Deploying an egress router pod in DNS proxy mode

As a cluster administrator, you can deploy an egress router pod configured to proxy traffic to specified DNS names and IP addresses.

Egress router pod specification for DNS mode

Define the configuration for an egress router pod in the Pod object. The following YAML describes the fields for the configuration of an egress router pod in DNS mode:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: egress-1
  labels:
    name: egress-1
  annotations:
    pod.network.openshift.io/assign-macvlan: "true"  # (1)
spec:
  initContainers:
  - name: egress-router
    image: openshift/origin-egress-router
    securityContext:
      privileged: true
    env:
    - name: EGRESS_SOURCE  # (2)
      value: <egress-router>
    - name: EGRESS_GATEWAY  # (3)
      value: <egress-gateway>
    - name: EGRESS_ROUTER_MODE
      value: dns-proxy
  containers:
  - name: egress-router-pod
    image: openshift/origin-egress-dns-proxy
    securityContext:
      privileged: true
    env:
    - name: EGRESS_DNS_PROXY_DESTINATION  # (4)
      value: |-
        ...
    - name: EGRESS_DNS_PROXY_DEBUG  # (5)
      value: "1"
    ...
```
(1) The annotation tells OKD to create a macvlan network interface on the primary network interface controller (NIC) and move that macvlan interface into the pod's network namespace. You must include the quotation marks around the "true" value. To have OKD create the macvlan interface on a different NIC, set the annotation value to the name of that interface, for example eth1.
(2) An IP address on the physical network that the node is attached to, reserved for use by the egress router pod. Optional: include the subnet length (for example, the /24 suffix) so that a proper route to the local subnet is set. If you do not specify a subnet length, the egress router can reach only the host specified with the EGRESS_GATEWAY variable and no other hosts on the subnet.
(3) The same value as the default gateway used by the node.
(4) A list of one or more proxy destinations.
(5) Optional: set this to write the DNS proxy log output to stdout.

Egress destination configuration format

When the router is deployed in DNS proxy mode, you specify a list of port and destination mappings. A destination may be either an IP address or a DNS name.

An egress router pod supports the following formats for specifying port and destination mappings:

Port and remote address

You can specify a source port and a destination host by using the two-field format: <port> <remote_address>.

The host can be an IP address or a DNS name. If a DNS name is provided, DNS resolution occurs at runtime. For a given host, the proxy listens on the source port and connects to the destination host on that same port number.

Port and remote address pair example

```
80 172.16.12.11
100 example.com
```

Port, remote address, and remote port

You can specify a source port, a destination host, and a destination port by using the three-field format: <port> <remote_address> <remote_port>.

The three-field format behaves identically to the two-field version, except that the destination port can differ from the source port.

Port, remote address, and remote port example

```
8080 192.168.60.252 80
8443 web.example.com 443
```

Deploying an egress router pod in DNS proxy mode

In DNS proxy mode, an egress router pod acts as a DNS proxy for TCP-based services from its own IP address to one or more destination IP addresses.

Prerequisites

  • Install the OpenShift CLI (oc).

  • Log in as a user with cluster-admin privileges.

Procedure

  1. Create an egress router pod.

  2. Create a service for the egress router pod:

    1. Create a file named egress-router-service.yaml that contains the following YAML. Set spec.ports to the list of ports that you defined previously for the EGRESS_DNS_PROXY_DESTINATION environment variable.

      ```yaml
      apiVersion: v1
      kind: Service
      metadata:
        name: egress-dns-svc
      spec:
        ports:
        ...
        type: ClusterIP
        selector:
          name: egress-dns-proxy
      ```

      For example:

      ```yaml
      apiVersion: v1
      kind: Service
      metadata:
        name: egress-dns-svc
      spec:
        ports:
        - name: con1
          protocol: TCP
          port: 80
          targetPort: 80
        - name: con2
          protocol: TCP
          port: 100
          targetPort: 100
        type: ClusterIP
        selector:
          name: egress-dns-proxy
      ```

    2. To create the service, enter the following command:

      ```
      $ oc create -f egress-router-service.yaml
      ```

      Pods can now connect to this service. The connections are proxied to the corresponding ports on the external server, using the reserved egress IP address.
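The destination list in EGRESS_DNS_PROXY_DESTINATION and the spec.ports of the Service have to agree: every source port in the list must appear as a TCP port (with matching targetPort) on the Service, or pods will be unable to reach that mapping. The following script, added here as an example and not part of the OKD documentation or the egress router image, parses a destination value in both the two-field and three-field formats described above, rejects malformed lines (non-numeric or out-of-range ports, remote addresses that are neither an IP literal nor a DNS name, duplicate source ports), and derives the spec.ports entries the Service must carry. The sample destination value is constructed from the examples on this page; the con1/con2 naming follows the Service example.

```python
"""Validate an EGRESS_DNS_PROXY_DESTINATION value and derive the matching
Service spec.ports entries (added example, not part of the OKD documentation)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# RFC 1123 hostname label: alphanumerics and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


@dataclass(frozen=True)
class Mapping:
    port: int          # source port the proxy listens on
    remote: str        # destination IP address or DNS name
    remote_port: int   # destination port (equals port in the two-field form)
    is_ip: bool        # True when remote is an IP literal, False for a DNS name


def _check_port(text: str, what: str) -> int:
    """Parse a port field and enforce the 1-65535 range."""
    if not text.isdigit():
        raise ValueError(f"{what} {text!r} is not a number")
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError(f"{what} {port} is out of range 1-65535")
    return port


def _check_remote(text: str) -> bool:
    """Return True for an IP literal, False for a syntactically valid DNS name."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        pass
    labels = text.rstrip(".").split(".")
    if len(text) > 253 or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"remote address {text!r} is neither an IP nor a DNS name")
    return False


def parse_destinations(value: str) -> list[Mapping]:
    """Parse the multi-line destination value.

    Each non-empty line is '<port> <remote_address>' or
    '<port> <remote_address> <remote_port>'. A source port may only be listed
    once, because the proxy can bind each listening port a single time.
    """
    mappings: list[Mapping] = []
    seen_ports: set[int] = set()
    for lineno, raw in enumerate(value.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) not in (2, 3):
            raise ValueError(f"line {lineno}: expected 2 or 3 fields, got {len(fields)}")
        port = _check_port(fields[0], f"line {lineno}: source port")
        is_ip = _check_remote(fields[1])
        remote_port = (_check_port(fields[2], f"line {lineno}: remote port")
                       if len(fields) == 3 else port)
        if port in seen_ports:
            raise ValueError(f"line {lineno}: source port {port} is listed twice")
        seen_ports.add(port)
        mappings.append(Mapping(port, fields[1], remote_port, is_ip))
    return mappings


def service_ports(mappings: list[Mapping]) -> list[dict]:
    """Build spec.ports for the Service: one TCP entry per source port.

    port and targetPort are both the source port, because that is the port the
    egress router pod listens on; the remote port is the proxy's business."""
    return [
        {"name": f"con{i}", "protocol": "TCP", "port": m.port, "targetPort": m.port}
        for i, m in enumerate(mappings, start=1)
    ]


# Constructed sample value combining the two-field and three-field examples.
SAMPLE_DESTINATIONS = """\
80 172.16.12.11
100 example.com
8443 web.example.com 443
"""

if __name__ == "__main__":
    parsed = parse_destinations(SAMPLE_DESTINATIONS)
    for m in parsed:
        kind = "ip" if m.is_ip else "dns (resolved at runtime)"
        print(f"listen {m.port} -> {m.remote}:{m.remote_port} [{kind}]")
    for entry in service_ports(parsed):
        print(entry)
```

Run it before creating the Service and paste the generated entries under spec.ports. Two things the script cannot check for you: the selector on the Service must match the metadata.labels on the egress router pod, and a DNS name is only validated syntactically here, since the proxy resolves it at runtime and a name that does not resolve surfaces as a connection failure, not as a deployment error.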

Additional resources