Hello,

I have an OpenShift cluster where each node has two interfaces: a public one for accessing the outside world, and another interface for an internal management network.

I would like to configure the firewall on all nodes so that the egress traffic of the pods can go through the public interface, but not to the management network. Basically I would like to globally add a firewall rule like "-I FORWARD -i tun0 -o eth1 -j DROP" (where eth1 is the interface of the management network).

I have been looking through the firewall rules as managed by OpenShift (Origin 1.5), but it seems that the very first rule in the FORWARD table will accept all egress traffic:

    209 17556 ACCEPT all -- * * 10.254.0.0/16 0.0.0.0/0
    209 17556 ACCEPT all -- * * 0.0.0.0/0 10.254.0.0/16

(10.254.0.0/16 is the cluster network.)

EgressNetworkPolicy is not an option because it does not work for global projects and projects with joined networks. I want to set this rule for all projects and all pods.

Any ideas?

Regards,
Miklos
_______________________________________________ users mailing list [email protected] http://lists.openshift.redhat.com/openshiftmm/listinfo/users
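The question above turns on rule ordering: iptables stops at the first matching rule in a chain, so a DROP inserted after OpenShift's two cluster-network ACCEPT rules never fires, while the same rule inserted at position 1 does. The script below is an added example (not from the original post, and not part of OpenShift) that inserts the poster's rule at the head of FORWARD idempotently and then checks, from `iptables -S FORWARD` output, that the DROP really precedes the first ACCEPT for the cluster CIDR. It assumes the interface names tun0 and eth1 and the cluster network 10.254.0.0/16 from the post; the sample chain listing in the usage note is constructed. `IPTABLES` can be overridden (for example `IPTABLES=echo`) to dry-run the commands without root.

```shell
#!/bin/sh
# Added example: put a pod->management DROP ahead of OpenShift's
# cluster-network ACCEPT rules in the filter table's FORWARD chain,
# then verify the ordering from an `iptables -S FORWARD` listing.

IPTABLES="${IPTABLES:-iptables}"   # override with IPTABLES=echo for a dry run
POD_IF="${POD_IF:-tun0}"           # assumption: the SDN's pod-side interface
MGMT_IF="${MGMT_IF:-eth1}"         # assumption: the management-network interface

# Insert the DROP rule at position 1 of FORWARD. If an identical rule is
# already present (-C succeeds), delete it first so re-running the script
# after the SDN has re-synced its rules moves ours back to the top instead
# of accumulating duplicates further down the chain.
add_drop_rule() {
    if "$IPTABLES" -C FORWARD -i "$POD_IF" -o "$MGMT_IF" -j DROP 2>/dev/null; then
        "$IPTABLES" -D FORWARD -i "$POD_IF" -o "$MGMT_IF" -j DROP
    fi
    "$IPTABLES" -I FORWARD 1 -i "$POD_IF" -o "$MGMT_IF" -j DROP
}

# Read `iptables -S FORWARD` output on stdin. Print the 1-based position of
# our DROP rule and of the first ACCEPT that mentions the cluster CIDR ($1),
# and exit 0 only if the DROP comes first (or no such ACCEPT exists).
# Only "-A FORWARD" lines count as rules; the "-P FORWARD" policy line does not.
check_order() {
    awk -v pod="$POD_IF" -v mgmt="$MGMT_IF" -v cidr="$1" '
        /^-A FORWARD/ { n++ }
        /^-A FORWARD/ && $0 ~ ("-i " pod " -o " mgmt " -j DROP") && !drop { drop = n }
        /^-A FORWARD/ && index($0, cidr) && /-j ACCEPT/ && !accept { accept = n }
        END {
            printf "drop=%d accept=%d\n", drop, accept
            exit !(drop > 0 && (accept == 0 || drop < accept))
        }'
}

# Invoked as `sh this.sh apply` on a node: insert the rule and report the
# resulting order. Sourcing the file without arguments runs nothing.
if [ "${1:-}" = "apply" ]; then
    add_drop_rule
    "$IPTABLES" -S FORWARD | check_order "${CLUSTER_CIDR:-10.254.0.0/16}"
fi
```

Run it as root on every node (`sh this.sh apply`), and re-run the check after a node or openshift-sdn restart: the SDN owns the ACCEPT rules and re-syncs them itself, so if it puts them back at the head of the chain the DROP would silently stop matching, which is exactly what `check_order` reports. Like any rule added with `iptables -I`, this one does not survive a reboot on its own; it needs whatever iptables persistence the nodes already use.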
