Restricting traffic to egress on different namespaces and public facing ip addresses

Lukes · December 16, 2022, 5:11pm

Hi all,

I am trying to solve a problem for restricting the egress traffic on various namespaces and public facing ip addresses. For example i have 3 namespaces A, B and C. For namespace A and B, i want to restrict any egress traffic between them only, and don’t want them to have access to external world(Any public facing websites shouldn’t be reachable). And for namespace C, i want to restrict the egress traffic to external world only(I have pods running in this namespace which will make calls to public urls), any access within the cluster should be denied(Which mean no access to any other namespace such as A, B, kube-public, default, etc). I am able to restrict the egress on Namespace A and B, buy using meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY and then in sidecar configuration on Namespace A and B:

spec:
egress:
hosts:

But now problem is, how do i enable the outbound traffic to external world(all public ip only, no private/cluster) in namespace C ? Below are the solutions i thought could be used, but i don’t find any good solution and also wanted to get the recommendation from the experts

Use ServiceEntry : This is good if you know the host list upfront, which is not possible. As we should be able to reach any external url(http or https)

**global.proxy.includeIPRanges** : I didn't find any good example. Is it the right approach ?

**Any other** ? I am using flannel as CNI, and there are issues with Calico so can't use that.

Thanks in advance.

Just to provide an update on this thread, this might help for users in future. I was able to achieve what i needed. Below are the samples

Disable default behavior of allowing the traffic from ANY to REGISTRY_ONLY by setting meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY
Next, set the sidecar to allow the traffic between namespaces, below is the sample

apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: default
  namespace: namespaceA
spec:
  egress:
  - hosts:
    - "namespaceB/*"
    - "istio-system/*"

*Now setup the ServiceEntry to allow the external serivce(public facing). For me it took some time to find few things as how do apply this to only namespaceC(By default, this policy will be visible and applied to all the namespaces. So used “exportTo” property. Next catch was, like in my case i don’t know the list of external IP’s/host upfront. I am using the regular pattern on domains such as *.com, *.edu and so on. Below is the sample.

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: https
spec:
  hosts:
  - "*.com"
  - "*.org"
  exportTo:
    - "namespaceC"
  ports:
  - number: 443
    name: https
    protocol: HTTPS

There might be another way of achieving this, please let me know if anyone has any suggestion or recommendation.

Thanks in advance.

Topic		Replies	Views
Sidecar CRD behaviour on adding outboundTrafficPolicy as ALLOW_ANY Networking	2	402	January 12, 2021
Does setting up sidecar egress rule affect transparent proxying of external traffic	1	438	December 11, 2019
Sidecar resource and VirtualService:exportTo relation Networking	1	454	May 29, 2019
External Traffic: meshConfig.outboundTrafficPolicy.mode necessary? Networking	1	249	February 9, 2023
REGISTRY_ONLY policy blocks access to the kube api-server Networking security	0	439	May 30, 2022

Restricting traffic to egress on different namespaces and public facing ip addresses

Related Topics