Configure connection of pods to external services

Configuration guide for Openshift pods to access external services, special case for different namespace services.

Author(s): Adam Bulla | Created: 22 February 2021 | Last modified: 22 February 2021

Tested on: Red Hat OpenShift Platform v 4.6.0+

Table of contents

Configure connection of pods to external services
Configure access of pods to "internet"
Adding the hostname to the DNS service

Configure connection of pods to external services↑

This need arose when during a lab environment, we had a CP4S env configured in it's own environment, and we wanted to integrate with it (specifically with the Resilient part of CP4S) from a different service, created in a different project.

This meant that since routing to the target REST API is only possible through the exact hostname, the following prerequisites had to be overcome for it to work:

Connection has to be available between the external service pod, and the service providing the REST API
That exact host's hostname resolution must work inside the external service's pod

Note: this configuration is specific for this use-case. Setting up connection between pods of different projects, other use cases, etc, possibly could be done easier, and with less relaxed settings. However, here we needed specific hostname based connection, so this method has been used.

Configure access of pods to "internet"↑

Since the Resilient REST API only responds to the specific hostname given to it, specified by the Route configured for it, the connection had to go through the exposed Route, with all the necessary steps any other regular connection would take.

The easiest way to accomplish this was to enable the pod access to the outer world, by setting an Egress Network Policy. With this policy, specific dns names and IP sections can be set up, to allow pods in the project connection to those external addresses.

Further information about the Egress Network Policy can be found at the link.

The used configuration for this Egress Network policy can be found in the following YAML, domain name redacted.

EgressNetworkPolicy:

apiVersion: network.openshift.io/v1
kind: EgressNetworkPolicy
metadata:
  name: jira-enable-outbound-connection-to-internet
  namespace: atlassian-jira
spec:
  egress:
  - type: Allow
    to:
      dnsName: cases-rest.domain.tld
  - type: Allow
    to:
      cidrSelector: 10.109.0.0/16

Note: It is possible that filtering of the egress policy could be limited to selected pods, or this feature might become avaialble at a later version, but as time of writing, there have been no inforation readily available about this feature, so keep in mind that this policy does enable every pod inside the project to access all the listed addresses.

Adding the hostname to the DNS service↑

The default DNS service that is available to every pod in a project is configurable, and DNS forwarding can be configured for specific domains.

This is what is used in this guide, by adding the already configured DNS server of OCP and CP4S to the target project, as the DNS forward resolver for the necessary Resilient hostname.

The exact configuration of the DNS forwarding can be found in this article: Using DNS forwarding

The configuration that has to be added with the oc edit dns.operator/default command is a spec block, that defines the forward server, and the zones. Example below:

spec:
  servers:
  - forwardPlugin:
      upstreams:
      - 10.109.66.53
    name: cp4s-server
    zones:
    - domain.tld
    - cases-rest.domain.tld

After adding this configuration, and also making sure the DNS server indeed resolves the names correctly, the pod should be able to connect to Resilient.