OpenShift - List egress rules using the oc get egressnetworkpolicy command

Egress provides a way for an application deployed on OpenShift to access an external URL, such as http://www.example.com.

Optionally, NetNamespace is used to assign an egress IP address to one or more namespaces, so that all egress traffic from the namespace is using a dedicated IP address. By assigning a specific egress IP address to a namespace, all outbound (egress) requests from applications in the project will come from the dedicated egress IP address, making it easier to find the requests that came from applications in the project. This also makes it possible to have two (or more) different projects share the same egress IP address, as a way to group similar projects together.

 

An OpenShift route or an Ingress route will provide a URL such as http://route001-project001.apps.openshift.example.com:8080 which is used to route a request onto a service, which is then routed onto a pod, and then to the container in the pod, and finally to the application running in the container.

 

If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.

The oc get egressnetworkpolicy command can be used to list the egress rules in your currently selected project / namespace. In this example, no egress rules have been created.

TIP

The -A or --all-namespaces flag can be used to list the egress network policies in every project / namespace.

The -n or --namespace flag can be used to list the egress network policy in a certain project / namespace.

~]$ oc get egressnetworkpolicy
No resources found in default namespace.

 

In this example, there is an egress network policy named egress-traffic.

~]$ oc get egressnetworkpolicy --namespace foo
NAME             AGE
egress-traffic   630d

 

The -A or --all-namespaces command can be used to list the egress network policies in each project / namespace.

~]$ oc get egressnetworkpolicy --all-namespaces
NAMESPACE           NAME                  AGE
project001          egress-traffic        543d
project002          egress-traffic        650d
project003          egress-traffic        650d

 

The oc describe egressnetworkpolicy command can be used to display egress related configuration. In this example, the egress settings for the project/namespace named foo is displayed. The rules are read in order, which means the deny rule should always be the very last rule.

~]$ oc describe egressnetworkpolicy egress-traffic --namespace foo
Name:        egress-traffic
Namespace:   project001
Created:     10 months ago
Labels:      <none>
Annotations: <none>
Rule:        Allow to 10.7.19.24
Rule:        Deny to 0.0.0.0/0

 

Or, the oc get egressnetworkpolicy command with the --output json‚Äč or --output yaml option can be used.

~]$ oc get egressnetworkpolicy egress-traffic --output json
{
    "apiVersion": "network.openshift.io/v1",
    "kind": "EgressNetworkPolicy",
    "metadata": {
        "creationTimestamp": "2022-01-05T14:56:39Z",
        "generation": 26,
        "managedFields": [
            {
                "apiVersion": "network.openshift.io/v1",
                "fieldsType": "FieldsV1",
                "fieldsV1": {
                    "f:spec": {
                        ".": {},
                        "f:egress": {}
                    }
                },
                "manager": "HashiCorp",
                "operation": "Update",
                "time": "2022-01-05T14:56:39Z"
            }
        ],
        "name": "egress-traffic",
        "namespace": "enterprise-services",
        "resourceVersion": "979952915",
        "uid": "07519a24-ad2d-4f6f-89b9-5d30aab6bf9f"
    },
    "spec": {
        "egress": [
            {
                "to": {
                    "cidrSelector": "10.7.19.0/24"
                },
                "type": "Allow"
            },
            {
                "to": {
                    "cidrSelector": "0.0.0.0/0"
                },
                "type": "Deny"
            }
        ]
    }
}

 

The --output jsonpath option can be used to print the value of a specific JSON key.

~]$ oc get egressnetworkpolicy egress-traffic --output jsonpath={.spec.egress[*].to.cidrSelector}
10.87.188.21/32 0.0.0.0/0

 




Did you find this article helpful?

If so, consider buying me a coffee over at Buy Me A Coffee

Add a Comment




We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.





Please enter a0ee7 in the box below so that we can be sure you are a human.