writer or Manager service access role for all namespaces
• Access your Red Hat OpenShift cluster.

To isolate your workload to edge worker nodes:

1. Create a worker pool with the label dedicated=edge or add the label to one of your existing worker pools.

   • To create a Classic worker pool, you can use the worker-pool create classic command.

     ibmcloud oc worker-pool create classic --name POOL_NAME --cluster CLUSTER --flavor FLAVOR --size-per-zone WORKERS_PER_ZONE --hardware ISOLATION --label dedicated=edge
     

   • To create a VPC worker pool, you can use the worker-pool create vpc-gen2 command.

     ibmcloud oc worker-pool create vpc-gen2 --name POOL_NAME --cluster CLUSTER --flavor FLAVOR --size-per-zone WORKERS_PER_ZONE --hardware ISOLATION --label dedicated=edge
     

   • To label an existing worker pool, you can use the worker-pool label set command.

     ibmcloud oc worker-pool label set --cluster CLUSTER --worker-pool POOL --label dedicated=edge
     

2. Verify that the worker pool and worker nodes have the dedicated=edge label.

   • To check the worker pool, use the get command.

     ibmcloud oc worker-pool get --cluster <cluster_name_or_ID> --worker-pool <worker_pool_name_or_ID>
     

   • To check individual worker nodes, review the Labels field of the output of the following command.

     oc describe node <worker_node_private_IP>
     

3. Retrieve all existing Ingress Controllers in the cluster.

   oc get ingresscontroller -n openshift-ingress-operator
   

   Example output

   NAME      AGE
   default   5h37m
   

4. Edit the Ingress Controller.

   oc edit ingresscontroller -n openshift-ingress-operator default
   

5. Set the spec.nodePlacement field to the following. For more information, see the Red Hat documentation.

   nodePlacement:
     nodeSelector:
       matchLabels:
         dedicated: edge
       tolerations:
       - effect: NoSchedule
         operator: Exists
   

6. Save and close the file.

7. Verify that router pods are scheduled onto edge nodes and are not scheduled onto compute nodes.

   oc describe nodes -l dedicated=edge | grep "router-*"
   

   Example output

   openshift-ingress                       router-default-7784f69c7c-qq577           100m (2%)     0 (0%)      256Mi (1%)       0 (0%)         5m4s
   openshift-ingress                       router-default-7784f69c7c-7rwrj           100m (2%)     0 (0%)      256Mi (1%)       0 (0%)         5m5s
   

8. Confirm that no router pods are deployed to non-edge nodes.

   oc describe nodes -l dedicated!=edge | grep "router-*"
   

   If the router pods are correctly deployed to edge nodes, no router pods are returned. Your routers are successfully rescheduled onto only edge worker nodes.

You labeled worker nodes in a worker pool with dedicated=edge and redeployed all the existing ALBs to the edge nodes. All subsequent ALBs that are added to the cluster are also deployed to an edge node in your edge worker pool. Next, you can prevent other workloads from running on edge worker nodes.