AZURE OPENSHIFT DNSConfig and Ingress/Egress NetworkPolicy?


Guys, I am very new to OpenShift. I have an Azure Red Hat OpenShift cluster deployed and have access to the web console as administrator.

I have deployed a sample application inside the OpenShift cluster using the built-in S2I mode by directly providing the GitHub URL, and the app is deployed successfully.

Now my requirement is to implement DNSConfig and Ingress/Egress NetworkPolicy.

I am very new and couldn't understand what exactly DNSConfig and Ingress/Egress NetworkPolicy are.

Can someone please explain to me what those are and how we can implement them for my demo application that is deployed in that Azure OpenShift console?

Please help.

Thanks in Advance.


1 answer

Wytrzymały Wiktor (best answer)

Your best bet would be to get familiar with the official docs.

Pod's DNS Config:

Pod's DNS Config allows users more control on the DNS settings for a Pod.

The dnsConfig field is optional and it can work with any dnsPolicy settings. However, when a Pod's dnsPolicy is set to "None", the dnsConfig field has to be specified.

Below are the properties a user can specify in the dnsConfig field:

  • nameservers: a list of IP addresses that will be used as DNS servers for the Pod. There can be at most 3 IP addresses specified. When the Pod's dnsPolicy is set to "None", the list must contain at least one IP address, otherwise this property is optional. The servers listed will be combined with the base nameservers generated from the specified DNS policy with duplicate addresses removed.

  • searches: a list of DNS search domains for hostname lookup in the Pod. This property is optional. When specified, the provided list will be merged into the base search domain names generated from the chosen DNS policy. Duplicate domain names are removed. Kubernetes allows for at most 6 search domains.

  • options: an optional list of objects where each object may have a name property (required) and a value property (optional). The contents in this property will be merged to the options generated from the specified DNS policy. Duplicate entries are removed.

Network Policies:

If you want to control traffic flow at the IP address or port level (OSI layer 3 or 4), then you might consider using Kubernetes NetworkPolicies for particular applications in your cluster. NetworkPolicies are an application-centric construct which allow you to specify how a pod is allowed to communicate with various network "entities" (we use the word "entity" here to avoid overloading the more common terms such as "endpoints" and "services", which have specific Kubernetes connotations) over the network.

The entities that a Pod can communicate with are identified through a combination of the following 3 identifiers:

  1. Other pods that are allowed (exception: a pod cannot block access to itself)

  2. Namespaces that are allowed

  3. IP blocks (exception: traffic to and from the node where a Pod is running is always allowed, regardless of the IP address of the Pod or the node)

When defining a pod- or namespace- based NetworkPolicy, you use a selector to specify what traffic is allowed to and from the Pod(s) that match the selector.

Meanwhile, when IP based NetworkPolicies are created, we define policies based on IP blocks (CIDR ranges).

These topics are explained in more detail in the linked documentation. You can also find some examples there that will help you implement them in your use case.
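To make the two concepts from the answer concrete for the demo application, here is an added example (not part of the original answer or the Kubernetes/OpenShift docs): a Deployment for a hypothetical S2I app named `demo-app` in a hypothetical namespace `demo` that sets a `dnsConfig`, plus a namespace-wide default-deny NetworkPolicy and a second policy that opens only the traffic the app needs. The OpenShift-specific pieces are assumptions you should verify on your cluster: the router namespace label `network.openshift.io/policy-group: ingress`, the `kubernetes.io/metadata.name: openshift-dns` label, and the DNS pods listening on port 5353. The image reference and the 203.0.113.0/24 destination are placeholders.

```yaml
# Added example, not from the original post. Names, labels and the image
# reference are assumptions; adjust them to your cluster before applying.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-app
  namespace: demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo-app
  template:
    metadata:
      labels:
        app: demo-app
    spec:
      # ClusterFirst keeps cluster DNS in place; dnsConfig only merges extra
      # settings into the resolver config that policy generates.
      dnsPolicy: ClusterFirst
      dnsConfig:
        searches:
          - demo.svc.cluster.local   # merged with the generated search list
        options:
          - name: ndots
            value: "2"               # fewer search-list expansions for external names
          - name: timeout
            value: "2"
      containers:
        - name: demo-app
          image: image-registry.openshift-image-registry.svc:5000/demo/demo-app:latest  # placeholder
          ports:
            - containerPort: 8080
---
# Namespace-wide default deny: every pod in "demo" loses all ingress and
# egress until another policy explicitly allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: demo
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
---
# Allow-list for the demo app only. Rules in one policy are OR-ed together.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: demo-app-allow
  namespace: demo
spec:
  podSelector:
    matchLabels:
      app: demo-app
  policyTypes: [Ingress, Egress]
  ingress:
    # Only the OpenShift router (traffic arriving via a Route) may reach 8080.
    - from:
        - namespaceSelector:
            matchLabels:
              network.openshift.io/policy-group: ingress   # assumed label
      ports:
        - protocol: TCP
          port: 8080
  egress:
    # Cluster DNS must stay reachable; with egress denied, every name lookup
    # from the pod would otherwise time out.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: openshift-dns   # assumed label
      ports:
        - protocol: UDP
          port: 5353   # assumed port of the dns-default pods; verify with oc get pods -n openshift-dns -o yaml
        - protocol: TCP
          port: 5353
    # One explicit external destination over HTTPS; everything else stays blocked.
    - to:
        - ipBlock:
            cidr: 203.0.113.0/24   # documentation range, placeholder for a real API
      ports:
        - protocol: TCP
          port: 443
```

Apply it with `oc apply -f` and confirm the policy was picked up with `oc describe networkpolicy demo-app-allow -n demo`. Two caveats worth checking: if you later switch to `dnsPolicy: None` with your own `nameservers`, the egress rule must also allow UDP/TCP 53 to those IP addresses, or resolution silently breaks; and NetworkPolicy only filters traffic between pods and IP blocks, so the node-local exception quoted in the answer still applies.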