Egress Block but allow intra cluster communication

I needed to produce a network policy that would allow egress to a single server (for back ups) but otherwise restricted all egress traffic to staying in the cluster.

egress traffic is traffic that starts in side the namespace

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-external-egress
spec:
  egress:
  - to:
    - ipBlock:
        cidr: BACKUPSERVER/32
    - ipBlock:
        cidr: 172.21.0.0/16
    - ipBlock:
        cidr: 10.0.0.0/16
    - ipBlock:
        cidr: OCPExLB/32
  podSelector: {}
  policyTypes:
    - egress

BACKUPSERVER was the SFTP server IP that we were connecting to. This needs to be replaced with an IP Address
OCPExLB was the IP of the external Load Balancer for OCP
172.21.0.0/16 is the service network
10.0.0.0/16 is the pod network network

Chris Phillips’ Blog - API, Integration and Governance

Home

About

Search

Categories

Guest Authors

Egress Block but allow intra cluster communication

ABOUT	APICONNECT	API	DATAPOWER	OPENSHIFT	EVENTSTREAMS	INTEGRATION	DAY2-OPS	ACE
*All opinions expressed here are very much my own or of the author of the article, not those of IBM. All Code provided is provide as is with no support unless otherwise stated.*