apiVersion: k8s.ovn.org/v1 kind: EgressFirewall metadata: name: default namespace: <namespace> (1) spec: egress: - to: cidrSelector: <api_server_address_range> (2) type: Allow # ... - to: cidrSelector: 0.0.0.0/0 (3) type: Deny
As a cluster administrator, you can create an egress firewall for a project that restricts egress traffic leaving your OKD cluster.
As a cluster administrator, you can use an egress firewall to limit the external hosts that some or all pods can access from within the cluster. An egress firewall supports the following scenarios:
A pod can only connect to internal hosts and cannot initiate connections to the public Internet.
A pod can only connect to the public Internet and cannot initiate connections to internal hosts that are outside the OKD cluster.
A pod cannot reach specified internal subnets or hosts outside the OKD cluster.
A pod can connect to only specific external hosts.
For example, you can allow one project access to a specified IP range but deny the same access to a different project. Or you can restrict application developers from updating from Python pip mirrors, and force updates to come only from approved sources.
You configure an egress firewall policy by creating an EgressFirewall custom resource (CR) object. The egress firewall matches network traffic that meets any of the following criteria:
An IP address range in CIDR format
A port number
A protocol that is one of the following protocols: TCP, UDP, and SCTP
If your egress firewall includes a deny rule for
To find the IP address for your API servers, run
For more information, see BZ#1988324.
Egress firewall rules do not apply to traffic that goes through routers. Any user with permission to create a Route CR object can bypass egress firewall policy rules by creating a route that points to a forbidden destination.
An egress firewall has the following limitations:
No project can have more than one EgressFirewall object.
A maximum of one EgressFirewall object with a maximum of 8,000 rules can be defined per project.
Violating any of these restrictions results in a broken egress firewall for the project, and may cause all external network traffic to be dropped.
You can define one or more rules for an egress firewall. A rule is either an
Allow rule or a
Deny rule, with a specification for the traffic that the rule applies to.
The following YAML describes an EgressFirewall CR object:
apiVersion: k8s.ovn.org/v1 kind: EgressFirewall metadata: name: <name> (1) spec: egress: (2) ...
|1||The name for the object must be
|2||A collection of one or more egress network policy rules as described in the following section.|
The following YAML describes an egress firewall rule object. The
egress stanza expects an array of one or more objects.
egress: - type: <type> (1) to: (2) cidrSelector: <cidr> (3) ports: (4) ...
|1||The type of rule. The value must be either
|2||A stanza describing an egress traffic match rule.|
|3||An IP address range in CIDR format.|
|4||Optional: A stanza describing a collection of network ports and protocols for the rule.|
ports: - port: <port> (1) protocol: <protocol> (2)
|1||A network port, such as
|2||A network protocol. The value must be either
The following example defines several egress firewall policy rules:
apiVersion: k8s.ovn.org/v1 kind: EgressFirewall metadata: name: default spec: egress: (1) - type: Allow to: cidrSelector: 126.96.36.199/24 - type: Deny to: cidrSelector: 0.0.0.0/0
|1||A collection of egress firewall policy rule objects.|
The following example defines a policy rule that denies traffic to the host at the
172.16.1.1 IP address, if the traffic is using either the TCP protocol and destination port
80 or any protocol and destination port
apiVersion: k8s.ovn.org/v1 kind: EgressFirewall metadata: name: default spec: egress: - type: Deny to: cidrSelector: 172.16.1.1 ports: - port: 80 protocol: TCP - port: 443
As a cluster administrator, you can create an egress firewall policy object for a project.
If the project already has an EgressFirewall object defined, you must edit the existing policy to make changes to the egress firewall rules.
A cluster that uses the OVN-Kubernetes default Container Network Interface (CNI) network provider plug-in.
Install the OpenShift CLI (
You must log in to the cluster as a cluster administrator.
Create a policy rule:
<policy_name>.yaml file where
<policy_name> describes the egress
In the file you created, define an egress policy object.
Enter the following command to create the policy object. Replace
<policy_name> with the name of the policy and
<project> with the project that the rule applies to.
$ oc create -f <policy_name>.yaml -n <project>
In the following example, a new EgressFirewall object is created in a project named
$ oc create -f default.yaml -n project1
Optional: Save the
<policy_name>.yaml file so that you can make changes later.