Deploying an egress router pod in redirect mode

As a cluster administrator, you can deploy an egress router pod that is configured to redirect traffic to specified destination IP addresses.

Egress router pod specification for redirect mode

Define the configuration for an egress router pod in the Pod object. The following YAML describes the fields for the configuration of an egress router pod in redirect mode:

  1. apiVersion: v1
  2. kind: Pod
  3. metadata:
  4.   name: egress-1
  5.   labels:
  6.     name: egress-1
  7.   annotations:
  8.     pod.network.openshift.io/assign-macvlan: "true" (1)
  9. spec:
  10.   initContainers:
  11.   - name: egress-router
  12.     image: openshift/origin-egress-router
  13.     securityContext:
  14.       privileged: true
  15.     env:
  16.     - name: EGRESS_SOURCE (2)
  17.       value: <egress_router>
  18.     - name: EGRESS_GATEWAY (3)
  19.       value: <egress_gateway>
  20.     - name: EGRESS_DESTINATION (4)
  21.       value: <egress_destination>
  22.     - name: EGRESS_ROUTER_MODE
  23.       value: init
  24.   containers:
  25.   - name: egress-router-wait
  26.     image: openshift/origin-pod
1Before starting the egress-router container, create a macvlan network interface on the primary network interface and move that interface into the pod network namespace. You must include the quotation marks around the “true” value. To create the macvlan interface on a network interface other than the primary one, set the annotation value to the name of that interface. For example, eth1.
2IP address from the physical network that the node is on that is reserved for use by the egress router pod. Optional: You can include the subnet length, the /24 suffix, so that a proper route to the local subnet is set. If you do not specify a subnet length, then the egress router can access only the host specified with the EGRESS_GATEWAY variable and no other hosts on the subnet.
3Same value as the default gateway used by the node.
4External server to direct traffic to. Using this example, connections to the pod are redirected to 203.0.113.25, with a source IP address of 192.168.12.99.

Example egress router Pod specification

  1. apiVersion: v1
  2. kind: Pod
  3. metadata:
  4.   name: egress-multi
  5.   labels:
  6.     name: egress-multi
  7.   annotations:
  8.     pod.network.openshift.io/assign-macvlan: "true"
  9. spec:
  10.   initContainers:
  11.   - name: egress-router
  12.     image: openshift/origin-egress-router
  13.     securityContext:
  14.       privileged: true
  15.     env:
  16.     - name: EGRESS_SOURCE
  17.       value: 192.168.12.99/24
  18.     - name: EGRESS_GATEWAY
  19.       value: 192.168.12.1
  20.     - name: EGRESS_DESTINATION
  21.       value: |
  22.         80   tcp 203.0.113.25
  23.         8080 tcp 203.0.113.26 80
  24.         8443 tcp 203.0.113.26 443
  25.         203.0.113.27
  26.     - name: EGRESS_ROUTER_MODE
  27.       value: init
  28.   containers:
  29.   - name: egress-router-wait
  30.     image: openshift/origin-pod

Egress destination configuration format

When an egress router pod is deployed in redirect mode, you can specify redirection rules by using one or more of the following formats:

  • <port> <protocol> <ip_address> - Incoming connections to the given <port> should be redirected to the same port on the given <ip_address>. <protocol> is either tcp or udp.

  • <port> <protocol> <ip_address> <remote_port> - As above, except that the connection is redirected to a different <remote_port> on <ip_address>.

  • <ip_address> - If the last line is a single IP address, then any connections on any other port will be redirected to the corresponding port on that IP address. If there is no fallback IP address then connections on other ports are rejected.

In the example that follows several rules are defined:

  • The first line redirects traffic from local port 80 to port 80 on 203.0.113.25.

  • The second and third lines redirect local ports 8080 and 8443 to remote ports 80 and 443 on 203.0.113.26.

  • The last line matches traffic for any ports not specified in the previous rules.

Example configuration

  1. 80   tcp 203.0.113.25
  2. 8080 tcp 203.0.113.26 80
  3. 8443 tcp 203.0.113.26 443
  4. 203.0.113.27

Deploying an egress router pod in redirect mode

In redirect mode, an egress router pod sets up iptables rules to redirect traffic from its own IP address to one or more destination IP addresses. Client pods that need to use the reserved source IP address must be modified to connect to the egress router rather than connecting directly to the destination IP.

Prerequisites

  • Install the OpenShift CLI (oc).

  • Log in as a user with cluster-admin privileges.

Procedure

  1. Create an egress router pod.

  2. To ensure that other pods can find the IP address of the egress router pod, create a service to point to the egress router pod, as in the following example:

    1. apiVersion: v1
    2. kind: Service
    3. metadata:
    4.   name: egress-1
    5. spec:
    6.   ports:
    7.   - name: http
    8.     port: 80
    9.   - name: https
    10.     port: 443
    11.   type: ClusterIP
    12.   selector:
    13.     name: egress-1

    Your pods can now connect to this service. Their connections are redirected to the corresponding ports on the external server, using the reserved egress IP address.

Additional resources