Egress provides a way for an application deployed on OpenShift to send traffic out of the OpenShift cluster. For example, an application in a pod running on OpenShift may want to send a request to https://api.example.com and get a response from api.example.com.

There are two common types of Container Network Interfaces (CNI) used by OpenShift

• OpenShiftSDN
• OVNKubernetes

The following command can be used to determine if your OpenShift cluster is using OpenShiftSDN or OVNKubernetes.

oc get network.config/cluster --output jsonpath="{.spec.networkType}"

It is noteworthy that you may not need to assign an EgressIP address to your OpenShfit namespace to be able to send a request to a URL outside of your OpenShift cluster. The most basic architecture is that the OpenShift Container Network Interface (CNI) (OpenShiftSDN or OVNKubernetes) will translate the pod IP address to the external IP address of the node that the pod is running on. Assuming there is no additional IP or network address translation, when the request reaches the external URL, the request will show as coming from the nodes external IP address.

For example, let's say the pod IP address is 10.11.12.13 and the pod is running on my-node.

~]$ oc get pods --output wide
NAME     READY   STATUS    RESTARTS   AGE   IP             NODE
my-pod   1/1     Running   0          91d   10.11.12.13    my-node

And let's say the nodes external IP address is 10.11.12.15.

~]$ oc get node my-node --output wide
NAME       STATUS   ROLES            AGE    VERSION    INTERNAL-IP    EXTERNAL-IP
my-nodek   Ready    compute,worker   215d   v1.31.11   10.11.12.14    10.11.12.15

In this scenario, the OpenShift Container Network Interface (CNI) (OpenShiftSDN or OVNKubernetes) will translate the pod IP address 10.11.12.13 to the node external IP address 10.11.12.15. Assuming there is no additional IP or network address translation, when the request reaches the external URL, the request will show as coming from the nodes external IP address 10.11.12.15.

An Egress Network Policy is like a firewall with a list of allow and deny rules, to allow or deny requests to certain DNS hostnames and/or IP addresses, as an additional layer of security. This is often used as a sort of zero trust policy, to deny all Egress traffic except for requests that are explicitly allowed.

If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.

For example, let's say you have a YAML file named EgressNetworkPolicy.yml that contains the following markup. In this example, Egress requests from the namespace are only allowed to 10.45.6.123/24 and www.example.com. All other Egress requests are denied.

• cidrSelector is used to list in IP address subnet that is allowed / denied
• dnsName is used to list a DNS hostname that is allowed / denied

AVOID TROUBLE

The rules are evaluated in order, from the top most rule to the bottom most rule, thus the Deny rule should be the last rule.

apiVersion: network.openshift.io/v1
kind: EgressNetworkPolicy
metadata:
  name: egress-rules
  namespace: my-project
spec:
  egress:
  - type: Allow
    to:
      cidrSelector: 10.45.6.123/24
  - type: Allow
    to:
      dnsName: www.example.com
  - type: Deny
    to:
      cidrSelector: 0.0.0.0/0

The oc apply or oc create command with the -f or --filename option can be used to create egress rules using the template JSON or YAML file.

The oc replace command can be used to replace the egress rules using a new or updated template JSON or YAML file.

The oc edit command can be used to update the egress rules.

AVOID TROUBLE

There can only be one egressnetworkpolicy in a project / namespace

~]$ oc create --filename EgressNetworkPolicy.yml 
egressnetworkpolicy.network.openshift.io/egress-rules created

The oc get egressnetworkpolicy command can then be used to confirm that the egress network policy exists.

~]$ oc get egressnetworkpolicy
NAME           AGE
egress-rules   115s

The oc describe egressnetworkpolicy command can be used to display egress related configuration. In this example, the egress settings for the project/namespace named my-project is displayed. The rules are read in order, which means the deny rule should always be the very last rule.

~]$ oc describe egressnetworkpolicy egress-rules
Name:           egress-rules
Namespace:      my-project
Created:        2 minutes ago
Labels:         <none>
Annotations:    <none>
Rule:           Allow to 10.45.6.123/24
Rule:           Allow to www.example.com
Rule:           Deny to 0.0.0.0/0