As a cluster administrator, you can modify network traffic rules for an existing egress firewall.

Editing an EgressNetworkPolicy object

As a cluster administrator, you can update the egress firewall for a project.

Prerequisites
  • A cluster using the OpenShift SDN network plug-in.

  • Install the OpenShift CLI (oc).

  • You must log in to the cluster as a cluster administrator.

Procedure

To edit an existing egress network policy object for a project, complete the following steps:

  1. Find the name of the EgressNetworkPolicy object for the project. Replace <project> with the name of the project.

    $ oc get -n <project> egressnetworkpolicy
  2. Optional: If you did not save a copy of the EgressNetworkPolicy object when you created the egress network firewall, enter the following command to create a copy.

    $ oc get -n <project> \ (1)
      egressnetworkpolicy <name> \ (2)
      -o yaml > <filename>.yaml (3)
    1 Replace <project> with the name of the project.
    2 Replace <name> with the name of the object.
    3 Replace <filename> with the name of the file to save the YAML.
  3. Enter the following command to replace the EgressNetworkPolicy object. Replace <filename> with the name of the file containing the updated EgressNetworkPolicy object.

    $ oc replace -f <filename>.yaml

EgressNetworkPolicy custom resource (CR) object

The following YAML describes an EgressNetworkPolicy CR object:

apiVersion: network.openshift.io/v1
kind: EgressNetworkPolicy
metadata:
  name: <name> (1)
spec:
  egress: (2)
    ...
1 Specify a name for your egress firewall policy.
2 Specify a collection of one or more egress network policy rules as described in the following section.

EgressNetworkPolicy rules

The following YAML describes an egress firewall rule object. The egress key expects an array of one or more objects.

egress:
- type: <type> (1)
  to: (2)
    cidrSelector: <cidr> (3)
    dnsName: <dns-name> (4)
1 Specify the type of rule. The value must be either Allow or Deny.
2 Specify a value for either the cidrSelector key or the dnsName key for the rule. You cannot use both keys in a rule.
3 Specify an IP address range in CIDR format.
4 Specify a domain name.

Example EgressNetworkPolicy CR object

The following example defines several egress firewall policy rules:

apiVersion: network.openshift.io/v1
kind: EgressNetworkPolicy
metadata:
  name: default-rules (1)
spec:
  egress: (2)
  - type: Allow
    to:
      cidrSelector: 1.2.3.0/24
  - type: Allow
    to:
      dnsName: www.example.com
  - type: Deny
    to:
      cidrSelector: 0.0.0.0/0
1 The name for the policy object.
2 A collection of egress firewall policy rule objects.
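To make the rule constraints above concrete (type must be Allow or Deny, exactly one of cidrSelector or dnsName per rule, a valid CIDR), here is an added Python example that is not part of the OpenShift documentation or product: it validates a policy object with the same shape as the example above and walks the rules in order to report which rule a destination would hit. The policy is constructed inline as a dict equivalent to the example YAML (a real check would load the file saved by oc get -o yaml), and first-match evaluation and the simplified name/IP matching are assumptions of this example.

```python
import ipaddress

# Constructed in-code equivalent of the page's example EgressNetworkPolicy.
EXAMPLE_POLICY = {
    "apiVersion": "network.openshift.io/v1",
    "kind": "EgressNetworkPolicy",
    "metadata": {"name": "default-rules"},
    "spec": {"egress": [
        {"type": "Allow", "to": {"cidrSelector": "1.2.3.0/24"}},
        {"type": "Allow", "to": {"dnsName": "www.example.com"}},
        {"type": "Deny", "to": {"cidrSelector": "0.0.0.0/0"}},
    ]},
}


def validate_policy(policy):
    """Return a list of problems; an empty list means the object matches the documented shape."""
    problems = []
    if policy.get("kind") != "EgressNetworkPolicy":
        problems.append("kind must be EgressNetworkPolicy")
    rules = policy.get("spec", {}).get("egress")
    if not isinstance(rules, list) or not rules:
        return problems + ["spec.egress must be a non-empty array of rules"]
    for i, rule in enumerate(rules):
        if rule.get("type") not in ("Allow", "Deny"):
            problems.append(f"rule {i}: type must be Allow or Deny")
        to = rule.get("to", {})
        # Exactly one selector per rule: cidrSelector or dnsName, never both, never neither.
        if len({"cidrSelector", "dnsName"} & set(to)) != 1:
            problems.append(f"rule {i}: specify exactly one of cidrSelector or dnsName")
        if "cidrSelector" in to:
            try:
                ipaddress.ip_network(to["cidrSelector"], strict=False)
            except ValueError:
                problems.append(f"rule {i}: cidrSelector {to['cidrSelector']!r} is not valid CIDR")
    return problems


def decide(policy, ip=None, dns_name=None):
    """Return the type (Allow/Deny) of the first rule matching the destination, or None.

    Assumption of this example: rules are evaluated top to bottom and the first match wins;
    an IP is matched only against cidrSelector rules and a name only against dnsName rules.
    """
    for rule in policy["spec"]["egress"]:
        to = rule["to"]
        if ip is not None and "cidrSelector" in to:
            if ipaddress.ip_address(ip) in ipaddress.ip_network(to["cidrSelector"], strict=False):
                return rule["type"]
        if dns_name is not None and "dnsName" in to and dns_name.lower() == to["dnsName"].lower():
            return rule["type"]
    return None
```

Run validate_policy over a saved policy before oc replace to catch a malformed rule, and decide to confirm that the trailing Deny 0.0.0.0/0 still catches everything not explicitly allowed.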