mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
// Module included in the following assemblies:
//
// * networking/openshift_sdn/configuring-egress-firewall.adoc

[id="nw-egressnetworkpolicy-object_{context}"]
= EgressNetworkPolicy custom resource (CR)

You can define one or more rules for an egress firewall. A rule is either an `Allow` rule or a `Deny` rule, with a specification for the traffic that the rule applies to.

The following YAML describes an `EgressNetworkPolicy` CR:

[source,yaml,subs="attributes+"]
----
apiVersion: network.openshift.io/v1
kind: EgressNetworkPolicy
metadata:
  name: <name>
spec:
  egress:
  ...
----

where:

<name>:: Specifies the name for your egress firewall policy.
<egress>:: Specifies a collection of one or more egress network policy rules, as described in the following section.

[id="egressnetworkpolicy-rules_{context}"]
== EgressNetworkPolicy rules

A rule can match egress traffic by an IP address range in CIDR format, by a DNS domain name, or by a `nodeSelector`, and either allows or denies the traffic it matches. The `egress` stanza expects an array of one or more rule objects. The following YAML describes an egress firewall rule object:

[source,yaml,subs="attributes+"]
----
egress:
- type: <type>
  to:
    cidrSelector: <cidr_range>
    dnsName: <dns_name>
    nodeSelector:
      <label_name>: <label_value>
----

where:

<type>:: Specifies the type of rule. The value must be either `Allow` or `Deny`.
<to>:: Specifies a stanza describing an egress traffic match rule. The stanza specifies the `cidrSelector` field or the `dnsName` field; you cannot use both fields in the same rule.
<cidr_range>:: Specifies an IP address range in CIDR format.
<dns_name>:: Specifies a DNS domain name.
<label_name>: <label_value>:: Specifies labels, which are key and value pairs that the user defines. Labels are attached to objects, such as pods. The `nodeSelector` field selects one or more node labels so that the rule applies to the nodes that carry those labels.

// - OVN-Kubernetes does not support DNS
// - OpenShift SDN does not support port and protocol specification

[id="egressnetworkpolicy-example_{context}"]
== Example EgressNetworkPolicy CR objects

The following example defines two egress firewall rules: an `Allow` rule for one CIDR range, followed by a `Deny` rule that covers all other destinations:

[source,yaml,subs="attributes+"]
----
apiVersion: network.openshift.io/v1
kind: EgressNetworkPolicy
metadata:
  name: default
spec:
  egress:
  - type: Allow
    to:
      cidrSelector: 1.2.3.0/24
  - type: Deny
    to:
      cidrSelector: 0.0.0.0/0
----

where:

<egress>:: Specifies a collection of egress firewall policy rule objects.
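Added example, not part of the openshift-docs module: a small Python check for the rule constraints stated in the rules section (`type` is `Allow` or `Deny`, the `to` stanza names exactly one selector, and a `cidrSelector` is a well-formed CIDR range), followed by an ordered walk of the example CR above to see which rule a destination address hits. The policy dict is constructed here to mirror the example CR, and the first-match-in-order semantics in `first_match` is an assumption, not something this module states.

```python
import ipaddress

# Constructed sample mirroring the example CR above (a dict, so no YAML library is needed).
SAMPLE_POLICY = {
    "apiVersion": "network.openshift.io/v1",
    "kind": "EgressNetworkPolicy",
    "metadata": {"name": "default"},
    "spec": {"egress": [
        {"type": "Allow", "to": {"cidrSelector": "1.2.3.0/24"}},
        {"type": "Deny", "to": {"cidrSelector": "0.0.0.0/0"}},
    ]},
}

SELECTORS = ("cidrSelector", "dnsName", "nodeSelector")


def validate_rules(policy):
    """Return a list of problems with spec.egress; an empty list means the rules are well formed."""
    problems = []
    rules = policy.get("spec", {}).get("egress")
    if not isinstance(rules, list) or not rules:
        return ["spec.egress must be a non-empty list of rule objects"]
    for i, rule in enumerate(rules):
        if rule.get("type") not in ("Allow", "Deny"):
            problems.append(f"rule {i}: type must be Allow or Deny, got {rule.get('type')!r}")
        to = rule.get("to") or {}
        present = [key for key in SELECTORS if key in to]
        if len(present) != 1:  # a rule may carry only one selector (cidrSelector and dnsName never both)
            problems.append(f"rule {i}: 'to' must contain exactly one selector, found {present}")
        if "cidrSelector" in to:
            try:
                ipaddress.ip_network(to["cidrSelector"], strict=True)  # rejects host bits set
            except ValueError as exc:
                problems.append(f"rule {i}: invalid cidrSelector: {exc}")
    return problems


def first_match(policy, dest_ip):
    """Walk the rules top to bottom and return the type of the first CIDR rule covering dest_ip.
    Assumption: rules are evaluated in order and the first match wins. dnsName and nodeSelector
    rules are skipped because they cannot be resolved offline. Returns None if nothing matches."""
    ip = ipaddress.ip_address(dest_ip)
    for rule in policy["spec"]["egress"]:
        cidr = rule.get("to", {}).get("cidrSelector")
        if cidr and ip in ipaddress.ip_network(cidr, strict=False):
            return rule["type"]
    return None


if __name__ == "__main__":
    print(validate_rules(SAMPLE_POLICY), first_match(SAMPLE_POLICY, "1.2.3.4"))  # [] Allow
```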