
blocking egress traffic globally on a specific interface

Hello,

I have an OpenShift cluster where each node has two interfaces: a public one for accessing the outside world, and another interface for an internal management network.

I would like to configure the firewall on all nodes so that the egress traffic of the pods can go through the public interface, but not to the management network. Basically I would like to globally add a firewall rule like "-I FORWARD -i tun0 -o eth1 -j DROP" (where eth1 is the interface of the management network).

I have been looking through the firewall rules as managed by OpenShift (origin 1.5), but it seems that the very first rule in the FORWARD table will accept all egress traffic:

  209 17556 ACCEPT     all  --  *      *       10.254.0.0/16        0.0.0.0/0           
  209 17556 ACCEPT     all  --  *      *       0.0.0.0/0            10.254.0.0/16       

(10.254.0.0/16 is the cluster network).

EgressNetworkPolicy is not an option because it does not work for global projects and projects with joined networks. I want to set this rule for all projects and all pods.

Any ideas?

Regards,
Miklos
