Egress Gateway Policy

Accessing external services via Egress Gateway using Egress policies

This guide demonstrates a client within the service mesh accessing destinations external to the mesh via egress gateway using FSM’s Egress policy API.

Prerequisites

Kubernetes cluster version v1.19.0 or higher.
Interact with the API server using kubectl.
FSM CLI installed.
FSM Ingress Controller installed followed by installation document

Egress Gateway passthrough demo

Deploy egress gateway during FSM installation.
```
fsm install --set=fsm.egressGateway.enabled=true
```
Or, enable egress gateway with FSM CLI.
```
fsm egressgateway enable
```
There are more options supported by fsm egressgateway enable.

Disable global egress passthrough to enable egress policy if not disabled:

export FSM_NAMESPACE=fsm-system # Replace fsm-system with the namespace where FSM is installed
kubectl patch meshconfig fsm-mesh-config -n "$FSM_NAMESPACE" -p '{"spec":{"traffic":{"enableEgress":false}}}'  --type=merge

Deploy the curl client into the curl namespace after enrolling its namespace to the mesh.

# Create the curl namespace
kubectl create namespace curl

# Add the namespace to the mesh
fsm namespace add curl

# Deploy curl client in the curl namespace
kubectl apply -n curl -f https://raw.githubusercontent.com/flomesh-io/fsm-docs/release/v1.2/manifests/samples/curl/curl.yaml

Confirm the curl client pod is up and running.

kubectl get pods -n curl 
NAME                    READY   STATUS    RESTARTS   AGE
curl-7bb5845476-8s9kv   2/2     Running   0          29s

Confirm the curl client is unable make the HTTP request http://httpbin.org:80/get to the httpbin.org website on port 80.

kubectl exec $(kubectl get pod -n curl -l app=curl -o jsonpath='{.items..metadata.name}') -n curl -c curl -- curl -sI http://httpbin.org:80/get
command terminated with exit code 7

Apply an Egress policy to allow the curl client’s ServiceAccount to access the httpbin.org website on port 80 serving the http protocol.

kubectl apply -f - <<EOF
kind: Egress
apiVersion: policy.flomesh.io/v1alpha1
metadata:
  name: httpbin-80
  namespace: curl
spec:
  sources:
  - kind: ServiceAccount
    name: curl
    namespace: curl
  hosts:
  - httpbin.org
  ports:
  - number: 80
    protocol: http
EOF

Confirm the curl client is able to make successful HTTP requests to http://httpbin.org:80/get.

kubectl exec $(kubectl get pod -n curl -l app=curl -o jsonpath='{.items..metadata.name}') -n curl -c curl -- curl -sI http://httpbin.org:80/get
HTTP/1.1 200 OK
date: Fri, 27 Jan 2023 22:31:46 GMT
content-type: application/json
content-length: 314
server: gunicorn/19.9.0
access-control-allow-origin: *
access-control-allow-credentials: true
connection: keep-alive

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.

Last modified June 18, 2024: fix workflow issue (c83135d)