Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Undefined
Fix Version/s: None
Affects Version/s: 4.22
Component/s: Documentation / CORENET
Labels:
None

Activity Type:
None
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
None
Regression:
None

Target Backport Versions:
None
Target Version:
None
Release Blocker:
None
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:

Release Note Status:
None
Release Note Type:
None
Release Note Text:
None

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

We should clarify to users that OCP itself does not set any
NetworkPolicy for egress routers, meaning that by default, an egress
router can be accessed by pods in any namespace. If the user wants to
restrict who can access the egress router, they should create a
NetworkPolicy in the same namespace as the egress router, like so:

  kind: NetworkPolicy
  apiVersion: networking.k8s.io/v1
  metadata:
    name: egress-router-policy
  spec:
    podSelector:
      matchLabels:
        app: egress-router-cni
    ingress:
      # Allow pods in namespace "foo" to access port 8080
      - from:
          - namespaceSelector:
              matchLabels:
                kubernetes.io/metadata.name: foo
        ports:
          - port: 8080
      # Allow all pods to access port 9090
      - ports:
          - port: 9090
      # Nothing else is allowed

Version-Release number of selected component (if applicable):

All OCP versions

Assignee:: OCP DocsBot

Reporter:: Dan Winship

QA Contact:: Zhanqi Zhao

Need Info From:: None

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2026/01/27 3:33 PM

Updated:: 2026/01/27 3:34 PM

Details

Description

Attachments

Easy Agile Planning Poker

Activity

People

Dates