As an OpenShift Container Platform cluster administrator, you can modify the network traffic rules of an existing egress firewall for a project.
A cluster using the OpenShift SDN network plug-in.
Install the OpenShift Command-line Interface (CLI), commonly known as oc.
You must log in to the cluster as a cluster administrator.
To edit an existing egress network policy object for a project, complete the following steps:
Find the name of the EgressNetworkPolicy object for the project. Replace <project> with the name of the project.
$ oc get -n <project> egressnetworkpolicy
Optionally, if you did not save a copy of the EgressNetworkPolicy object when you created the egress network firewall, enter the following command to create a copy.
$ oc get -n <project> \ (1)
    egressnetworkpolicy <name> \ (2)
    -o yaml > <filename>.yaml (3)
1 | Replace <project> with the name of the project. |
2 | Replace <name> with the name of the object. |
3 | Replace <filename> with the name of the file to save the YAML. |
Enter the following command to replace the EgressNetworkPolicy object. Replace <filename> with the name of the file containing the updated EgressNetworkPolicy object.
$ oc replace -f <filename>.yaml
The following YAML describes an EgressNetworkPolicy CR object:
kind: EgressNetworkPolicy
apiVersion: v1
metadata:
  name: <name> (1)
spec:
  egress: (2)
  ...
1 | Specify a name for your egress firewall policy. |
2 | Specify a collection of one or more egress network policy rules as described in the following section. |
The following YAML describes an egress firewall rule object. The egress key expects an array of one or more objects.
egress:
- type: <type> (1)
  to: (2)
    cidrSelector: <cidr> (3)
    dnsName: <dns-name> (4)
1 | Specify the type of rule. The value must be either Allow or Deny. |
2 | Specify a value for either the cidrSelector key or the dnsName key for the rule. You cannot use both keys in a rule. |
3 | Specify an IP address range in CIDR format. |
4 | Specify a domain name. |
The following example defines several egress firewall policy rules:
kind: EgressNetworkPolicy
apiVersion: v1
metadata:
  name: default-rules (1)
spec:
  egress: (2)
  - type: Allow
    to:
      cidrSelector: 1.2.3.0/24
  - type: Allow
    to:
      dnsName: www.example.com
  - type: Deny
    to:
      cidrSelector: 0.0.0.0/0
1 | The name for the policy object. |
2 | A collection of egress firewall policy rule objects. |
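A pre-flight check for the edit procedure above and for the rule constraints just described, as an added example that is not part of the OpenShift documentation or product. Before running `oc replace`, it validates the edited policy: each rule's type is Allow or Deny, each rule sets exactly one of cidrSelector or dnsName, every cidrSelector parses as a CIDR range (host bits set are rejected, which is stricter than the API itself), and dnsName values look like hostnames. It also flags a CIDR rule that can never match because an earlier rule already covers its whole range, on the assumption (not stated on this page) that rules are evaluated top to bottom with the first match winning. The sample policies are constructed: `GOOD_POLICY` is the page's example written out as the dict a YAML loader returns, `BAD_POLICY` is a deliberately broken edit. To keep the script free of third-party YAML libraries, the usage line exports the object with `oc get ... -o json` instead of `-o yaml`.

```python
"""Pre-flight validator for an edited EgressNetworkPolicy (added example)."""
import ipaddress
import re

# RFC 1123 hostname label: 1-63 alphanumerics or hyphens, no leading/trailing hyphen.
# Assumption: this is a sufficient syntax check for dnsName values.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_rule(idx, rule):
    """Return a list of problems found in one egress rule (empty if it is valid)."""
    problems = []
    rtype = rule.get("type")
    if rtype not in ("Allow", "Deny"):  # the page: the value must be Allow or Deny
        problems.append(f"rule {idx}: type must be Allow or Deny, got {rtype!r}")
    to = rule.get("to")
    if not isinstance(to, dict):
        problems.append(f"rule {idx}: missing 'to' block")
        return problems
    has_cidr = "cidrSelector" in to
    has_dns = "dnsName" in to
    if has_cidr == has_dns:  # both set, or neither: the page allows exactly one
        problems.append(f"rule {idx}: specify exactly one of cidrSelector or dnsName")
    if has_cidr:
        try:
            # strict=True also rejects ranges with host bits set (e.g. 1.2.3.5/24),
            # a stricter check than the API performs, chosen to catch typos.
            ipaddress.ip_network(to["cidrSelector"], strict=True)
        except ValueError as exc:
            problems.append(f"rule {idx}: bad cidrSelector: {exc}")
    if has_dns:
        name = str(to["dnsName"]).rstrip(".")
        if not name or not all(_LABEL.match(label) for label in name.split(".")):
            problems.append(f"rule {idx}: bad dnsName {to['dnsName']!r}")
    return problems


def shadowed_rules(rules):
    """Indexes of CIDR rules whose whole range is covered by an earlier CIDR rule.
    Assumes first-match evaluation, under which such rules never take effect."""
    seen = []
    shadowed = []
    for idx, rule in enumerate(rules):
        cidr = (rule.get("to") or {}).get("cidrSelector")
        if cidr is None:
            continue  # dnsName rules are resolved at runtime; not compared here
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            continue  # already reported by check_rule
        if any(net.version == prev.version and net.subnet_of(prev) for prev in seen):
            shadowed.append(idx)
        seen.append(net)
    return shadowed


def validate_policy(policy):
    """Validate a decoded EgressNetworkPolicy; returns a list of problem strings."""
    problems = []
    if policy.get("kind") != "EgressNetworkPolicy":
        problems.append("kind must be EgressNetworkPolicy")
    rules = (policy.get("spec") or {}).get("egress")
    if not isinstance(rules, list) or not rules:
        return problems + ["spec.egress must be a non-empty list of rules"]
    for idx, rule in enumerate(rules):
        problems.extend(check_rule(idx, rule))
    for idx in shadowed_rules(rules):
        problems.append(f"rule {idx}: unreachable, an earlier rule already matches its range")
    return problems


# The page's example policy, written out as the dict a YAML loader would return.
GOOD_POLICY = {
    "kind": "EgressNetworkPolicy",
    "apiVersion": "v1",
    "metadata": {"name": "default-rules"},
    "spec": {"egress": [
        {"type": "Allow", "to": {"cidrSelector": "1.2.3.0/24"}},
        {"type": "Allow", "to": {"dnsName": "www.example.com"}},
        {"type": "Deny", "to": {"cidrSelector": "0.0.0.0/0"}},
    ]},
}

# Constructed bad edit: lowercase type, both selectors in one rule, and an Allow
# placed after the catch-all Deny, where it can never match.
BAD_POLICY = {
    "kind": "EgressNetworkPolicy",
    "apiVersion": "v1",
    "metadata": {"name": "default-rules"},
    "spec": {"egress": [
        {"type": "allow", "to": {"cidrSelector": "1.2.3.0/24", "dnsName": "www.example.com"}},
        {"type": "Deny", "to": {"cidrSelector": "0.0.0.0/0"}},
        {"type": "Allow", "to": {"cidrSelector": "10.0.0.0/8"}},
    ]},
}

if __name__ == "__main__":
    import json
    import sys
    # Usage: oc get -n <project> egressnetworkpolicy <name> -o json | python3 check_egress.py
    found = validate_policy(json.load(sys.stdin))
    print("\n".join(found) if found else "policy looks valid")
    sys.exit(1 if found else 0)
```

Run it on the exported JSON before `oc replace -f <filename>.yaml`; a non-zero exit means the edit should be corrected first. The shadowing check matters because the catch-all Deny in the page's example only works as intended when it is the last rule.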