document OPENSHIFT-ADMIN-OUTPUT-RULES #4490
Conversation
|
isn't 3.6 still in the future and "backporting" would be 3.5? |
|
@danwinship -- right. I just wanted to make sure the docs end up in the correct release for where the feature is going. 3.6 has not been released and is what we are working on at the moment. |
admin_guide/managing_networking.adoc
Outdated
| automatically, but it does provide a place where such rules can be | ||
| added manually by the administrator. Each node, on startup, will | ||
| create an empty chain called `OPENSHIFT-ADMIN-OUTPUT-RULES` in the | ||
| `filter` table (assuming that that chain doesn't already exist). Any |
| @@ -32,6 +32,13 @@ not impact the operation of {product-title} and the Docker service. Also, change | |||
| will often need to be made on all nodes in the cluster. Use caution, as iptables | |||
| is not designed to have multiple concurrent users and it is very easy to break | |||
| {product-title} and Docker networking. | |||
|
|
|||
| {product-title} provides one chain which is specifically intended for | |||
There was a problem hiding this comment.
Adding a comma implies (to me) that openshift only provides one chain (and that chain is intended for administrators to use). But it creates many chains, it's just that only one of them has this purposes.
There was a problem hiding this comment.
@danwinship @ahardin-rh I'd agree with Ashley. Commas are really only for separating clauses. I'd suggest "OpenShift provides a number of chains, one of which is specifically intended for..."
I was asked to have a look at this PR and see if it needed a followup and this is the only thought I had. I'll do that.
admin_guide/managing_networking.adoc
Outdated
| @@ -435,6 +440,44 @@ $ oc create -f <replication_controller>.json | |||
| oc describe rc <replication_controller> | |||
| ---- | |||
|
|
|||
| [[admin-guide-limit-pod-access-iptables]] | |||
| === Using iptables rules to Limit Access to External Resources | |||
admin_guide/managing_networking.adoc
Outdated
| === Using iptables rules to Limit Access to External Resources | ||
|
|
||
| Some cluster administrators may want to perform actions on outgoing | ||
| traffic that don't fit within the model of EgressNetworkPolicy or the |
admin_guide/managing_networking.adoc
Outdated
| . The rules are not applied to traffic that exits the cluster via an | ||
| egress-router, and they run after EgressNetworkPolicies are applied | ||
| (and so will not see traffic that is denied by an | ||
| EgressNetworkPolicy). |
There was a problem hiding this comment.
`EgressNetworkPolicy`
admin_guide/managing_networking.adoc
Outdated
| automatically. | ||
|
|
||
| . The rules are not applied to traffic that exits the cluster via an | ||
| egress-router, and they run after EgressNetworkPolicies are applied |
danwinship
force-pushed
the
admin-iptables-filtering
branch
from
6c20657 to
63b4d3b
Compare
|
updated with all the other suggested changes |
|
github thinks this is still running in travis, but travis says it passed... |
Document the new iptables chain that exists for admin special purposes.
openshift/origin#14221 / https://trello.com/c/dnZHuI5R
@openshift/networking