Egress IP for OpenShift

Zhimin Wen
3 min read · Sep 28, 2022
Image by Hands off my tags! Michael Gaida from Pixabay

By default, outgoing traffic from pods leaves the cluster with the hosting node's IP address as the source, via NAT. Sometimes the destination is protected by a firewall, or by the application itself, so that only a fixed set of source IPs is allowed in. For this scenario you can control the egress traffic of the pods by setting an egress IP for their namespace.

Testing program

Let's create a toy program that prints the client IP address, using the following Go HTTP handler.

package main

import (
	"fmt"
	"net/http"
	"net/http/httputil"
)

// dump writes the client's remote address (as seen by this server) and the raw request back to the caller.
func dump(w http.ResponseWriter, r *http.Request) {
	dump, err := httputil.DumpRequest(r, true)
	fmt.Fprintf(w, "IP: %s\n", r.RemoteAddr)
	if err != nil {
		fmt.Fprintf(w, "failed to dump request: %s", err)
	} else {
		fmt.Fprintf(w, "request: %s", dump)
	}
}

func main() {
	http.ListenAndServe(":8080", http.HandlerFunc(dump))
}

Compile it and run it outside the OCP cluster, so that the address it reports is the one the cluster's egress traffic actually carries.

Set an egress IP for a namespace

Identify a free IP address in the same subnet as the OCP nodes, say 192.168.10.60, then set it as the egress IP for a namespace.

oc new-project egress
oc patch netnamespace egress --type=merge -p '{"egressIPs": ["192.168.10.60"]}'

Set a node to host the egress IP
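Putting the steps together, here is an added script (my own, not the author's) that pre-checks the candidate address against the node subnet, applies the namespace and node settings, and then verifies what the dump server above actually sees from a pod. The namespace `egress` and the IP 192.168.10.60 come from the post; the node CIDR 192.168.10.0/24, the node name `worker-0`, the test server URL and the pod image are assumptions or placeholders. The HostSubnet patch is the standard OpenShift SDN step for the node side (the post's own text for that step is not reproduced above). Note that `netnamespace` and `hostsubnet` exist only with the OpenShift SDN plugin; with OVN-Kubernetes the namespace is selected by an `EgressIP` custom resource instead.

```shell
#!/bin/sh
# Added example, not from the original post. Usage: sh egress.sh apply
# (requires an oc login); without "apply" only the helper functions are defined.

EGRESS_IP=${EGRESS_IP:-192.168.10.60}            # free IP in the node subnet (from the post)
NODE_CIDR=${NODE_CIDR:-192.168.10.0/24}          # assumption: the OCP node subnet
EGRESS_NODE=${EGRESS_NODE:-worker-0}             # placeholder: node that will hold the IP
TEST_URL=${TEST_URL:-http://192.168.10.5:8080/}  # placeholder: where the dump server listens
NAMESPACE=egress

# Convert a dotted-quad IPv4 address to a 32-bit integer (POSIX sh arithmetic).
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if IP lies inside CIDR, e.g. in_subnet 192.168.10.60 192.168.10.0/24
in_subnet() {
    ip=$1
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Parse the "IP: a.b.c.d:port" line the dump handler writes and compare the
# address with the egress IP the firewall is expected to see.
check_source_ip() {
    response=$1
    expected=$2
    observed=$(printf '%s\n' "$response" | sed -n 's/^IP: \([0-9.]*\):[0-9]*$/\1/p')
    [ -n "$observed" ] && [ "$observed" = "$expected" ]
}

apply_egress_ip() {
    in_subnet "$EGRESS_IP" "$NODE_CIDR" || {
        echo "egress IP $EGRESS_IP is not inside node subnet $NODE_CIDR" >&2
        return 1
    }
    oc new-project "$NAMESPACE" >/dev/null 2>&1 || oc project "$NAMESPACE"
    # Namespace side: pods in this NetNamespace are SNATed to the egress IP.
    oc patch netnamespace "$NAMESPACE" --type=merge -p "{\"egressIPs\": [\"$EGRESS_IP\"]}"
    # Node side (OpenShift SDN): the HostSubnet of the node that will answer for the IP.
    oc patch hostsubnet "$EGRESS_NODE" --type=merge -p "{\"egressIPs\": [\"$EGRESS_IP\"]}"
}

verify_egress_ip() {
    # Run a throwaway pod in the namespace and fetch the dump server's response.
    response=$(oc run -n "$NAMESPACE" egress-check --rm -i --restart=Never \
        --image=registry.access.redhat.com/ubi8/ubi -- curl -s "$TEST_URL")
    if check_source_ip "$response" "$EGRESS_IP"; then
        echo "OK: server saw source $EGRESS_IP"
    else
        echo "MISMATCH, server reported: $response" >&2
        return 1
    fi
}

if [ "${1:-}" = "apply" ]; then
    apply_egress_ip && verify_egress_ip
fi
```

The subnet check is there because an egress IP outside the node subnet is silently unreachable: the node answers ARP for it on its own L2 segment, so nothing routes to it from elsewhere. The verification step is the one worth keeping in a pipeline; if a later change (plugin migration, node drain, a second namespace claiming the same IP) drops the assignment, the firewall allow-list stops matching and the first symptom is an outbound timeout.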
