OpenShift Day 3 Guide

Networking, Storage, Security, Observability, CI/CD, and Cluster Upgrades.

Networking

OpenShift ships a full software-defined networking stack. Day 3 networking means Routes, Services, Ingress, NetworkPolicies, and egress controls.

Services

A Service is a stable virtual IP that load-balances across Pod replicas. Choose the right type for your access pattern.

ClusterIP

Accessible only inside the cluster. Default type for internal services.

NodePort

Opens a port on every node (30000–32767). Useful for dev/test access without an LB.

LoadBalancer

Provisions a cloud load balancer. Use on GCP/AWS/Azure for production ingress.

ExternalName

Maps a service name to an external DNS CNAME. Useful for off-cluster dependencies.

apiVersion: v1
kind: Service
metadata:
  name: api-server
  namespace: mission-ops
spec:
  selector:
    app: api-server
  ports:
  - name: http
    port: 80
    targetPort: 8080
  - name: https
    port: 443
    targetPort: 8443
  type: ClusterIP

Routes (OpenShift-native Ingress)

Routes are OpenShift's native way to expose Services externally through the HAProxy-based router. They are more feature-rich than standard Ingress objects (per-route TLS termination modes, weighted backends, wildcard policy).

apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: api-server
  namespace: mission-ops
spec:
  host: api.example.com
  to:
    kind: Service
    name: api-server
    weight: 100
  port:
    targetPort: http
  tls:
    termination: edge               # edge | passthrough | reencrypt
    insecureEdgeTerminationPolicy: Redirect
  wildcardPolicy: None

edge

TLS terminated at the router. Traffic is unencrypted between router and pod.

passthrough

TLS passes through untouched. Pod handles TLS termination end-to-end.

reencrypt

TLS terminated at router, then re-encrypted for pod. Most secure option.

NetworkPolicy

NetworkPolicies are the firewall rules of your cluster. By default all Pods can talk to all other Pods — a deny-all baseline plus explicit allows is best practice for production.

# Step 1: deny all ingress in the namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: mission-ops
spec:
  podSelector: {}
  policyTypes:
  - Ingress
---
# Step 2: allow ingress only from the ingress controller
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-router
  namespace: mission-ops
spec:
  podSelector:
    matchLabels:
      app: api-server
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          network.openshift.io/policy-group: ingress
---
# Step 3: allow inter-service traffic within the namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: mission-ops
spec:
  podSelector: {}
  ingress:
  - from:
    - podSelector: {}
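
To see how these three policies combine, here is an added example (not part of the guide) that evaluates the Kubernetes NetworkPolicy ingress semantics offline: the policies are embedded as constructed Python dicts mirroring the YAML above, and the source/destination pods and namespace labels are assumed test values.

```python
# Constructed to mirror the three NetworkPolicy documents above (not parsed from YAML).
POLICIES = [
    {"metadata": {"name": "default-deny-ingress", "namespace": "mission-ops"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    {"metadata": {"name": "allow-from-router", "namespace": "mission-ops"},
     "spec": {"podSelector": {"matchLabels": {"app": "api-server"}},
              "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {
                  "network.openshift.io/policy-group": "ingress"}}}]}]}},
    {"metadata": {"name": "allow-same-namespace", "namespace": "mission-ops"},
     "spec": {"podSelector": {}, "ingress": [{"from": [{"podSelector": {}}]}]}},
]

def matches(selector, labels):
    """Empty selector matches everything; every matchLabels pair must be present."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def ingress_allowed(policies, dst_ns, dst_labels, src_ns, src_ns_labels, src_labels):
    """Allowed iff no policy selects dst, or a rule of a selecting policy matches src (additive)."""
    isolated = False
    for pol in policies:
        spec = pol["spec"]
        types = spec.get("policyTypes", ["Ingress"])  # omitted policyTypes always implies Ingress
        if (pol["metadata"]["namespace"] != dst_ns or "Ingress" not in types
                or not matches(spec.get("podSelector", {}), dst_labels)):
            continue
        isolated = True  # selected by at least one policy: deny unless some rule allows
        for rule in spec.get("ingress", []):
            if not rule.get("from"):  # a rule with no 'from' admits every source
                return True
            for peer in rule["from"]:  # ipBlock peers are not modelled here
                # a podSelector without namespaceSelector is scoped to the policy's own namespace
                ns_ok = (matches(peer["namespaceSelector"], src_ns_labels)
                         if "namespaceSelector" in peer else src_ns == dst_ns)
                pod_ok = "podSelector" not in peer or matches(peer["podSelector"], src_labels)
                if ns_ok and pod_ok:
                    return True
    return not isolated

def check_mission_ops():
    # Assumed test pods: the router, a neighbour in mission-ops, and a pod in another namespace.
    api = ("mission-ops", {"app": "api-server"})
    router = ("openshift-ingress", {"network.openshift.io/policy-group": "ingress"}, {"app": "router"})
    neighbour = ("mission-ops", {}, {"app": "worker"})
    stranger = ("other-team", {"team": "other"}, {"app": "scanner"})
    return {
        "router->api": ingress_allowed(POLICIES, *api, *router),
        "same-ns->api": ingress_allowed(POLICIES, *api, *neighbour),
        "other-ns->api": ingress_allowed(POLICIES, *api, *stranger),
        "router->worker": ingress_allowed(POLICIES, "mission-ops", {"app": "worker"}, *router),
        "unpolicied-ns": ingress_allowed(POLICIES, "sandbox", {"app": "x"}, *stranger),
    }
```

The last entry shows the default the guide warns about: a namespace with no NetworkPolicy at all accepts ingress from anywhere.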

Egress Controls

Control outbound traffic with EgressNetworkPolicy (OpenShift SDN) or EgressFirewall (OVN-Kubernetes). Use them to restrict which external IPs and DNS names a namespace can reach. Rules are evaluated in order and the first match wins, so a final Deny for 0.0.0.0/0 turns the list into an allow-list.

apiVersion: k8s.ovn.org/v1
kind: EgressFirewall
metadata:
  name: default                    # OVN-Kubernetes requires the EgressFirewall to be named "default"
  namespace: mission-ops
spec:
  egress:
  - type: Allow
    to:
      dnsName: api.external-service.com
  - type: Allow
    to:
      cidrSelector: 10.0.0.0/8      # Allow the 10/8 RFC 1918 range (on-prem)
  - type: Deny
    to:
      cidrSelector: 0.0.0.0/0       # Block everything else

OVN-Kubernetes vs OpenShift SDN

OpenShift 4.12+ defaults to OVN-Kubernetes. It supports EgressFirewall, EgressIP, and secondary networks. OpenShift SDN (the legacy CNI) uses EgressNetworkPolicy. If you're on SDN, consider migrating — SDN is deprecated in OCP 4.17+.

This guide reflects OpenShift 4.x / Kubernetes 1.28+. YAML examples are illustrative — adjust namespaces, images, and resource values for your environment.
