Deploying an egress router pod in DNS proxy mode
As a cluster administrator, you can deploy an egress router pod configured to proxy traffic to specified DNS names and IP addresses.
Egress router pod specification for DNS mode
Define the configuration for an egress router pod in the Pod
object. The following YAML describes the fields for the configuration of an egress router pod in DNS mode:
apiVersion: v1
kind: Pod
metadata:
name: egress-1
labels:
name: egress-1
annotations:
pod.network.openshift.io/assign-macvlan: "true" (1)
spec:
initContainers:
- name: egress-router
image: openshift/origin-egress-router
securityContext:
privileged: true
env:
- name: EGRESS_SOURCE (2)
value: <egress-router>
- name: EGRESS_GATEWAY (3)
value: <egress-gateway>
- name: EGRESS_ROUTER_MODE
value: dns-proxy
containers:
- name: egress-router-pod
image: openshift/origin-egress-dns-proxy
securityContext:
privileged: true
env:
- name: EGRESS_DNS_PROXY_DESTINATION (4)
value: |-
...
- name: EGRESS_DNS_PROXY_DEBUG (5)
value: "1"
...
1 | The annotation tells OKD to create a macvlan network interface on the primary network interface controller (NIC) and move that macvlan interface into the pod’s network namespace. You must include the quotation marks around the “true” value. To have OKD create the macvlan interface on a different NIC interface, set the annotation value to the name of that interface. For example, eth1 . |
2 | IP address from the physical network that the node is on that is reserved for use by the egress router pod. Optional: You can include the subnet length, the /24 suffix, so that a proper route to the local subnet is set. If you do not specify a subnet length, then the egress router can access only the host specified with the EGRESS_GATEWAY variable and no other hosts on the subnet. |
3 | Same value as the default gateway used by the node. |
4 | Specify a list of one or more proxy destinations. |
5 | Optional: Specify to output the DNS proxy log output to stdout . |
Egress destination configuration format
When the router is deployed in DNS proxy mode, you specify a list of port and destination mappings. A destination may be either an IP address or a DNS name.
An egress router pod supports the following formats for specifying port and destination mappings:
Port and remote address
You can specify a source port and a destination host by using the two field format: <port> <remote_address>
.
The host can be an IP address or a DNS name. If a DNS name is provided, DNS resolution occurs at runtime. For a given host, the proxy connects to the specified source port on the destination host when connecting to the destination host IP address.
Port and remote address pair example
80 172.16.12.11
100 example.com
Port, remote address, and remote port
You can specify a source port, a destination host, and a destination port by using the three field format: <port> <remote_address> <remote_port>
.
The three field format behaves identically to the two field version, with the exception that the destination port can be different than the source port.
Port, remote address, and remote port example
8080 192.168.60.252 80
8443 web.example.com 443
Deploying an egress router pod in DNS proxy mode
In DNS proxy mode, an egress router pod acts as a DNS proxy for TCP-based services from its own IP address to one or more destination IP addresses.
Prerequisites
Install the OpenShift CLI (
oc
).Log in as a user with
cluster-admin
privileges.
Procedure
Create an egress router pod.
Create a service for the egress router pod:
Create a file named
egress-router-service.yaml
that contains the following YAML. Setspec.ports
to the list of ports that you defined previously for theEGRESS_DNS_PROXY_DESTINATION
environment variable.apiVersion: v1
kind: Service
metadata:
name: egress-dns-svc
spec:
ports:
...
type: ClusterIP
selector:
name: egress-dns-proxy
For example:
apiVersion: v1
kind: Service
metadata:
name: egress-dns-svc
spec:
ports:
- name: con1
protocol: TCP
port: 80
targetPort: 80
- name: con2
protocol: TCP
port: 100
targetPort: 100
type: ClusterIP
selector:
name: egress-dns-proxy
To create the service, enter the following command:
$ oc create -f egress-router-service.yaml
Pods can now connect to this service. The connections are proxied to the corresponding ports on the external server, using the reserved egress IP address.