If your egress firewall includes a deny rule for 0.0.0.0/0, access to your OKD API servers is blocked. You must include the IP address range that the API servers listen on in your egress firewall rules.
If you use the OVN-Kubernetes network plugin, you must include the built-in join network 100.64.0.0/16 to allow access when using node ports together with an egress firewall. If you changed this join network during cluster installation, use the value that you specified instead of 100.64.0.0/16.
The following example illustrates the order of the egress firewall rules necessary to ensure API server access:
apiVersion: k8s.ovn.org/v1
kind: EgressFirewall
metadata:
  name: default
  namespace: <namespace> (1)
spec:
  egress:
  - to:
      cidrSelector: <api_server_address_range> (2)
    type: Allow
  # ...
  - to:
      cidrSelector: 0.0.0.0/0 (3)
    type: Deny
(1) The namespace for the egress firewall.
(2) The IP address range that includes your OKD API servers.
(3) A global deny rule. Because rules are applied in order, it must come after the allow rule; on its own it prevents access to the OKD API servers.
To find the IP address for your API servers, run oc get ep kubernetes -n default.
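The following script is an added example and is not part of the OKD documentation. It expresses the spec.egress list of the EgressFirewall above as Python dictionaries, evaluates rules in order with first-match semantics, and reports whether each API server endpoint address and the OVN-Kubernetes join network are allowed before the global deny. The API server range 10.0.0.0/24 and the endpoint addresses are constructed placeholders standing in for <api_server_address_range> and the output of oc get ep kubernetes -n default; only cidrSelector rules are evaluated.

```python
"""Check that an EgressFirewall leaves the OKD API servers reachable.

Added example, not part of the OKD documentation. It mirrors the YAML
pattern on the page: an Allow rule for the API server range (and, for
OVN-Kubernetes, the join network) must precede the global 0.0.0.0/0 Deny.
"""
import ipaddress

# Constructed sample: the spec.egress list of an EgressFirewall expressed as
# Python dicts. 10.0.0.0/24 is a placeholder for <api_server_address_range>.
CORRECT_RULES = [
    {"type": "Allow", "to": {"cidrSelector": "10.0.0.0/24"}},    # API server range (placeholder)
    {"type": "Allow", "to": {"cidrSelector": "100.64.0.0/16"}},  # OVN-Kubernetes join network
    {"type": "Deny", "to": {"cidrSelector": "0.0.0.0/0"}},       # global deny, must be last
]

# The same rules with the global deny first: the failure mode described on the page.
MISORDERED_RULES = [CORRECT_RULES[2], CORRECT_RULES[0], CORRECT_RULES[1]]

# Constructed sample of the endpoint addresses `oc get ep kubernetes -n default` would list.
API_SERVER_IPS = ["10.0.0.5", "10.0.0.6", "10.0.0.7"]

JOIN_NETWORK = "100.64.0.0/16"  # use the value chosen at install time if it was changed


def first_match(rules, dest_ip):
    """Return (index, type) of the first rule whose cidrSelector contains dest_ip.

    Rules are evaluated in spec.egress order and the first match wins, so an
    Allow placed after a covering Deny never takes effect. Rules without a
    cidrSelector (for example dnsName rules) are skipped by this example.
    Returns (None, None) when no rule matches.
    """
    ip = ipaddress.ip_address(dest_ip)
    for index, rule in enumerate(rules):
        selector = rule.get("to", {}).get("cidrSelector")
        if selector is None:
            continue
        if ip in ipaddress.ip_network(selector, strict=False):
            return index, rule["type"]
    return None, None


def cidr_is_allowed(rules, cidr):
    """Return True when every address in cidr reaches an Allow rule before any Deny.

    Conservative: a Deny that overlaps the range before a fully covering Allow
    counts as blocked, and a range no rule mentions is reported as not allowed.
    """
    target = ipaddress.ip_network(cidr, strict=False)
    for rule in rules:
        selector = rule.get("to", {}).get("cidrSelector")
        if selector is None:
            continue
        network = ipaddress.ip_network(selector, strict=False)
        if not target.overlaps(network):
            continue
        if rule["type"] == "Deny":
            return False
        if target.subnet_of(network):
            return True
        # An Allow covering only part of the range: keep scanning for the rest.
    return False


def check_api_access(rules, api_ips, join_network=JOIN_NETWORK):
    """Return a list of findings; an empty list means API access is preserved."""
    findings = []
    for ip in api_ips:
        index, verdict = first_match(rules, ip)
        if verdict != "Allow":
            findings.append(
                f"API server {ip}: first matching rule is #{index} ({verdict}), expected Allow"
            )
    if not cidr_is_allowed(rules, join_network):
        findings.append(
            f"join network {join_network} is not allowed before the global deny; "
            "node port access through the egress firewall will fail"
        )
    return findings


if __name__ == "__main__":
    for label, rules in (("correct", CORRECT_RULES), ("misordered", MISORDERED_RULES)):
        result = check_api_access(rules, API_SERVER_IPS)
        print(f"{label}: {'OK' if not result else 'BLOCKED'}")
        for finding in result:
            print("  -", finding)
```

Running the script reports the correctly ordered rules as OK and lists four findings for the misordered variant: each of the three API server addresses hits the global deny first, and the join network is denied before it is allowed. To check a real EgressFirewall, replace the constructed lists with the output of oc get egressfirewall -n <namespace> -o yaml and oc get ep kubernetes -n default.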