As a cluster administrator, you can use an egress firewall to limit the external hosts that some or all pods can access from within the cluster. An egress firewall supports the following scenarios:
 
- 
A pod can only connect to internal hosts and cannot start connections to
the public internet. 
- 
A pod can only connect to the public internet and cannot start connections
to internal hosts that are outside the OKD cluster. 
- 
A pod cannot reach specified internal subnets or hosts outside the OKD cluster. 
- 
A pod can connect to only specific external hosts. 
 
For example, you can allow one project access to a specified IP range but deny the same access to a different project. Or you can restrict application developers from updating from Python pip mirrors, and force updates to come only from approved sources.
 
|  | 
Egress firewall does not apply to the host network namespace. Egress firewall rules do not impact any pods that have host networking enabled. | 
 
You configure an egress firewall policy by creating an EgressFirewall custom resource (CR) object. The egress firewall matches network traffic that meets any of the following criteria:
 
- 
An IP address range in CIDR format 
- 
A DNS name that resolves to an IP address 
- 
A port number 
- 
A protocol that is one of the following protocols: TCP, UDP, and SCTP 
 
|  | 
If your egress firewall includes a deny rule for 0.0.0.0/0, the rule blocks access to your OKD API servers. You must either add allow rules for each IP address or use thenodeSelectortype allow rule in your egress policy rules to connect to API servers. 
The following example illustrates the order of the egress firewall rules necessary to ensure API server access: 
apiVersion: k8s.ovn.org/v1
kind: EgressFirewall
metadata:
  name: default
  namespace: <namespace> (1)
spec:
  egress:
  - to:
      cidrSelector: <api_server_address_range> (2)
    type: Allow
# ...
  - to:
      cidrSelector: 0.0.0.0/0 (3)
    type: Deny
 
| 1 | The namespace for the egress firewall. |  
| 2 | The IP address range that includes your OKD API servers. |  
| 3 | A global deny rule prevents access to the OKD API servers. |  
To find the IP address for your API servers, run oc get ep kubernetes -n default. | 
 
|  | 
Egress firewall rules do not apply to traffic that goes through routers. Any user with permission to create a Route CR object can bypass egress firewall policy rules by creating a route that points to a forbidden destination. | 
 
Limitations of an egress firewall
An egress firewall has the following limitations:
 
- 
No project can have more than one EgressFirewall object. 
- 
A maximum of one EgressFirewall object with a maximum of 8,000 rules can be defined per project. 
- 
If you use the OVN-Kubernetes network plugin and you configured falsefor theroutingViaHostparameter in theNetworkcustom resource for your cluster, egress firewall rules impact the return ingress replies. If the egress firewall rules drop the ingress reply destination IP, the traffic is dropped.
 
 
Violating any of these restrictions results in a broken egress firewall for the project. As a result, all external network traffic drops, which can cause security risks for your organization.
 
You can create an Egress Firewall resource in the kube-node-lease, kube-public, kube-system, openshift and openshift- projects.
 
 
Matching order for egress firewall policy rules
The OVN-Kubernetes network plugin evaluates egress firewall policy rules based on the first-to-last order of how you defined the rules. The first rule that matches an egress connection from a pod applies. The plugin ignores any subsequent rules for that connection.
 
 
Domain Name Server (DNS) resolution
If you use DNS names in any of your egress firewall policy rules, proper resolution of the domain names is subject to the following restrictions:
 
- 
Domain name updates are polled based on a time-to-live (TTL) duration. By default, the duration is 30 minutes. When the egress firewall controller queries the local name servers for a domain name, if the response includes a TTL and the TTL is less than 30 minutes, the controller sets the duration for that DNS name to the returned value. Each DNS name is queried after the TTL for the DNS record expires. 
- 
The pod must resolve the domain from the same local name servers when necessary. Otherwise the IP addresses for the domain known by the egress firewall controller and the pod can be different. If the IP addresses for a hostname differ, consistent enforcement of the egress firewall does not apply. 
- 
Because the egress firewall controller and pods asynchronously poll the same local name server, the pod might obtain the updated IP address before the egress controller does, which causes a race condition. Due to this current limitation, domain name usage in EgressFirewall objects is only recommended for domains with infrequent IP address changes. 
 
|  | 
Using DNS names in your egress firewall policy does not affect local DNS resolution through CoreDNS. 
If your egress firewall policy uses domain names, and an external DNS server handles DNS resolution for an affected pod, you must include egress firewall rules that allow access to the IP addresses of your DNS server. | 
 
Improved DNS resolution and resolving wildcard domain names
There might be situations where the IP addresses associated with a DNS record change frequently, or you might want to specify wildcard domain names in your egress firewall policy rules.
 
In this situation, the OVN-Kubernetes cluster manager creates a DNSNameResolver custom resource object for each unique DNS name used in your egress firewall policy rules. This custom resource stores the following information:
 
|  | 
Improved DNS resolution for egress firewall rules is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. | 
 
Example DNSNameResolver CR definition
apiVersion: networking.openshift.io/v1alpha1
kind: DNSNameResolver
spec:
  name: www.example.com. (1)
status:
  resolvedNames:
  - dnsName: www.example.com. (2)
    resolvedAddress:
    - ip: "1.2.3.4" (3)
      ttlSeconds: 60 (4)
      lastLookupTime: "2023-08-08T15:07:04Z" (5)
 
 
| 1 | The DNS name. This can be either a standard DNS name or a wildcard DNS name. For a wildcard DNS name, the DNS name resolution information contains all of the DNS names that match the wildcard DNS name. | 
| 2 | The resolved DNS name matching the spec.namefield. If thespec.namefield contains a wildcard DNS name, then multiplednsNameentries are created that contain the standard DNS names that match the wildcard DNS name when resolved. If the wildcard DNS name can also be successfully resolved, then this field also stores the wildcard DNS name. | 
| 3 | The current IP addresses associated with the DNS name. | 
| 4 | The last time-to-live (TTL) duration. | 
| 5 | The last lookup time. | 
 
If during DNS resolution the DNS name in the query matches any name defined in a DNSNameResolver CR, then the previous information is updated accordingly in the CR status field. For unsuccessful DNS wildcard name lookups, the request is retried after a default TTL of 30 minutes.
 
The OVN-Kubernetes cluster manager watches for updates to an EgressFirewall custom resource object, and creates, modifies, or deletes DNSNameResolver CRs associated with those egress firewall policies when that update occurs.
 
|  | 
Do not modify DNSNameResolvercustom resources directly. This can lead to unwanted behavior of your egress firewall. |