As a cluster administrator, you can use an egress firewall to
limit the external hosts that some or all pods can access from within the
cluster. An egress firewall supports the following scenarios:
-
A pod can only connect to internal hosts and cannot initiate connections to
the public internet.
-
A pod can only connect to the public internet and cannot initiate connections
to internal hosts that are outside the OKD cluster.
-
A pod cannot reach specified internal subnets or hosts outside the OKD cluster.
-
A pod can connect to only specific external hosts.
For example, you can allow one project access to a specified IP range but deny the same access to a different project. Or you can restrict application developers from updating from Python pip mirrors, and force updates to come only from approved sources.
|
egress firewall does not apply to the host network namespace. Pods with host networking enabled are unaffected by egress firewall rules.
|
You configure an egress firewall policy by creating an egressNetworkPolicy custom resource (CR) object. The egress firewall matches network traffic that meets any of the following criteria:
|
If your egress firewall includes a deny rule for 0.0.0.0/0 , access to your OKD API servers is blocked. To ensure that pods can access the OKD API servers, you must include the built-in join network 100.64.0.0/16 of Open Virtual Network (OVN) to allow access when using node ports together with an egressFirewall. You must also include the IP address range that the API servers listen on in your egress firewall rules, as in the following example:
apiVersion: network.openshift.io/v1
kind: egressNetworkPolicy
metadata:
name: default
namespace: <namespace> (1)
spec:
egress:
- to:
cidrSelector: <api_server_address_range> (2)
type: Allow
# ...
- to:
cidrSelector: 0.0.0.0/0 (3)
type: Deny
1 |
The namespace for the egress firewall. |
2 |
The IP address range that includes your OKD API servers. |
3 |
A global deny rule prevents access to the OKD API servers. |
To find the IP address for your API servers, run oc get ep kubernetes -n default .
|
|
You must have OpenShift SDN configured to use either the network policy or multitenant mode to configure an egress firewall.
If you use network policy mode, an egress firewall is compatible with only one policy per namespace and will not work with projects that share a network, such as global projects.
|
|
egress firewall rules do not apply to traffic that goes through routers. Any user with permission to create a Route CR object can bypass egress firewall policy rules by creating a route that points to a forbidden destination.
|
Limitations of an egress firewall
An egress firewall has the following limitations:
-
No project can have more than one egressNetworkPolicy object.
-
A maximum of one egressNetworkPolicy object with a maximum of 1,000 rules can be defined per project.
-
The default
project cannot use an egress firewall.
-
When using the OpenShift SDN default Container Network Interface (CNI) network provider in multitenant mode, the following limitations apply:
-
Global projects cannot use an egress firewall. You can make a project global by using the oc adm pod-network make-projects-global
command.
-
Projects merged by using the oc adm pod-network join-projects
command cannot use an egress firewall in any of the joined projects.
Violating any of these restrictions results in a broken egress firewall for the project, and might cause all external network traffic to be dropped.
An egress Firewall resource can be created in the kube-node-lease
, kube-public
, kube-system
, openshift
and openshift-
projects.
Matching order for egress firewall policy rules
The egress firewall policy rules are evaluated in the order that they are defined, from first to last. The first rule that matches an egress connection from a pod applies. Any subsequent rules are ignored for that connection.
How Domain Name Server (DNS) resolution works
If you use DNS names in any of your egress firewall policy rules, proper resolution of the domain names is subject to the following restrictions:
-
Domain name updates are polled based on a time-to-live (TTL) duration. By default, the duration is 30 seconds. When the egress firewall controller queries the local name servers for a domain name, if the response includes a TTL that is less than 30 seconds, the controller sets the duration to the returned value. If the TTL in the response is greater than 30 minutes, the controller sets the duration to 30 minutes. If the TTL is between 30 seconds and 30 minutes, the controller ignores the value and sets the duration to 30 seconds.
-
The pod must resolve the domain from the same local name servers when necessary. Otherwise the IP addresses for the domain known by the egress firewall controller and the pod can be different. If the IP addresses for a hostname differ, the egress firewall might not be enforced consistently.
-
Because the egress firewall controller and pods asynchronously poll the same local name server, the pod might obtain the updated IP address before the egress controller does, which causes a race condition. Due to this current limitation, domain name usage in egressNetworkPolicy objects is only recommended for domains with infrequent IP address changes.
|
The egress firewall always allows pods access to the external interface of the node that the pod is on for DNS resolution.
If you use domain names in your egress firewall policy and your DNS resolution is not handled by a DNS server on the local node, then you must add egress firewall rules that allow access to your DNS server’s IP addresses. if you are using domain names in your pods.
|