Cloud Experts Documentation

Configure Network Policies and Egress Firewalls for a ROSA Cluster

Last edited
Published
Authors
Paul Czarkowski
Tags: egressfirewall networkpolicy OSD ROSA security

This content is authored by Red Hat experts, but has not yet been tested on every supported configuration.

It’s common to want to restrict network access between namespaces, as well as restricting where traffic can go outside of the cluster. OpenShift achieves this with the Network Policy and Egress Firewall resources.

It’s common to use these methods to restrict network traffic alongside Egress IP and other OpenShift and OVN-Kubernetes resources.

Prerequisites

Project Template

The first thing to do is create a Project Template that containes Network Policys and Egress Firewalls with default deny rules

  1. Create and Apply a Project template with default deny rules

    NOTE This template will ensure that any new projects have a default deny rule for egress, and a network policy that only allows traffic to come from an Ingress Controller

  2. Patch the project configuration to use the newly created Project Template

  3. Create a new Project to verify the policies

  4. Check for EgressFirewall

    you should see

  5. Check for NetworkPolicy

    you should see

Test the Network Policy

  1. Create a debug pod in the default namespace to use later

  2. Create a debug pod in the restricted namespace to use later

  3. Deploy a web service and expose it

  4. See if you can access the application via its Route (you should be able to)

    You should see

  5. See if you can access the application via its Route from the default namespace. (again you should be able to)

    You should see

  6. Now try to access the application via its local service from within the same pod (this should succeed due to the Network Policy)

    output

  7. Now try to access the application via its local service (this should fail due to the Network Policy)

    NOTE: To avoid waiting for a long timeout feel free to hit CTRL-C.

    output

Test the Egress Firewall

  1. Verify you can access an external website from the default namespace debug pod (this should work)

    output

  2. Verify that you cannot access an external website from the restricted namespace (this should fail)

    output

Interested in contributing to these docs?

Collaboration drives progress. Help improve our documentation The Red Hat Way.

GitHub Edit this page
Red Hat logo LinkedIn YouTube Facebook Twitter

Products

Tools

Try, buy & sell

Communicate

About Red Hat

We’re the world’s leading provider of enterprise open source solutions—including Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Subscribe to our newsletter, Red Hat Shares

Sign up now © 2023 Red Hat, Inc.