Egress Policy
This guide demonstrates a client within the service mesh accessing destinations external to the mesh using FSM’s Egress policy API.
Prerequisites
- Kubernetes cluster version v1.19.0 or higher.
- Interact with the API server using
kubectl. - FSM CLI installed.
- FSM Ingress Controller installed followed by installation document
Demo
Enable egress policy if not enabled, at the same time we should confirm egress passthrough is disabled:
# Replace fsm-system with the namespace where FSM is installed kubectl patch meshconfig fsm-mesh-config -n fsm-system -p '{"spec":{"featureFlags":{"enableEgressPolicy":true},"traffic":{"enableEgress":false}}}' --type=mergeDeploy the
curlclient into thecurlnamespace after enrolling its namespace to the mesh.# Create the curl namespace kubectl create namespace curl # Add the namespace to the mesh fsm namespace add curl # Deploy curl client in the curl namespace kubectl apply -f https://raw.githubusercontent.com/flomesh-io/fsm-docs/release/v1.2/manifests/samples/curl/curl.yaml -n curlConfirm the
curlclient pod is up and running.kubectl get pods -n curl NAME READY STATUS RESTARTS AGE curl-54ccc6954c-9rlvp 2/2 Running 0 20s
HTTP Egress
Confirm the
curlclient is unable make the HTTP requesthttp://httpbin.org:80/getto thehttpbin.orgwebsite on port80.kubectl exec $(kubectl get pod -n curl -l app=curl -o jsonpath='{.items..metadata.name}') -n curl -c curl -- curl -sI http://httpbin.org:80/get command terminated with exit code 7Apply an Egress policy to allow the
curlclient’s ServiceAccount to access thehttpbin.orgwebsite on port80serving thehttpprotocol.kubectl apply -f - <<EOF kind: Egress apiVersion: policy.flomesh.io/v1alpha1 metadata: name: httpbin-80 namespace: curl spec: sources: - kind: ServiceAccount name: curl namespace: curl hosts: - httpbin.org ports: - number: 80 protocol: http EOFConfirm the
curlclient is able to make successful HTTP requests tohttp://httpbin.org:80/get.kubectl exec $(kubectl get pod -n curl -l app=curl -o jsonpath='{.items..metadata.name}') -n curl -c curl -- curl -sI http://httpbin.org:80/get HTTP/1.1 200 OK date: Mon, 04 Jul 2022 07:48:24 GMT content-type: application/json content-length: 313 server: gunicorn/19.9.0 access-control-allow-origin: * access-control-allow-credentials: true connection: keep-aliveConfirm the
curlclient can no longer make successful HTTP requests tohttp://httpbin.org:80/getwhen the above policy is removed.kubectl delete egress httpbin-80 -n curlkubectl exec $(kubectl get pod -n curl -l app=curl -o jsonpath='{.items..metadata.name}') -n curl -c curl -- curl -sI http://httpbin.org:80/get command terminated with exit code 7
HTTPS Egress
Since HTTPS traffic is encrypted with TLS, FSM routes HTTPS based traffic by proxying it to its original destination as a TCP stream. The Server Name Indication (SNI) indicated by the HTTPS client application in the TLS handshake is matched against hosts specified in the Egress policy.
Confirm the
curlclient is unable make the HTTPS requesthttps://httpbin.org:443/getto thehttpbin.orgwebsite on port443.kubectl exec $(kubectl get pod -n curl -l app=curl -o jsonpath='{.items..metadata.name}') -n curl -c curl -- curl -sI https://httpbin.org:443/get command terminated with exit code 7Apply an Egress policy to allow the
curlclient’s ServiceAccount to access thehttpbin.orgwebsite on port443serving thehttpsprotocol.kubectl apply -f - <<EOF kind: Egress apiVersion: policy.flomesh.io/v1alpha1 metadata: name: httpbin-443 namespace: curl spec: sources: - kind: ServiceAccount name: curl namespace: curl hosts: - httpbin.org ports: - number: 443 protocol: https EOFConfirm the
curlclient is able to make successful HTTPS requests tohttps://httpbin.org:443/get.kubectl exec $(kubectl get pod -n curl -l app=curl -o jsonpath='{.items..metadata.name}') -n curl -c curl -- curl -sI https://httpbin.org:443/get HTTP/2 200 date: Thu, 13 May 2021 22:09:36 GMT content-type: application/json content-length: 260 server: gunicorn/19.9.0 access-control-allow-origin: * access-control-allow-credentials: trueConfirm the
curlclient can no longer make successful HTTPS requests tohttps://httpbin.org:443/getwhen the above policy is removed.kubectl delete egress httpbin-443 -n curlkubectl exec $(kubectl get pod -n curl -l app=curl -o jsonpath='{.items..metadata.name}') -n curl -c curl -- curl -sI https://httpbin.org:443/get command terminated with exit code 7
TCP Egress
TCP based Egress traffic is matched against the destination port and IP address ranges specified in an egress policy. If an IP address range is not specified, traffic will be matched only based on the destination port.
Confirm the
curlclient is unable make the HTTPS requesthttps://flomesh.io:443to theflomesh.iowebsite on port443. Since HTTPS uses TCP as the underlying transport protocol, TCP based routing should implicitly enable access to any HTTP(s) host on the specified port.kubectl exec $(kubectl get pod -n curl -l app=curl -o jsonpath='{.items..metadata.name}') -n curl -c curl -- curl -sI https://flomesh.io:443 command terminated with exit code 7Apply an Egress policy to allow the
curlclient’s ServiceAccount to access the any destination on port443serving thetcpprotocol.kubectl apply -f - <<EOF kind: Egress apiVersion: policy.flomesh.io/v1alpha1 metadata: name: tcp-443 namespace: curl spec: sources: - kind: ServiceAccount name: curl namespace: curl ports: - number: 443 protocol: tcp EOFNote: For
server-firstprotocols such asMySQL,PostgreSQL, etc., where the server initiates the first bytes of data between the client and server, the protocol must be set totcp-server-firstto indicate to FSM to not perform protocol detection on the port. Protocol detection relies on inspecting the initial bytes of a connection, which is incompatible withserver-firstprotocols. When the port’s protocol is set totcp-server-first, protocol detection is skipped for that port number. It is also important to note thatserver-firstport numbers must not be used for other application ports that require protocol detection to performed, which means the port numbers used forserver-firstprotocols must not be used with other protocols such asHTTPandTCPthat require protocol detection to be performed.Confirm the
curlclient is able to make successful HTTPS requests tohttps://flomesh.io:443.kubectl exec $(kubectl get pod -n curl -l app=curl -o jsonpath='{.items..metadata.name}') -n curl -c curl -- curl -sI https://flomesh.io:443 HTTP/2 200 content-type: text/htmlConfirm the
curlclient can no longer make successful HTTPS requests tohttps://flomesh.io:443when the above policy is removed.kubectl delete egress tcp-443 -n curlkubectl exec $(kubectl get pod -n curl -l app=curl -o jsonpath='{.items..metadata.name}') -n curl -c curl -- curl -sI https://flomesh.io:443 command terminated with exit code 7
HTTP Egress with SMI route matches
HTTP Egress policies can specify SMI HTTPRouteGroup matches for fine grained traffic control based on HTTP methods, headers and paths.
Confirm the
curlclient is unable make HTTP requests tohttp://httpbin.org:80/getandhttp://httpbin.org:80/status/200to thehttpbin.orgwebsite on port80.kubectl exec $(kubectl get pod -n curl -l app=curl -o jsonpath='{.items..metadata.name}') -n curl -c curl -- curl -sI http://httpbin.org:80/get command terminated with exit code 7 kubectl exec $(kubectl get pod -n curl -l app=curl -o jsonpath='{.items..metadata.name}') -n curl -c curl -- curl -sI http://httpbin.org:80/status/200 command terminated with exit code 7Apply an SMI HTTPRouteGroup resource to allow access to the HTTP path
/getand an Egress policy to access thehttpbin.orgon website port80that matches on the SMI HTTPRouteGroup.kubectl apply -f - <<EOF apiVersion: specs.smi-spec.io/v1alpha4 kind: HTTPRouteGroup metadata: name: egress-http-route namespace: curl spec: matches: - name: get pathRegex: /get --- kind: Egress apiVersion: policy.flomesh.io/v1alpha1 metadata: name: httpbin-80 namespace: curl spec: sources: - kind: ServiceAccount name: curl namespace: curl hosts: - httpbin.org ports: - number: 80 protocol: http matches: - apiGroup: specs.smi-spec.io/v1alpha4 kind: HTTPRouteGroup name: egress-http-route EOFConfirm the
curlclient is able to make successful HTTP requests tohttp://httpbin.org:80/get.kubectl exec $(kubectl get pod -n curl -l app=curl -o jsonpath='{.items..metadata.name}') -n curl -c curl -- curl -sI http://httpbin.org:80/get HTTP/1.1 200 OK date: Thu, 13 May 2021 21:49:35 GMT content-type: application/json content-length: 335 access-control-allow-origin: * access-control-allow-credentials: trueConfirm the
curlclient is unable to make successful HTTP requests tohttp://httpbin.org:80/status/200.kubectl exec $(kubectl get pod -n curl -l app=curl -o jsonpath='{.items..metadata.name}') -n curl -c curl -- curl -sI http://httpbin.org:80/status/200 HTTP/1.1 403 Forbidden content-length: 13 connection: keep-aliveUpdate the matching SMI HTTPRouteGroup resource to allow requests to HTTP paths matching the regex
/status.*.kubectl apply -f - <<EOF apiVersion: specs.smi-spec.io/v1alpha4 kind: HTTPRouteGroup metadata: name: egress-http-route namespace: curl spec: matches: - name: get pathRegex: /get - name: status pathRegex: /status.* EOFConfirm the
curlclient can now make successful HTTP requests tohttp://httpbin.org:80/status/200.kubectl exec $(kubectl get pod -n curl -l app=curl -o jsonpath='{.items..metadata.name}') -n curl -c curl -- curl -sI http://httpbin.org:80/status/200 HTTP/1.1 200 OK date: Fri, 14 May 2021 17:10:48 GMT content-type: text/html; charset=utf-8 content-length: 0 access-control-allow-origin: * access-control-allow-credentials: true
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.