Egress Gateway Passthrough to Unknown Destinations

Accessing external services via Egress Gateway without Egress policies

This guide demonstrates a client within the service mesh accessing destinations external to the mesh via egress gateway using FSM’s Egress capability to passthrough traffic to unknown destinations without an Egress policy.

Prerequisites

Kubernetes cluster version v1.19.0 or higher.
Interact with the API server using kubectl.
FSM CLI installed.
FSM Ingress Controller installed followed by installation document

Egress Gateway passthrough demo

Deploy egress gateway via fsm.
```
fsm install --set=fsm.egressGateway.enabled=true
```
Or, enable egress gateway with FSM CLI.
```
fsm egressgateway enable
```
There are more options supported by fsm egressgateway enable.

Enable global egress passthrough if not enabled:

export FSM_NAMESPACE=fsm-system # Replace fsm-system with the namespace where FSM is installed
kubectl patch meshconfig fsm-mesh-config -n "$FSM_NAMESPACE" -p '{"spec":{"traffic":{"enableEgress":true}}}' --type=merge

Deploy the curl client into the curl namespace after enrolling its namespace to the mesh.

# Create the curl namespace
kubectl create namespace curl

# Add the namespace to the mesh
fsm namespace add curl

# Deploy curl client in the curl namespace
kubectl apply -n curl -f https://raw.githubusercontent.com/flomesh-io/fsm-docs/release/v1.2/manifests/samples/curl/curl.yaml

Confirm the curl client pod is up and running.

kubectl get pods -n curl 
NAME                    READY   STATUS    RESTARTS   AGE
curl-7bb5845476-8s9kv   2/2     Running   0          29s

Confirm the curl client is able to make successful HTTP requests to the httpbin.org website on port 80.

kubectl exec "$(kubectl get pod -n curl -l app=curl -o jsonpath='{.items..metadata.name}')" -n curl -c curl -- curl -sI http://httpbin.org:80/get
HTTP/1.1 200 OK
Date: Fri, 27 Jan 2023 22:27:53 GMT
Content-Type: application/json
Content-Length: 258
Connection: keep-alive
Server: gunicorn/19.9.0
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true

A 200 OK response indicates the HTTP request from the curl client to the httpbin.org website was successful.

Confirm the HTTP requests fail when mesh-wide egress is disabled.

kubectl patch meshconfig fsm-mesh-config -n "$FSM_NAMESPACE" -p '{"spec":{"traffic":{"enableEgress":false}}}'  --type=merge

kubectl exec "$(kubectl get pod -n curl -l app=curl -o jsonpath='{.items..metadata.name}')" -n curl -c curl -- curl -sI http://httpbin.org:80/get
command terminated with exit code 7

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.

Last modified June 18, 2024: fix workflow issue (c83135d)