OpenShift projects may have EgressFirewalls configured. These are specific features that apply to OpenShift projects to restrict specific egress traffic from these projects.
TO BE DONE: Need to check if these EgressNetworkPolicy can be converted to K8S NetworkPolicy and update this section accordingly.
If you are looking at EgressNetworkPolicy for an individual OpenShift Project, see this section.
To list all egress network policies configured on the cluster, if any
oc get egressnetworkpolicies --all-namespaces
These have to be translated manually to Kubernetes NetworkPolicies. To egress policies that apply to individual projects,
oc get egressnetworkpolicy default -n test-rq1 -o yaml \
| yq e 'del(.metadata.creationTimestamp)' - \
| yq e 'del(.metadata.resourceVersion)' - \
| yq e 'del(.metadata.selfLink)' - \
| yq e 'del(.metadata.uid)' - \
| yq e 'del(.status)' - \
| yq e 'del(.metadata.managedFields)' - \
| yq e 'del(.metadata.annotations)' - \
| yq e 'del(.metadata.manager)' - \
| yq e 'del(.metadata.operation)' - \
| yq e 'del(.metadata.generation)' - \
| yq e 'del(.metadata.time)' -
Here they will be exported as is, but not to be applied to the target cluster. The egress network policies will be saved into clusterconfigs/to-review/egress-network-policies/namespaces/NAMESPACE folder.
for ns in $(ls clusterconfigs/namespaces); do
for i in $(oc get egressnetworkpolicies -n $ns -o jsonpath='{.items[*].metadata.name}'); do
echo "Exporting Egress Network Policies for namespace:" $ns;
mkdir -p clusterconfigs/to-review/egress-network-policies/namespaces/$ns
oc get egressnetworkpolicy $i -n $ns -o yaml \
| yq e 'del(.metadata.creationTimestamp)' - \
| yq e 'del(.metadata.resourceVersion)' - \
| yq e 'del(.metadata.selfLink)' - \
| yq e 'del(.metadata.uid)' - \
| yq e 'del(.status)' - \
| yq e 'del(.metadata.managedFields)' - \
| yq e 'del(.metadata.annotations)' - \
| yq e 'del(.metadata.manager)' - \
| yq e 'del(.metadata.operation)' - \
| yq e 'del(.metadata.generation)' - \
| yq e 'del(.metadata.time)' - > clusterconfigs/to-review/egress-network-policies/namespaces/$ns/$i-egress-network-policy.yaml
done;
done