OpenShift Egress IP Explained¶
Introduction¶
OpenShift networking troubleshooting starts with pod placement, service endpoints, DNS, and NetworkPolicy. OVN-Kubernetes also makes namespace and pod labels important for policy-driven traffic.
When You Need This¶
Use this when traffic does not reach an OpenShift application, TLS behavior is unclear, DNS fails inside the cluster, or NetworkPolicy changes affect pod communication.
Key Objects and Commands¶
oc get networkpolicy -n app
oc describe networkpolicy allow-web-to-api -n app
oc get pods -n app --show-labels
oc rsh deploy/web -n app curl -sS http://api:8080/health
Example output:
NAME POD-SELECTOR AGE
allow-web-to-api app=api 12m
OK
Step-by-Step Configuration¶
- Confirm the project and object names.
- Check route, service, endpoint, pod, and policy status.
- Apply only the network change that matches the failed layer.
Example YAML¶
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-web-to-api
spec:
podSelector:
matchLabels:
app: api
ingress:
- from:
- podSelector:
matchLabels:
app: web
ports:
- protocol: TCP
port: 8080
Verification¶
oc get networkpolicy -n app
oc get endpoints api -n app
oc rsh deploy/web -n app -- curl -v http://api:8080/health
Troubleshooting¶
Follow the path from client to route, route to service, service to endpoint, endpoint to pod, and pod to container port.
Common Mistakes¶
- Creating a default deny policy without allow rules.
- Matching namespace labels that do not exist.
- Testing from a pod that has different labels than production traffic.
Quick Checklist¶
- Confirm the active project.
- Inspect the exact object named in the error.
- Read recent events.
- Apply one focused fix.
- Verify status after the change.
Related Guides¶
Summary¶
OpenShift Egress IP Explained is easier to troubleshoot when each network layer is verified separately instead of treating every failure as a router problem.