As a cluster administrator, you can configure the OpenShift SDN default Container Network Interface (CNI) network provider to assign one or more egress IP addresses to a project.
By configuring an egress IP address for a project, all outgoing external connections from the specified project will share the same, fixed source IP address. External resources can recognize traffic from a particular project based on the egress IP address. An egress IP address assigned to a project is different from the egress router, which is used to send traffic to specific destinations.
Egress IP addresses are implemented as additional IP addresses on the primary network interface of the node and must be in the same subnet as the node’s primary IP address.
Egress IP addresses must not be configured in any Linux network configuration files. Egress IPs on Amazon Web Services (AWS), Google Cloud Platform (GCP), and Azure are supported only on OpenShift Container Platform version 4.10 and later. Allowing additional IP addresses on the primary network interface might require extra configuration when using some cloud or virtual machine solutions.
You can assign egress IP addresses to namespaces by setting the egressIPs parameter of the NetNamespace object. After an egress IP is associated with a project, OpenShift SDN allows you to assign egress IPs to hosts in two ways:
In the automatically assigned approach, an egress IP address range is assigned to a node.
In the manually assigned approach, a list of one or more egress IP addresses is assigned to a node.
Namespaces that request an egress IP address are matched with nodes that can host those egress IP addresses, and then the egress IP addresses are assigned to those nodes.
If the egressIPs parameter is set on a NetNamespace object, but no node hosts that egress IP address, then egress traffic from the namespace will be dropped.
High availability of nodes is automatic. If a node that hosts an egress IP address is unreachable and there are nodes that are able to host that egress IP address, then the egress IP address will move to a new node. When the unreachable node comes back online, the egress IP address automatically moves to balance egress IP addresses across nodes.
The following limitations apply when using egress IP addresses with the OpenShift SDN cluster network provider:
If you use OpenShift SDN in multitenant mode, you cannot use egress IP addresses with any namespace that is joined to another namespace by the projects that are associated with them.
For example, if
When using the automatic assignment approach for egress IP addresses the following considerations apply:
You set the egressCIDRs parameter of each node’s HostSubnet resource to indicate the range of egress IP addresses that can be hosted by a node.
OpenShift Container Platform sets the egressIPs parameter of the HostSubnet resource based on the IP address range you specify.
If the node hosting the namespace’s egress IP address is unreachable, OpenShift Container Platform will reassign the egress IP address to another node with a compatible egress IP address range. The automatic assignment approach works best for clusters installed in environments with flexibility in associating additional IP addresses with nodes.
This approach is used for clusters where there can be limitations on associating additional IP addresses with nodes such as in public cloud environments.
When using the manual assignment approach for egress IP addresses the following considerations apply:
You set the egressIPs parameter of each node’s HostSubnet resource to indicate the IP addresses that can be hosted by a node.
Multiple egress IP addresses per namespace are supported.
If a namespace has multiple egress IP addresses and those addresses are hosted on multiple nodes, the following additional considerations apply:
If a pod is on a node that is hosting an egress IP address, that pod always uses the egress IP address on the node.
If a pod is not on a node that is hosting an egress IP address, that pod uses an egress IP address at random.
In OpenShift Container Platform you can enable automatic assignment of an egress IP address for a specific namespace across one or more nodes.
You have access to the cluster as a user with the cluster-admin role.
You have installed the OpenShift CLI (oc).
Update the NetNamespace object with the egress IP address using the following JSON:
$ oc patch netnamespace <project_name> --type=merge -p \
'{
"egressIPs": [
"<ip_address>"
]
}'
where:
<project_name>
Specifies the name of the project.
<ip_address>
Specifies one or more egress IP addresses for the egressIPs array.
For example, to assign project1 to an IP address of 192.168.1.100 and project2 to an IP address of 192.168.1.101:
$ oc patch netnamespace project1 --type=merge -p \
'{"egressIPs": ["192.168.1.100"]}'
$ oc patch netnamespace project2 --type=merge -p \
'{"egressIPs": ["192.168.1.101"]}'
Because OpenShift SDN manages the
Indicate which nodes can host egress IP addresses by setting the egressCIDRs parameter for each host using the following JSON:
$ oc patch hostsubnet <node_name> --type=merge -p \
'{
"egressCIDRs": [
"<ip_address_range>", "<ip_address_range>"
]
}'
where:
<node_name>
Specifies a node name.
<ip_address_range>
Specifies an IP address range in CIDR format. You can specify more than one address range for the egressCIDRs array.
For example, to set node1 and node2 to host egress IP addresses in the range 192.168.1.0 to 192.168.1.255:
$ oc patch hostsubnet node1 --type=merge -p \
'{"egressCIDRs": ["192.168.1.0/24"]}'
$ oc patch hostsubnet node2 --type=merge -p \
'{"egressCIDRs": ["192.168.1.0/24"]}'
OpenShift Container Platform automatically assigns specific egress IP addresses to available nodes in a balanced way. In this case, it assigns the egress IP address 192.168.1.100 to node1 and the egress IP address 192.168.1.101 to node2, or vice versa.
In OpenShift Container Platform you can associate one or more egress IP addresses with a namespace.
You have access to the cluster as a user with the cluster-admin role.
You have installed the OpenShift CLI (oc).
Update the NetNamespace object by specifying the following JSON object with the desired IP addresses:
$ oc patch netnamespace <project_name> --type=merge -p \
'{
"egressIPs": [
"<ip_address>"
]
}'
where:
<project_name>
Specifies the name of the project.
<ip_address>
Specifies one or more egress IP addresses for the egressIPs array.
For example, to assign the project1 project to the IP addresses 192.168.1.100 and 192.168.1.101:
$ oc patch netnamespace project1 --type=merge \
-p '{"egressIPs": ["192.168.1.100","192.168.1.101"]}'
To provide high availability, set the egressIPs value to two or more IP addresses on different nodes. If multiple egress IP addresses are set, then pods use all egress IP addresses roughly equally.
Because OpenShift SDN manages the
Manually assign the egress IP to the node hosts. Set the egressIPs parameter on the HostSubnet object on the node host. Using the following JSON, include as many IP addresses as you want to assign to that node host:
$ oc patch hostsubnet <node_name> --type=merge -p \
'{
"egressIPs": [
"<ip_address>",
"<ip_address>"
]
}'
where:
<node_name>
Specifies a node name.
<ip_address>
Specifies an IP address. You can specify more than one IP address for the egressIPs array.
For example, to specify that node1 should have the egress IPs 192.168.1.100, 192.168.1.101, and 192.168.1.102:
$ oc patch hostsubnet node1 --type=merge -p \
'{"egressIPs": ["192.168.1.100", "192.168.1.101", "192.168.1.102"]}'
In the previous example, all egress traffic for project1 will be routed to the node hosting the specified egress IP, and then connected through Network Address Translation (NAT) to that IP address.
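The following script is an added example and is not part of the OpenShift documentation or the product. It performs the pre-flight checks a cluster administrator would want to run before applying the patches from either the automatic assignment procedure (egressCIDRs on HostSubnet) or the manual assignment procedure (egressIPs on HostSubnet) above: it reports every NetNamespace egress IP that no node can host (which, as stated above, causes that namespace's egress traffic to be dropped), every egress IP outside the primary subnet of the node that would host it, and namespaces whose multiple egress IPs all land on a single node (so the high-availability advice above is not met). The NetNamespace and HostSubnet objects are modelled as plain dicts with the field names used on this page; the sample objects are constructed, and the hostIP field and the /24 prefix length of the node subnet are assumptions.

```python
"""Pre-flight validation of OpenShift SDN egress IP configuration.

Added example; not code from the OpenShift documentation. The dicts below
stand in for NetNamespace and HostSubnet objects (for instance fetched with
`oc get netnamespace -o json` / `oc get hostsubnet -o json`) and use only the
egressIPs and egressCIDRs fields described on the page plus an assumed hostIP
field for the node's primary address.
"""
import ipaddress

# Constructed sample NetNamespace objects (not real cluster data).
NETNAMESPACES = [
    {"name": "project1", "egressIPs": ["192.168.1.100", "192.168.1.101"]},
    {"name": "project2", "egressIPs": ["192.168.1.200"]},  # nobody hosts this one
    {"name": "project3", "egressIPs": ["10.0.0.5"]},       # hosted, but wrong subnet
]

# Constructed sample HostSubnet objects: node1 uses automatic assignment
# (egressCIDRs), node2 uses manual assignment (egressIPs).
HOSTSUBNETS = [
    {"name": "node1", "hostIP": "192.168.1.10", "egressCIDRs": ["192.168.1.96/27"]},
    {"name": "node2", "hostIP": "192.168.1.11", "egressIPs": ["192.168.1.101", "10.0.0.5"]},
]

NODE_PREFIX_LEN = 24  # assumed prefix length of the nodes' primary subnet


def hosting_nodes(ip, hostsubnets):
    """Return the names of nodes able to host `ip`, either because it is
    listed in the node's manual egressIPs or because it falls inside one of
    the node's automatic egressCIDRs ranges."""
    addr = ipaddress.ip_address(ip)
    nodes = []
    for hs in hostsubnets:
        manual = ip in hs.get("egressIPs", [])
        automatic = any(addr in ipaddress.ip_network(cidr)
                        for cidr in hs.get("egressCIDRs", []))
        if manual or automatic:
            nodes.append(hs["name"])
    return nodes


def check_egress_config(netnamespaces, hostsubnets, prefix_len=NODE_PREFIX_LEN):
    """Return a list of human-readable findings; an empty list means the
    configuration passes the checks described on the page."""
    findings = []
    # Primary subnet of each node, derived from its hostIP and the assumed prefix.
    node_subnet = {
        hs["name"]: ipaddress.ip_interface(f'{hs["hostIP"]}/{prefix_len}').network
        for hs in hostsubnets
    }
    for nn in netnamespaces:
        ips = nn.get("egressIPs", [])
        all_hosts = set()
        for ip in ips:
            nodes = hosting_nodes(ip, hostsubnets)
            if not nodes:
                findings.append(
                    f'{nn["name"]}: {ip} is hosted by no node; '
                    'egress traffic from the namespace would be dropped')
                continue
            all_hosts.update(nodes)
            # Egress IPs are added to the node's primary interface, so they
            # must sit in the same subnet as the node's primary IP address.
            for node in nodes:
                if ipaddress.ip_address(ip) not in node_subnet[node]:
                    findings.append(
                        f'{nn["name"]}: {ip} is outside the primary subnet '
                        f'{node_subnet[node]} of {node}')
        # Two or more egress IPs give high availability only if they can be
        # hosted on more than one node.
        if len(ips) >= 2 and len(all_hosts) == 1:
            findings.append(
                f'{nn["name"]}: all {len(ips)} egress IPs can only be hosted on '
                f'{next(iter(all_hosts))}; no node-level high availability')
    return findings


if __name__ == "__main__":
    for line in check_egress_config(NETNAMESPACES, HOSTSUBNETS):
        print(line)
```

Run it against the real objects by replacing the constructed lists with the `items` of the JSON that `oc get netnamespace -o json` and `oc get hostsubnet -o json` return (each item's `spec`/top-level fields carry `egressIPs`, `egressCIDRs` and `hostIP`). A namespace that shows up in the "hosted by no node" finding is exactly the case the page describes as silently dropping egress traffic, so it is worth running this before, rather than after, the netnamespace patch.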