OpenShift - Assign egress IP address to a project using the oc patch netnamespace command

Egress provides a way for an application deployed on OpenShift to access an external URL, such as http://www.example.com.

NetNamespace is used to assign an egress IP address to one or more namespaces, so that all egress traffic from the namespace is using a dedicated IP address. By assigning a specific egress IP address to a namespace, all outbound (egress) requests from applications in the project will come from the dedicated egress IP address, making it easier to find the requests that came from applications in the project. This also makes it possible to have two (or more) different projects share the same egress IP address, as a way to group similar projects together.

 

An OpenShift route or an Ingress route will provide a URL such as http://my-route-my-project.apps.openshift.example.com:8080 which is used to route a request onto a service, which is then routed onto a pod, and then to the container in the pod, and finally to the application running in the container.

 

If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.

The oc get netnamespaces command can be used to list the netid and egress IP addresses associated with a project / namespace. By default, a project will not have a dedicated egress IP address.

~]# oc get netnamespaces
NAME        NETID     EGRESS IPS
my-project  6509873

 

The oc get hostsubnet command can be used to list the IP address, subnet and CIDR associated with node. Each node is a virtual machine, such as an Amazon Web Services (AWS) EC2 instance or a VMWare virtual machine, and the Host IP is the IP address of the virtual machine.

~]$ oc get hostsubnet
NAME                   HOST                   HOST IP        SUBNET       EGRESS CIDRS       EGRESS IPS 
node001-edge-4lrp9     node001-edge-4lrp9     10.10.100.1    10.0.0.0/8   ["10.10.100.0/24"] ["10.10.100.1","10.10.100.2","10.10.100.3"]
node001-infra-68bb8    node001-infra-68bb8    10.10.100.2    10.0.0.0/8                                                                                                                                                                                              
node001-master-0       node001-master-0       10.10.100.4    10.0.0.0/8                                                                                                                                                                                               
node001-worker-4nplk   node001-worker-4nplk   10.10.100.7    10.0.0.0/8

 

The oc patch netnamespaces command can be used to assign an egress IP address to the project. By assigning a specific egress IP address to a project / namespace, all outbound requests from applications / services in the project will come from the egress IP address, making it easier to find the requests that came from applications / services in the project. 

AVOID TROUBLE

The egress IP address must be in the same subnet as the nodes egress CIDR. In this example, since the nodes egress CIDR is 10.10.100.0/24, the NetNamespace egress IP address assigned to the project must be in the 10.10.100.0/24 subnet.

~]# oc patch netnamespace my-project --type merge --patch '{ "egressIPs": [ "10.10.100.10" ] }'
netnamespace.network.openshift.io/my-project patched

 

Or using the JSON type. Since my-project does not have any egress IPs assigned, the "op" key should contain a value of "add"

~]# oc patch netnamespace my-project --type json --patch '[{ "op": "add", "path": "/egressIPs", "value": [ "10.10.100.10" ] }]'
netnamespace.network.openshift.io/my-project patched

 

The oc get netnamespace command can then be used to see that outbound requests from applications / services in the project will come from IP address 10.10.100.10.

~]# oc get netnamespaces
NAME        NETID     EGRESS IPS
my-project  6509873   ["10.10.100.10"]

 

Then the oc patch hostsubnet command can be used to assign the egress IP address one or more nodes.

~]# oc patch hostsubnet node001-edge-4lrp9 --type merge --patch '{ "egressIPs": [ "10.10.100.10" ] }'
hostsubnet.network.openshift.io/node001-edge-4lrp9 patched

 

The oc get hostsubnet command can then be used to see that the node has the egress IP address listed. In this example, node001-edge-4lrp9 now includes egress IP address 10.10.100.10.

~]$ oc get hostsubnet node001-edge-4lrp9
NAME                   HOST                   HOST IP        SUBNET         EGRESS CIDRS       EGRESS IPS 
node001-edge-4lrp9     node001-edge-4lrp9     10.10.100.1    10.10.0.0/23   ["10.10.100.0/24"] ["10.10.100.1","10.10.100.2","10.10.100.3","10.10.100.10"]

 

And here is how you can replace the IP address.

~]# oc patch netnamespace my-project --type merge --patch '{ "egressIPs": [ "10.10.100.11" ] }'
netnamespace.network.openshift.io/my-project patched

 

Or using the JSON type.

~]# oc patch netnamespace my-project --type json --patch '[{ "op": "replace", "path": "/egressIPs", "value": [ "10.10.100.11" ] }]'
netnamespace.network.openshift.io/my-project patched

 

And here is how you can remove the egress IPs.

~]# oc patch netnamespace my-project --type json --patch '[{ "op": "remove", "path": "/egressIPs" }]'
netnamespace.network.openshift.io/my-project patched

 

Did you find this article helpful?

If so, consider buying me a coffee over at Buy Me A Coffee

Add a Comment




We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.





Please enter f8f12 in the box below so that we can be sure you are a human.