@jkeam
Created January 31, 2023 03:16
OpenShift Project Request Template - EgressNetworkPolicy

OpenShift Project Request Template

Automatically create an EgressNetworkPolicy in every new project. Note that this applies to the OpenShiftSDN network plugin; for OVNKubernetes, use EgressFirewall instead.

Before

oc new-project before
oc get EgressNetworkPolicy  # notice nothing is returned

Configure

oc adm create-bootstrap-project-template -o yaml > template.yaml  # edit template.yaml with below

Make sure the following entry is in the objects list of template.yaml:

- apiVersion: network.openshift.io/v1
  kind: EgressNetworkPolicy
  metadata:
    name: ${PROJECT_NAME}-github-block
    namespace: ${PROJECT_NAME}
  spec:
    egress:
    - type: Deny
      to:
        dnsName: www.github.com

oc create -f template.yaml -n openshift-config
# verify: oc edit templates/project-request -n openshift-config
oc edit project.config.openshift.io/cluster

And it should look like:

apiVersion: config.openshift.io/v1
kind: Project
metadata:
  ...
spec:
  projectRequestTemplate:
    name: project-request

Now wait for all apiserver pods in the openshift-apiserver project to terminate and be recreated.

After

oc new-project after
oc get EgressNetworkPolicy  # validate it is created
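
For clusters running OVNKubernetes, the equivalent entry in the objects list of template.yaml uses EgressFirewall, as noted at the top. This is an added example, not part of the original gist; it assumes the same PROJECT_NAME template parameter and the same www.github.com deny rule used above.

```yaml
# Added example: OVNKubernetes counterpart of the EgressNetworkPolicy entry.
# Place it in the objects list of template.yaml in place of the
# EgressNetworkPolicy entry, which only applies to OpenShiftSDN.
- apiVersion: k8s.ovn.org/v1
  kind: EgressFirewall
  metadata:
    # OVNKubernetes allows one EgressFirewall per namespace, and it must be
    # named "default", so the ${PROJECT_NAME}-github-block naming cannot be kept.
    name: default
    namespace: ${PROJECT_NAME}
  spec:
    egress:
    # Same rule as the OpenShiftSDN version: deny egress to this DNS name.
    - type: Deny
      to:
        dnsName: www.github.com
# After creating a new project, check with: oc get egressfirewall
```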