The EgressFirewall feature enables a cluster administrator to limit the external hosts that a pod in a project can access. The EgressFirewall object rules apply to all pods that share the namespace with the egressfirewall object. A namespace only supports having one EgressFirewallObject.
The yaml below is an example of a simple egressFirewall object
kind: EgressFirewall apiVersion: k8s.ovn.org/v1 metadata: name: default namespace: default spec: egress: - type: Allow to: cidrSelector: 220.127.116.11/24 - type: Allow to: cidrSelector: 18.104.22.168/24 ports: - protocol: UDP port: 55 - type: Deny to: cidrSelector: 0.0.0.0/0
This example allows Pods in the default namespace to connect to any external host within the range 22.214.171.124 to 126.96.36.199 and in addtion allows traffic to 188.8.131.52 to 184.108.40.206 only for the UDP protocol on port number 55 and denies traffic to all other external hosts. The ports section is optional and allows the user to specify specific ports to and protocols to allow or deny traffic.
The priority of a rule is determined by its placement in the egress array. An earlier rule is processed before a later rule. In the previous example, if the rules are reversed, all traffic is denied, including any traffic to hosts in the 220.127.116.11/24 CIDR block.