Update networking/egressip

Author: rbo

content/README.md

@@ -24,6 +24,7 @@ and benefit from the expertise shared in this repository.
 
 |Date|Headline|
 |---|---|
+|2026-02-12|[Update networking/egressip](networking/egress-ip/)|
 |2026-02-06|[Added domain.xml adjustment example via sidecar hook](kubevirt/adjust-domain-xml/)|
 |2026-02-06|[Updated IBM Fusion Access for SAN with air-gapped/disconnected details](storage/ibm-fusion-access-san/)|
 |2026-01-29|[Added how to setup a rhel 10 router](my-lab/rhel-router/)|

content/networking/egress-ip/egressip-screenshot.png

@@ -1,71 +1,212 @@
 ---
 title: Egress IP
-linktitle:  Egress IP
-description: Egress IP demo
-tags: ['Egress','v4.19']
+linktitle: Egress IP
+description: Configure egress IP addresses so traffic from selected namespaces leaves the cluster with a fixed, predictable source IP.
+tags: ['Egress','v4.20']
 ---
-# Some information
+# Egress IP
 
-Official documentation: <https://docs.redhat.com/en/documentation/openshift_container_platform/4.19/html/ovn-kubernetes_network_plugin/configuring-egress-ips-ovn>
+This example shows how to configure **egress IP addresses** on OpenShift so that traffic from selected namespaces uses a fixed source IP. That makes it easy to whitelist cluster workloads in firewalls or identify traffic in logs (e.g., from a specific app or team).
 
-Tested with:
+**Official documentation:** [Chapter 9. Configuring an egress IP address](https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/ovn-kubernetes_network_plugin/configuring-egress-ips-ovn)
 
-|Component|Version|
-|---|---|
-|OpenShift|v4.19.14|
+**Tested with:**
 
-## Prepare cluster
+| Component | Version |
+|-----------|---------|
+| OpenShift | v4.20.1 |
+
+## Overview
+
+![](overview.drawio)
+
+Two OpenShift clusters are used:
+
+### Cluster: ocp6
+
+**Source cluster** — here we configure egress IPs and run a pod that sends HTTP requests (via `curl`) to the web server on **ocp7**.
+
+=== "Worker Nodes"
+
+    | NAME            | IP           |
+    |-----------------|--------------|
+    | ocp6-worker-0   | 10.32.105.95 |
+    | ocp6-worker-1   | 10.32.105.96 |
+    | ocp6-worker-2   | 10.32.105.97 |
+
+=== "oc output"
+
+    ```shell
+    % oc get nodes -l node-role.kubernetes.io/worker -o custom-columns='NAME:.metadata.name,IP:.status.addresses[0].address'
+    NAME            IP
+    ocp6-worker-0   10.32.105.95
+    ocp6-worker-1   10.32.105.96
+    ocp6-worker-2   10.32.105.97
+    ```
+
+### Cluster: ocp7
+
+**Target cluster** — hosts a simple web server so we can see the **sender IP** in the server logs and verify egress IP behavior.
+
+=== "Worker Nodes"
+
+    | NAME            | IP            |
+    |-----------------|---------------|
+    | ocp7-worker-0   | 10.32.105.103 |
+    | ocp7-worker-1   | 10.32.105.104 |
+    | ocp7-worker-2   | 10.32.105.105 |
+
+=== "oc output"
+
+    ```shell
+    % oc get nodes -l node-role.kubernetes.io/worker -o custom-columns='NAME:.metadata.name,IP:.status.addresses[0].address'
+    NAME            IP
+    ocp7-worker-0   10.32.105.103
+    ocp7-worker-1   10.32.105.104
+    ocp7-worker-2   10.32.105.105
+    ```
+
+## Deploy simple-nginx on ocp7
+
+Deploy the target web server on **ocp7** (target cluster):
 
 ```shell
-% oc get nodes -l node-role.kubernetes.io/worker
-NAME                       STATUS   ROLES    AGE   VERSION
-ocp1-worker-0              Ready    worker   79d   v1.32.5
-ocp1-worker-1              Ready    worker   79d   v1.32.5
-ocp1-worker-2              Ready    worker   79d   v1.32.5
-
-% oc label node/ocp1-worker-0  k8s.ovn.org/egress-assignable=""
-node/ocp1-worker-0 labeled
-% oc label node/ocp1-worker-1  k8s.ovn.org/egress-assignable=""
-node/ocp1-worker-1 labeled
-% oc label node/ocp1-worker-2  k8s.ovn.org/egress-assignable=""
-node/ocp1-worker-2 labeled
-
-oc apply -f - <<EOF
-heredoc> apiVersion: k8s.ovn.org/v1
-kind: EgressIP
-metadata:
-  name: egress-coe
-spec:
-  egressIPs:
-  - 10.32.105.72
-  - 10.32.105.73
-  namespaceSelector:
-    matchLabels:
-      egress: coe
-heredoc> EOF
-egressip.k8s.ovn.org/egress-coe created
+oc new-project egress-target
+oc apply -k 'git@github.com:openshift-examples/kustomize/components/simple-nginx?ref=2026-02-12'
 ```
 
-## Deployment
+Get the route hostname:
 
 ```shell
-oc new-project rbohne-egress
-oc deploy -k simple-nginx...
-oc rsh deployment/simple-nginx
-curl $WEBSERVER
-
-oc label namespace/rbohne-egress egress=coe
+% oc get route simple-nginx -o jsonpath='{.spec.host}'
+simple-nginx-egress-target.apps.ocp7.stormshift.coe.muc.redhat.com
 ```
 
-```log
-10.32.96.44 - - [31/Aug/2025:11:54:00 +0200] "GET / HTTP/1.1" 301 247 "-" "curl/7.76.1"
-10.32.105.72 - - [31/Aug/2025:11:56:31 +0200] "GET / HTTP/1.1" 301 247 "-" "curl/7.76.1"
+Call the web server from your machine (or any client):
+
+```shell
+% curl -I https://simple-nginx-egress-target.apps.ocp7.stormshift.coe.muc.redhat.com
+
+HTTP/1.1 200 OK
+server: nginx/1.26.3
+date: Thu, 12 Feb 2026 15:19:17 GMT
+content-type: text/html
+content-length: 45
+last-modified: Thu, 12 Feb 2026 15:17:31 GMT
+etag: "698def0b-2d"
+accept-ranges: bytes
+set-cookie: 5386f97f58871214bc079b41bd88c1cd=43357b3d3312239cb10b42b1c3d17138; path=/; HttpOnly; Secure; SameSite=None
+cache-control: private
 ```
 
-## Check IP on the node
+Check the pod logs to see the client IP that nginx recorded:
 
 ```shell
-sh-5.1# ip -br a show dev br-ex
-br-ex            UNKNOWN        10.32.105.69/20 169.254.0.2/17 10.32.105.72/32
-sh-5.1#
+% oc logs -f deployment/simple-nginx | grep curl
+10.130.0.2 - - [12/Feb/2026:15:26:45 +0000] "HEAD / HTTP/1.1" 200 0 "-" "curl/8.12.1" "10.32.96.62"
 ```
+
+- `10.130.0.2` — cluster-internal IP of the ingress/router pod
+- `10.32.96.62` — **real client IP** (your machine or the pod making the request)
+
+## Configure egress IP on ocp6
+
+1. **Label worker nodes** so they can be assigned egress IPs:
+
+    ```shell
+    % oc label node -l node-role.kubernetes.io/worker k8s.ovn.org/egress-assignable=""
+    node/ocp6-worker-0 labeled
+    node/ocp6-worker-1 labeled
+    node/ocp6-worker-2 labeled
+    ```
+
+2. **Create an `EgressIP` object** with the IPs to use and which namespaces (via label) will use them. Use IPs that are valid on your cluster’s egress network and not in use by nodes or other services:
+
+    ```shell
+    oc apply -f - <<EOF
+    apiVersion: k8s.ovn.org/v1
+    kind: EgressIP
+    metadata:
+      name: egress-coe
+    spec:
+      egressIPs:
+        - 10.32.105.72
+        - 10.32.105.73
+      namespaceSelector:
+        matchLabels:
+          egress: coe
+    EOF
+    ```
+
+3. **Deploy a curl pod** in a new project — first **without** the egress label so traffic uses the node IP:
+
+    ```shell
+    oc new-project curl
+    oc apply -k 'git@github.com:openshift-examples/kustomize/components/rhel-support-tools?rev=2026-02-12'
+    ```
+
+    From inside the pod, run `curl` against the ocp7 route. The pod is on `ocp6-worker-2` (node IP `10.32.105.97`):
+
+    ```shell
+    % oc rsh deployment.apps/rhel-support-tools
+    sh-5.1$ echo $NODE_NAME $NODE_IP
+    ocp6-worker-2 10.32.105.97
+    sh-5.1$ curl -Ik https://simple-nginx-egress-target.apps.ocp7.stormshift.coe.muc.redhat.com
+    HTTP/1.1 200 OK
+    server: nginx/1.26.3
+    date: Thu, 12 Feb 2026 15:42:30 GMT
+    content-type: text/html
+    content-length: 45
+    last-modified: Thu, 12 Feb 2026 15:31:00 GMT
+    etag: "698df234-2d"
+    accept-ranges: bytes
+    set-cookie: 5386f97f58871214bc079b41bd88c1cd=7fbe3d3d6235cc5431656b0f57361872; path=/; HttpOnly; Secure; SameSite=None
+    cache-control: private
+
+    sh-5.1$
+    ```
+
+    On **ocp7**, check the `simple-nginx` logs. The client IP should be the **node IP** (`10.32.105.97`), because the namespace does not use egress IP yet:
+
+    ```shell
+    10.130.0.2 - - [12/Feb/2026:15:42:30 +0000] "HEAD / HTTP/1.1" 200 0 "-" "curl/7.76.1" "10.32.105.97"
+    ```
+
+    ![](nodeip-screenshot.png)
+
+4. **Enable egress IP** for the `curl` namespace by adding the label that matches the `EgressIP` `namespaceSelector`:
+
+    ```shell
+    oc label namespace/curl egress=coe
+    ```
+
+    Run `curl` again from the same pod (still on the same node):
+
+    ```shell
+    % oc rsh deployment.apps/rhel-support-tools
+    sh-5.1$ echo $NODE_NAME $NODE_IP
+    ocp6-worker-2 10.32.105.97
+    sh-5.1$ curl -Ik https://simple-nginx-egress-target.apps.ocp7.stormshift.coe.muc.redhat.com
+    HTTP/1.1 200 OK
+    server: nginx/1.26.3
+    date: Thu, 12 Feb 2026 15:48:38 GMT
+    content-type: text/html
+    content-length: 45
+    last-modified: Thu, 12 Feb 2026 15:31:00 GMT
+    etag: "698df234-2d"
+    accept-ranges: bytes
+    set-cookie: 5386f97f58871214bc079b41bd88c1cd=7fbe3d3d6235cc5431656b0f57361872; path=/; HttpOnly; Secure; SameSite=None
+    cache-control: private
+
+    sh-5.1$
+    ```
+
+    On **ocp7**, check the `simple-nginx` logs again. The client IP should now be **10.32.105.72** — one of the egress IPs — instead of the node IP:
+
+    ```shell
+    10.130.0.2 - - [12/Feb/2026:15:48:38 +0000] "HEAD / HTTP/1.1" 200 0 "-" "curl/7.76.1" "10.32.105.72"
+    ```
+
+    **Source IP is now the egress IP.**
+
+    ![](egressip-screenshot.png)

content/networking/egress-ip/index.md

@@ -0,0 +1,28 @@
+<mxfile host="Electron" agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/29.3.6 Chrome/140.0.7339.249 Electron/38.8.0 Safari/537.36" version="29.3.6">
+  <diagram name="Page-1" id="CfVRJ24CIUdbo2xG4-Xr">
+    <mxGraphModel dx="1823" dy="486" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="850" pageHeight="1100" math="0" shadow="0">
+      <root>
+        <mxCell id="0" />
+        <mxCell id="1" parent="0" />
+        <mxCell id="EBQ1oc4t_hqgZCyZlvfD-4" parent="1" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#f5f5f5;fontColor=#333333;strokeColor=#666666;align=center;verticalAlign=top;fontStyle=1;fontSize=15;" value="OpenShift Cluster - ocp6" vertex="1">
+          <mxGeometry height="160" width="270" x="40" y="40" as="geometry" />
+        </mxCell>
+        <mxCell id="EBQ1oc4t_hqgZCyZlvfD-5" parent="1" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#f5f5f5;fontColor=#333333;strokeColor=#666666;align=center;verticalAlign=top;fontStyle=1;fontSize=15;" value="OpenShift Cluster - ocp7" vertex="1">
+          <mxGeometry height="160" width="270" x="480" y="40" as="geometry" />
+        </mxCell>
+        <mxCell id="EBQ1oc4t_hqgZCyZlvfD-6" parent="1" style="rounded=0;whiteSpace=wrap;html=1;verticalAlign=top;" value="&lt;b&gt;simple-http-server&lt;/b&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div style=&quot;&quot;&gt;Web server to determine the sender&#39;s IP address.&lt;/div&gt;" vertex="1">
+          <mxGeometry height="70" width="230" x="500" y="90" as="geometry" />
+        </mxCell>
+        <mxCell id="EBQ1oc4t_hqgZCyZlvfD-7" parent="1" style="rounded=0;whiteSpace=wrap;html=1;verticalAlign=top;" value="Configured egress IPs&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;CURL as Client to connect to simple-http-server running on ocp7&lt;br&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;/div&gt;" vertex="1">
+          <mxGeometry height="90" width="240" x="60" y="80" as="geometry" />
+        </mxCell>
+        <mxCell id="EBQ1oc4t_hqgZCyZlvfD-8" edge="1" parent="1" source="EBQ1oc4t_hqgZCyZlvfD-7" style="endArrow=classic;html=1;rounded=0;exitX=1;exitY=0.5;exitDx=0;exitDy=0;strokeWidth=3;entryX=0;entryY=0.5;entryDx=0;entryDy=0;" target="EBQ1oc4t_hqgZCyZlvfD-6" value="">
+          <mxGeometry height="50" relative="1" width="50" as="geometry">
+            <mxPoint x="560" y="220" as="sourcePoint" />
+            <mxPoint x="410" y="250" as="targetPoint" />
+          </mxGeometry>
+        </mxCell>
+      </root>
+    </mxGraphModel>
+  </diagram>
+</mxfile>