Restricting traffic to egress on different namespaces and public facing ip addresses

Hi all,

I am trying to solve a problem for restricting the egress traffic on various namespaces and public facing ip addresses. For example i have 3 namespaces A, B and C. For namespace A and B, i want to restrict any egress traffic between them only, and don’t want them to have access to external world(Any public facing websites shouldn’t be reachable). And for namespace C, i want to restrict the egress traffic to external world only(I have pods running in this namespace which will make calls to public urls), any access within the cluster should be denied(Which mean no access to any other namespace such as A, B, kube-public, default, etc). I am able to restrict the egress on Namespace A and B, buy using meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY and then in sidecar configuration on Namespace A and B:

spec:
egress:
hosts:

But now problem is, how do i enable the outbound traffic to external world(all public ip only, no private/cluster) in namespace C ? Below are the solutions i thought could be used, but i don’t find any good solution and also wanted to get the recommendation from the experts

  • Use ServiceEntry : This is good if you know the host list upfront, which is not possible. As we should be able to reach any external url(http or https)
  • **global.proxy.includeIPRanges** : I didn't find any good example. Is it the right approach ?
    
  • **Any other** ? I am using flannel as CNI, and there are issues with Calico so can't use that.
    

Thanks in advance.

Just to provide an update on this thread, this might help for users in future. I was able to achieve what i needed. Below are the samples

  • Disable default behavior of allowing the traffic from ANY to REGISTRY_ONLY by setting meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY

  • Next, set the sidecar to allow the traffic between namespaces, below is the sample

apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: default
  namespace: namespaceA
spec:
  egress:
  - hosts:
    - "namespaceB/*"
    - "istio-system/*"

*Now setup the ServiceEntry to allow the external serivce(public facing). For me it took some time to find few things as how do apply this to only namespaceC(By default, this policy will be visible and applied to all the namespaces. So used “exportTo” property. Next catch was, like in my case i don’t know the list of external IP’s/host upfront. I am using the regular pattern on domains such as *.com, *.edu and so on. Below is the sample.

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: https
spec:
  hosts:
  - "*.com"
  - "*.org"
  exportTo:
    - "namespaceC"
  ports:
  - number: 443
    name: https
    protocol: HTTPS

There might be another way of achieving this, please let me know if anyone has any suggestion or recommendation.

Thanks in advance.