Search

Chapter 6. EgressFirewall [k8s.ovn.org/v1]

download PDF
Description
EgressFirewall describes the current egress firewall for a Namespace. Traffic from a pod to an IP address outside the cluster will be checked against each EgressFirewallRule in the pod’s namespace’s EgressFirewall, in order. If no rule matches (or no EgressFirewall is present) then the traffic will be allowed by default.
Type
object
Required
  • spec

6.1. Specification

PropertyTypeDescription

apiVersion

string

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

kind

string

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

metadata

ObjectMeta

Standard object’s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata

spec

object

Specification of the desired behavior of EgressFirewall.

status

object

Observed status of EgressFirewall

6.1.1. .spec

Description
Specification of the desired behavior of EgressFirewall.
Type
object
Required
  • egress
PropertyTypeDescription

egress

array

a collection of egress firewall rule objects

egress[]

object

EgressFirewallRule is a single egressfirewall rule object

6.1.2. .spec.egress

Description
a collection of egress firewall rule objects
Type
array

6.1.3. .spec.egress[]

Description
EgressFirewallRule is a single egressfirewall rule object
Type
object
Required
  • to
  • type
PropertyTypeDescription

ports

array

ports specify what ports and protocols the rule applies to

ports[]

object

EgressFirewallPort specifies the port to allow or deny traffic to

to

object

to is the target that traffic is allowed/denied to

type

string

type marks this as an "Allow" or "Deny" rule

6.1.4. .spec.egress[].ports

Description
ports specify what ports and protocols the rule applies to
Type
array

6.1.5. .spec.egress[].ports[]

Description
EgressFirewallPort specifies the port to allow or deny traffic to
Type
object
Required
  • port
  • protocol
PropertyTypeDescription

port

integer

port that the traffic must match

protocol

string

protocol (tcp, udp, sctp) that the traffic must match.

6.1.6. .spec.egress[].to

Description
to is the target that traffic is allowed/denied to
Type
object
PropertyTypeDescription

cidrSelector

string

cidrSelector is the CIDR range to allow/deny traffic to. If this is set, dnsName and nodeSelector must be unset.

dnsName

string

dnsName is the domain name to allow/deny traffic to. If this is set, cidrSelector and nodeSelector must be unset. For a wildcard DNS name, the '' will match only one label. Additionally, only a single '' can be used at the beginning of the wildcard DNS name. For example, '*.example.com' will match 'sub1.example.com' but won’t match 'sub2.sub1.example.com'

nodeSelector

object

nodeSelector will allow/deny traffic to the Kubernetes node IP of selected nodes. If this is set, cidrSelector and DNSName must be unset.

6.1.7. .spec.egress[].to.nodeSelector

Description
nodeSelector will allow/deny traffic to the Kubernetes node IP of selected nodes. If this is set, cidrSelector and DNSName must be unset.
Type
object
PropertyTypeDescription

matchExpressions

array

matchExpressions is a list of label selector requirements. The requirements are ANDed.

matchExpressions[]

object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

matchLabels

object (string)

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

6.1.8. .spec.egress[].to.nodeSelector.matchExpressions

Description
matchExpressions is a list of label selector requirements. The requirements are ANDed.
Type
array

6.1.9. .spec.egress[].to.nodeSelector.matchExpressions[]

Description
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
Type
object
Required
  • key
  • operator
PropertyTypeDescription

key

string

key is the label key that the selector applies to.

operator

string

operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values

array (string)

values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

6.1.10. .status

Description
Observed status of EgressFirewall
Type
object
PropertyTypeDescription

messages

array (string)

 

status

string

 

6.2. API endpoints

The following API endpoints are available:

  • /apis/k8s.ovn.org/v1/egressfirewalls

    • GET: list objects of kind EgressFirewall
  • /apis/k8s.ovn.org/v1/namespaces/{namespace}/egressfirewalls

    • DELETE: delete collection of EgressFirewall
    • GET: list objects of kind EgressFirewall
    • POST: create an EgressFirewall
  • /apis/k8s.ovn.org/v1/namespaces/{namespace}/egressfirewalls/{name}

    • DELETE: delete an EgressFirewall
    • GET: read the specified EgressFirewall
    • PATCH: partially update the specified EgressFirewall
    • PUT: replace the specified EgressFirewall
  • /apis/k8s.ovn.org/v1/namespaces/{namespace}/egressfirewalls/{name}/status

    • GET: read status of the specified EgressFirewall
    • PATCH: partially update status of the specified EgressFirewall
    • PUT: replace status of the specified EgressFirewall

6.2.1. /apis/k8s.ovn.org/v1/egressfirewalls

HTTP method
GET
Description
list objects of kind EgressFirewall
Table 6.1. HTTP responses
HTTP codeReponse body

200 - OK

EgressFirewallList schema

401 - Unauthorized

Empty

6.2.2. /apis/k8s.ovn.org/v1/namespaces/{namespace}/egressfirewalls

HTTP method
DELETE
Description
delete collection of EgressFirewall
Table 6.2. HTTP responses
HTTP codeReponse body

200 - OK

Status schema

401 - Unauthorized

Empty

HTTP method
GET
Description
list objects of kind EgressFirewall
Table 6.3. HTTP responses
HTTP codeReponse body

200 - OK

EgressFirewallList schema

401 - Unauthorized

Empty

HTTP method
POST
Description
create an EgressFirewall
Table 6.4. Query parameters
ParameterTypeDescription

dryRun

string

When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed

fieldValidation

string

fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.

Table 6.5. Body parameters
ParameterTypeDescription

body

EgressFirewall schema

 
Table 6.6. HTTP responses
HTTP codeReponse body

200 - OK

EgressFirewall schema

201 - Created

EgressFirewall schema

202 - Accepted

EgressFirewall schema

401 - Unauthorized

Empty

6.2.3. /apis/k8s.ovn.org/v1/namespaces/{namespace}/egressfirewalls/{name}

Table 6.7. Global path parameters
ParameterTypeDescription

name

string

name of the EgressFirewall

HTTP method
DELETE
Description
delete an EgressFirewall
Table 6.8. Query parameters
ParameterTypeDescription

dryRun

string

When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed

Table 6.9. HTTP responses
HTTP codeReponse body

200 - OK

Status schema

202 - Accepted

Status schema

401 - Unauthorized

Empty

HTTP method
GET
Description
read the specified EgressFirewall
Table 6.10. HTTP responses
HTTP codeReponse body

200 - OK

EgressFirewall schema

401 - Unauthorized

Empty

HTTP method
PATCH
Description
partially update the specified EgressFirewall
Table 6.11. Query parameters
ParameterTypeDescription

dryRun

string

When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed

fieldValidation

string

fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.

Table 6.12. HTTP responses
HTTP codeReponse body

200 - OK

EgressFirewall schema

401 - Unauthorized

Empty

HTTP method
PUT
Description
replace the specified EgressFirewall
Table 6.13. Query parameters
ParameterTypeDescription

dryRun

string

When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed

fieldValidation

string

fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.

Table 6.14. Body parameters
ParameterTypeDescription

body

EgressFirewall schema

 
Table 6.15. HTTP responses
HTTP codeReponse body

200 - OK

EgressFirewall schema

201 - Created

EgressFirewall schema

401 - Unauthorized

Empty

6.2.4. /apis/k8s.ovn.org/v1/namespaces/{namespace}/egressfirewalls/{name}/status

Table 6.16. Global path parameters
ParameterTypeDescription

name

string

name of the EgressFirewall

HTTP method
GET
Description
read status of the specified EgressFirewall
Table 6.17. HTTP responses
HTTP codeReponse body

200 - OK

EgressFirewall schema

401 - Unauthorized

Empty

HTTP method
PATCH
Description
partially update status of the specified EgressFirewall
Table 6.18. Query parameters
ParameterTypeDescription

dryRun

string

When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed

fieldValidation

string

fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.

Table 6.19. HTTP responses
HTTP codeReponse body

200 - OK

EgressFirewall schema

401 - Unauthorized

Empty

HTTP method
PUT
Description
replace status of the specified EgressFirewall
Table 6.20. Query parameters
ParameterTypeDescription

dryRun

string

When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed

fieldValidation

string

fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.

Table 6.21. Body parameters
ParameterTypeDescription

body

EgressFirewall schema

 
Table 6.22. HTTP responses
HTTP codeReponse body

200 - OK

EgressFirewall schema

201 - Created

EgressFirewall schema

401 - Unauthorized

Empty

Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.