0
# Network Operations
1
2
This document covers OpenShift networking operations, including routes, network policies, cluster networking, and network-related resources.
3
4
## Core Imports
5
6
```java { .api }
7
import io.fabric8.openshift.client.OpenShiftClient;
8
import io.fabric8.openshift.api.model.Route;
9
import io.fabric8.openshift.api.model.RouteList;
10
import io.fabric8.openshift.api.model.NetNamespace;
11
import io.fabric8.openshift.api.model.NetNamespaceList;
12
import io.fabric8.openshift.api.model.ClusterNetwork;
13
import io.fabric8.openshift.api.model.ClusterNetworkList;
14
import io.fabric8.openshift.api.model.EgressNetworkPolicy;
15
import io.fabric8.openshift.api.model.EgressNetworkPolicyList;
16
import io.fabric8.openshift.api.model.HostSubnet;
17
import io.fabric8.openshift.api.model.HostSubnetList;
18
import io.fabric8.openshift.api.model.miscellaneous.cncf.cni.v1.NetworkAttachmentDefinition;
19
import io.fabric8.openshift.api.model.miscellaneous.cncf.cni.v1.NetworkAttachmentDefinitionList;
20
import io.fabric8.kubernetes.client.dsl.Resource;
21
import io.fabric8.kubernetes.client.dsl.MixedOperation;
22
import io.fabric8.kubernetes.client.dsl.NonNamespaceOperation;
23
```
24
25
## Route Operations
26
27
### Basic Route Operations
28
29
```java { .api }
30
// List all routes in a namespace
31
RouteList routes = client.routes()
32
.inNamespace("my-project")
33
.list();
34
35
// Get a specific route
36
Route route = client.routes()
37
.inNamespace("my-project")
38
.withName("my-app")
39
.get();
40
41
// Create a new route
42
Route newRoute = new RouteBuilder()
43
.withNewMetadata()
44
.withName("my-new-app")
45
.withNamespace("my-project")
46
.addToLabels("app", "my-new-app")
47
.endMetadata()
48
.withNewSpec()
49
.withHost("my-app.example.com")
50
.withNewTo()
51
.withKind("Service")
52
.withName("my-app-service")
53
.withWeight(100)
54
.endTo()
55
.withNewPort()
56
.withNewTargetPort(8080)
57
.endPort()
58
.endSpec()
59
.build();
60
61
Route created = client.routes()
62
.inNamespace("my-project")
63
.create(newRoute);
64
```
65
66
### Secure Routes (HTTPS)
67
68
```java { .api }
69
// Create a route with edge TLS termination
70
Route secureRoute = new RouteBuilder()
71
.withNewMetadata()
72
.withName("secure-app")
73
.withNamespace("my-project")
74
.endMetadata()
75
.withNewSpec()
76
.withHost("secure-app.example.com")
77
.withNewTo()
78
.withKind("Service")
79
.withName("my-app-service")
80
.endTo()
81
.withNewTls()
82
.withTermination("edge")
83
.withInsecureEdgeTerminationPolicy("Redirect")
84
.endTls()
85
.endSpec()
86
.build();
87
88
// Create route with passthrough TLS
89
Route passthroughRoute = new RouteBuilder()
90
.withNewMetadata()
91
.withName("passthrough-app")
92
.withNamespace("my-project")
93
.endMetadata()
94
.withNewSpec()
95
.withHost("passthrough-app.example.com")
96
.withNewTo()
97
.withKind("Service")
98
.withName("secure-service")
99
.endTo()
100
.withNewTls()
101
.withTermination("passthrough")
102
.endTls()
103
.endSpec()
104
.build();
105
106
// Create route with re-encrypt TLS
107
Route reencryptRoute = new RouteBuilder()
108
.withNewMetadata()
109
.withName("reencrypt-app")
110
.withNamespace("my-project")
111
.endMetadata()
112
.withNewSpec()
113
.withHost("reencrypt-app.example.com")
114
.withNewTo()
115
.withKind("Service")
116
.withName("backend-service")
117
.endTo()
118
.withNewTls()
119
.withTermination("reencrypt")
120
.withDestinationCACertificate("-----BEGIN CERTIFICATE-----\n...")
121
.endTls()
122
.endSpec()
123
.build();
124
```
125
126
### Route with Custom Certificates
127
128
```java { .api }
129
// Create route with custom certificate
130
Route customCertRoute = new RouteBuilder()
131
.withNewMetadata()
132
.withName("custom-cert-app")
133
.withNamespace("my-project")
134
.endMetadata()
135
.withNewSpec()
136
.withHost("custom-cert-app.example.com")
137
.withNewTo()
138
.withKind("Service")
139
.withName("my-app-service")
140
.endTo()
141
.withNewTls()
142
.withTermination("edge")
143
.withCertificate("-----BEGIN CERTIFICATE-----\n...")
144
.withKey("-----BEGIN PRIVATE KEY-----\n...")
145
.withCaCertificate("-----BEGIN CERTIFICATE-----\n...")
146
.endTls()
147
.endSpec()
148
.build();
149
```
150
151
### Route Information and Status
152
153
```java { .api }
154
// Get route URL
155
Route route = client.routes()
156
.inNamespace("my-project")
157
.withName("my-app")
158
.get();
159
160
String host = route.getSpec().getHost();
161
String protocol = route.getSpec().getTls() != null ? "https" : "http";
162
String url = protocol + "://" + host;
163
164
// Check route status
165
List<RouteIngress> ingress = route.getStatus().getIngress();
166
for (RouteIngress ing : ingress) {
167
String routerName = ing.getRouterName();
168
String host = ing.getHost();
169
List<RouteIngressCondition> conditions = ing.getConditions();
170
171
boolean admitted = conditions.stream()
172
.anyMatch(condition ->
173
"Admitted".equals(condition.getType()) &&
174
"True".equals(condition.getStatus()));
175
}
176
```
177
178
## Network Namespace Operations
179
180
### NetNamespace Operations
181
182
```java { .api }
183
// List all network namespaces (cluster-scoped)
184
NetNamespaceList netNamespaces = client.netNamespaces().list();
185
186
// Get network namespace for a specific project
187
NetNamespace netns = client.netNamespaces()
188
.withName("my-project")
189
.get();
190
191
// Update network namespace (e.g., for network isolation)
192
NetNamespace updated = client.netNamespaces()
193
.withName("my-project")
194
.edit(nns -> new NetNamespaceBuilder(nns)
195
.withNetid(100) // Isolate this namespace
196
.build());
197
```
198
199
### Network Isolation
200
201
```java { .api }
202
// Isolate a project network
203
NetNamespace isolated = client.netNamespaces()
204
.withName("isolated-project")
205
.edit(nns -> new NetNamespaceBuilder(nns)
206
.withNetid(nns.getNetid()) // Keep existing netid for isolation
207
.addToAnnotations("pod.network.openshift.io/multitenant.change-network", "true")
208
.build());
209
210
// Join networks (assign same netid)
211
NetNamespace project1 = client.netNamespaces().withName("project1").get();
212
Integer sharedNetid = project1.getNetid();
213
214
client.netNamespaces()
215
.withName("project2")
216
.edit(nns -> new NetNamespaceBuilder(nns)
217
.withNetid(sharedNetid) // Same netid allows communication
218
.build());
219
```
220
221
## Cluster Network Operations
222
223
### ClusterNetwork Management
224
225
```java { .api }
226
// Get cluster network configuration
227
ClusterNetworkList clusterNetworks = client.clusterNetworks().list();
228
229
ClusterNetwork clusterNetwork = client.clusterNetworks()
230
.withName("default")
231
.get();
232
233
String network = clusterNetwork.getNetwork();
234
String hostSubnetLength = clusterNetwork.getHostsubnetlength().toString();
235
List<ClusterNetworkEntry> serviceNetworks = clusterNetwork.getServiceNetworks();
236
```
237
238
### HostSubnet Operations
239
240
```java { .api }
241
// List all host subnets
242
HostSubnetList hostSubnets = client.hostSubnets().list();
243
244
// Get host subnet for a specific node
245
HostSubnet nodeSubnet = client.hostSubnets()
246
.withName("worker-node-1")
247
.get();
248
249
String subnet = nodeSubnet.getSubnet();
250
String hostIP = nodeSubnet.getHostIP();
251
```
252
253
## Egress Network Policy Operations
254
255
### Creating Egress Policies
256
257
```java { .api }
258
// Create egress network policy
259
EgressNetworkPolicy egressPolicy = new EgressNetworkPolicyBuilder()
260
.withNewMetadata()
261
.withName("default-egress-policy")
262
.withNamespace("my-project")
263
.endMetadata()
264
.withNewSpec()
265
.addNewEgress()
266
.withType("Allow")
267
.withNewTo()
268
.withCidrSelector("10.0.0.0/8")
269
.endTo()
270
.endEgress()
271
.addNewEgress()
272
.withType("Deny")
273
.withNewTo()
274
.withDnsName("blocked-site.com")
275
.endTo()
276
.endEgress()
277
.endSpec()
278
.build();
279
280
EgressNetworkPolicy created = client.egressNetworkPolicies()
281
.inNamespace("my-project")
282
.create(egressPolicy);
283
```
284
285
### Managing Egress Rules
286
287
```java { .api }
288
// Update egress policy to add new rules
289
EgressNetworkPolicy updated = client.egressNetworkPolicies()
290
.inNamespace("my-project")
291
.withName("default-egress-policy")
292
.edit(policy -> new EgressNetworkPolicyBuilder(policy)
293
.editSpec()
294
.addNewEgress()
295
.withType("Allow")
296
.withNewTo()
297
.withDnsName("api.example.com")
298
.endTo()
299
.endEgress()
300
.endSpec()
301
.build());
302
303
// List egress policies
304
EgressNetworkPolicyList policies = client.egressNetworkPolicies()
305
.inNamespace("my-project")
306
.list();
307
```
308
309
## Network Attachment Definition Operations
310
311
### CNI Network Attachments
312
313
```java { .api }
314
// Create network attachment definition for CNI
315
NetworkAttachmentDefinition netAttach = new NetworkAttachmentDefinitionBuilder()
316
.withNewMetadata()
317
.withName("macvlan-network")
318
.withNamespace("my-project")
319
.endMetadata()
320
.withNewSpec()
321
.withConfig("{\n" +
322
" \"cniVersion\": \"0.3.1\",\n" +
323
" \"name\": \"macvlan-network\",\n" +
324
" \"type\": \"macvlan\",\n" +
325
" \"master\": \"eth0\",\n" +
326
" \"mode\": \"bridge\",\n" +
327
" \"ipam\": {\n" +
328
" \"type\": \"host-local\",\n" +
329
" \"subnet\": \"192.168.1.0/24\",\n" +
330
" \"rangeStart\": \"192.168.1.100\",\n" +
331
" \"rangeEnd\": \"192.168.1.200\",\n" +
332
" \"gateway\": \"192.168.1.1\"\n" +
333
" }\n" +
334
"}")
335
.endSpec()
336
.build();
337
338
NetworkAttachmentDefinition created = client.networkAttachmentDefinitions()
339
.inNamespace("my-project")
340
.create(netAttach);
341
```
342
343
### Using Network Attachments in Pods
344
345
```java { .api }
346
// Create pod with additional network attachment
347
Pod podWithNetworking = new PodBuilder()
348
.withNewMetadata()
349
.withName("multi-network-pod")
350
.withNamespace("my-project")
351
.addToAnnotations("k8s.v1.cni.cncf.io/networks", "macvlan-network")
352
.endMetadata()
353
.withNewSpec()
354
.addNewContainer()
355
.withName("app")
356
.withImage("nginx")
357
.endContainer()
358
.endSpec()
359
.build();
360
```
361
362
## Advanced Network Operations
363
364
### Network Monitoring and Troubleshooting
365
366
```java { .api }
367
// Watch route changes
368
client.routes()
369
.inNamespace("my-project")
370
.watch(new Watcher<Route>() {
371
@Override
372
public void eventReceived(Action action, Route route) {
373
System.out.println("Route " + action + ": " +
374
route.getMetadata().getName() +
375
" -> " + route.getSpec().getHost());
376
}
377
378
@Override
379
public void onClose(WatcherException cause) {
380
System.out.println("Route watch closed: " + cause.getMessage());
381
}
382
});
383
384
// Check route connectivity
385
Route route = client.routes()
386
.inNamespace("my-project")
387
.withName("my-app")
388
.get();
389
390
if (route != null && route.getStatus() != null) {
391
List<RouteIngress> ingresses = route.getStatus().getIngress();
392
for (RouteIngress ingress : ingresses) {
393
boolean isAdmitted = ingress.getConditions().stream()
394
.anyMatch(condition ->
395
"Admitted".equals(condition.getType()) &&
396
"True".equals(condition.getStatus()));
397
398
System.out.println("Route " + ingress.getHost() +
399
" admitted by " + ingress.getRouterName() + ": " + isAdmitted);
400
}
401
}
402
```
403
404
## Usage Examples
405
406
### Complete Route Setup Example
407
408
```java
409
import io.fabric8.openshift.client.OpenShiftClient;
410
import io.fabric8.openshift.api.model.*;
411
412
public class RouteManager {
413
private final OpenShiftClient client;
414
415
public RouteManager(OpenShiftClient client) {
416
this.client = client;
417
}
418
419
public String exposeService(String namespace, String serviceName,
420
String hostname, boolean secure) {
421
Route route = createRoute(namespace, serviceName, hostname, secure);
422
waitForRouteAdmission(namespace, route.getMetadata().getName());
423
424
String protocol = secure ? "https" : "http";
425
String url = protocol + "://" + route.getSpec().getHost();
426
427
System.out.println("Service exposed at: " + url);
428
return url;
429
}
430
431
private Route createRoute(String namespace, String serviceName,
432
String hostname, boolean secure) {
433
RouteBuilder routeBuilder = new RouteBuilder()
434
.withNewMetadata()
435
.withName(serviceName + "-route")
436
.withNamespace(namespace)
437
.addToLabels("app", serviceName)
438
.endMetadata()
439
.withNewSpec()
440
.withHost(hostname)
441
.withNewTo()
442
.withKind("Service")
443
.withName(serviceName)
444
.withWeight(100)
445
.endTo();
446
447
if (secure) {
448
routeBuilder.editSpec()
449
.withNewTls()
450
.withTermination("edge")
451
.withInsecureEdgeTerminationPolicy("Redirect")
452
.endTls()
453
.endSpec();
454
}
455
456
Route route = routeBuilder.build();
457
458
return client.routes()
459
.inNamespace(namespace)
460
.createOrReplace(route);
461
}
462
463
private void waitForRouteAdmission(String namespace, String routeName) {
464
client.routes()
465
.inNamespace(namespace)
466
.withName(routeName)
467
.waitUntilCondition(route -> {
468
if (route.getStatus() == null || route.getStatus().getIngress() == null) {
469
return false;
470
}
471
472
return route.getStatus().getIngress().stream()
473
.anyMatch(ingress ->
474
ingress.getConditions().stream()
475
.anyMatch(condition ->
476
"Admitted".equals(condition.getType()) &&
477
"True".equals(condition.getStatus())));
478
}, 2, TimeUnit.MINUTES);
479
}
480
481
public void setupNetworkIsolation(String namespace1, String namespace2,
482
boolean allowCommunication) {
483
if (allowCommunication) {
484
// Join network namespaces
485
NetNamespace ns1 = client.netNamespaces().withName(namespace1).get();
486
Integer netid = ns1.getNetid();
487
488
client.netNamespaces()
489
.withName(namespace2)
490
.edit(nns -> new NetNamespaceBuilder(nns)
491
.withNetid(netid)
492
.build());
493
} else {
494
// Isolate network namespaces
495
client.netNamespaces()
496
.withName(namespace1)
497
.edit(nns -> new NetNamespaceBuilder(nns)
498
.withNetid(nns.getNetid()) // Keep unique netid
499
.build());
500
501
client.netNamespaces()
502
.withName(namespace2)
503
.edit(nns -> new NetNamespaceBuilder(nns)
504
.withNetid(nns.getNetid()) // Keep unique netid
505
.build());
506
}
507
}
508
}
509
```
510
511
### Network Security Policy Example
512
513
```java
514
public class NetworkSecurityManager {
515
private final OpenShiftClient client;
516
517
public NetworkSecurityManager(OpenShiftClient client) {
518
this.client = client;
519
}
520
521
public void setupEgressPolicies(String namespace) {
522
// Allow internal cluster communication
523
EgressNetworkPolicy internalPolicy = new EgressNetworkPolicyBuilder()
524
.withNewMetadata()
525
.withName("allow-internal")
526
.withNamespace(namespace)
527
.endMetadata()
528
.withNewSpec()
529
// Allow cluster internal networks
530
.addNewEgress()
531
.withType("Allow")
532
.withNewTo()
533
.withCidrSelector("10.0.0.0/8")
534
.endTo()
535
.endEgress()
536
.addNewEgress()
537
.withType("Allow")
538
.withNewTo()
539
.withCidrSelector("172.16.0.0/12")
540
.endTo()
541
.endEgress()
542
.addNewEgress()
543
.withType("Allow")
544
.withNewTo()
545
.withCidrSelector("192.168.0.0/16")
546
.endTo()
547
.endEgress()
548
// Allow DNS
549
.addNewEgress()
550
.withType("Allow")
551
.withNewTo()
552
.withDnsName("*.cluster.local")
553
.endTo()
554
.endEgress()
555
// Allow specific external services
556
.addNewEgress()
557
.withType("Allow")
558
.withNewTo()
559
.withDnsName("api.github.com")
560
.endTo()
561
.endEgress()
562
// Deny all other external traffic
563
.addNewEgress()
564
.withType("Deny")
565
.withNewTo()
566
.withCidrSelector("0.0.0.0/0")
567
.endTo()
568
.endEgress()
569
.endSpec()
570
.build();
571
572
client.egressNetworkPolicies()
573
.inNamespace(namespace)
574
.createOrReplace(internalPolicy);
575
}
576
}
577
```
578
579
## Types
580
581
### Route
582
583
```java { .api }
584
public class Route implements HasMetadata {
585
public ObjectMeta getMetadata();
586
public RouteSpec getSpec();
587
public RouteStatus getStatus();
588
}
589
590
public class RouteSpec {
591
public String getHost();
592
public String getSubdomain();
593
public RouteTargetReference getTo();
594
public List<RouteTargetReference> getAlternateBackends();
595
public RoutePort getPort();
596
public TLSConfig getTls();
597
public String getWildcardPolicy(); // None, Subdomain
598
}
599
600
public class RouteStatus {
601
public List<RouteIngress> getIngress();
602
}
603
604
public class RouteIngress {
605
public String getHost();
606
public String getRouterName();
607
public List<RouteIngressCondition> getConditions();
608
public String getWildcardPolicy();
609
public String getRouterCanonicalHostname();
610
}
611
612
public class TLSConfig {
613
public String getTermination(); // edge, passthrough, reencrypt
614
public String getCertificate();
615
public String getKey();
616
public String getCaCertificate();
617
public String getDestinationCACertificate();
618
public String getInsecureEdgeTerminationPolicy(); // Allow, Disable, Redirect
619
}
620
```
621
622
### NetNamespace
623
624
```java { .api }
625
public class NetNamespace implements HasMetadata {
626
public ObjectMeta getMetadata();
627
public Integer getNetid();
628
public List<String> getEgressIPs();
629
}
630
```
631
632
### ClusterNetwork
633
634
```java { .api }
635
public class ClusterNetwork implements HasMetadata {
636
public ObjectMeta getMetadata();
637
public String getNetwork();
638
public Integer getHostsubnetlength();
639
public List<ClusterNetworkEntry> getServiceNetworks();
640
public String getPluginName();
641
}
642
```
643
644
### EgressNetworkPolicy
645
646
```java { .api }
647
public class EgressNetworkPolicy implements HasMetadata {
648
public ObjectMeta getMetadata();
649
public EgressNetworkPolicySpec getSpec();
650
}
651
652
public class EgressNetworkPolicySpec {
653
public List<EgressNetworkPolicyRule> getEgress();
654
}
655
656
public class EgressNetworkPolicyRule {
657
public String getType(); // Allow, Deny
658
public EgressNetworkPolicyPeer getTo();
659
}
660
661
public class EgressNetworkPolicyPeer {
662
public String getCidrSelector();
663
public String getDnsName();
664
}
665
```
666
667
### NetworkAttachmentDefinition
668
669
```java { .api }
670
public class NetworkAttachmentDefinition implements HasMetadata {
671
public ObjectMeta getMetadata();
672
public NetworkAttachmentDefinitionSpec getSpec();
673
}
674
675
public class NetworkAttachmentDefinitionSpec {
676
public String getConfig(); // CNI configuration JSON
677
}
678
```