Egress Gateway Policy
This guide demonstrates a client within the service mesh accessing destinations external to the mesh via egress gateway using FSM’s Egress policy API.
Prerequisites
- Kubernetes cluster version v1.19.0 or higher.
- Interact with the API server using
kubectl
. - FSM CLI installed.
- FSM Ingress Controller installed followed by installation document
Egress Gateway passthrough demo
Deploy egress gateway during FSM installation.
fsm install --set=fsm.egressGateway.enabled=true
Or, enable egress gateway with FSM CLI.
fsm egressgateway enable
There are more options supported by
fsm egressgateway enable
.Disable global egress passthrough to enable egress policy if not disabled:
export FSM_NAMESPACE=fsm-system # Replace fsm-system with the namespace where FSM is installed kubectl patch meshconfig fsm-mesh-config -n "$FSM_NAMESPACE" -p '{"spec":{"traffic":{"enableEgress":false}}}' --type=merge
Deploy the
curl
client into thecurl
namespace after enrolling its namespace to the mesh.# Create the curl namespace kubectl create namespace curl # Add the namespace to the mesh fsm namespace add curl # Deploy curl client in the curl namespace kubectl apply -n curl -f https://raw.githubusercontent.com/flomesh-io/fsm-docs/main/manifests/samples/curl/curl.yaml
Confirm the
curl
client pod is up and running.kubectl get pods -n curl NAME READY STATUS RESTARTS AGE curl-7bb5845476-8s9kv 2/2 Running 0 29s
Confirm the
curl
client is unable make the HTTP requesthttp://httpbin.org:80/get
to thehttpbin.org
website on port80
.kubectl exec $(kubectl get pod -n curl -l app=curl -o jsonpath='{.items..metadata.name}') -n curl -c curl -- curl -sI http://httpbin.org:80/get command terminated with exit code 7
Apply an Egress policy to allow the
curl
client’s ServiceAccount to access thehttpbin.org
website on port80
serving thehttp
protocol.kubectl apply -f - <<EOF kind: Egress apiVersion: policy.flomesh.io/v1alpha1 metadata: name: httpbin-80 namespace: curl spec: sources: - kind: ServiceAccount name: curl namespace: curl hosts: - httpbin.org ports: - number: 80 protocol: http EOF
Confirm the
curl
client is able to make successful HTTP requests tohttp://httpbin.org:80/get
.kubectl exec $(kubectl get pod -n curl -l app=curl -o jsonpath='{.items..metadata.name}') -n curl -c curl -- curl -sI http://httpbin.org:80/get HTTP/1.1 200 OK date: Fri, 27 Jan 2023 22:31:46 GMT content-type: application/json content-length: 314 server: gunicorn/19.9.0 access-control-allow-origin: * access-control-allow-credentials: true connection: keep-alive
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.