Egress Gateway Policy

Accessing external services via Egress Gateway using Egress policies

This guide demonstrates a client within the service mesh accessing destinations external to the mesh via egress gateway using FSM’s Egress policy API.

Prerequisites

  • Kubernetes cluster version v1.19.0 or higher.
  • Interact with the API server using kubectl.
  • FSM CLI installed.
  • FSM installed by following the installation document (the egress gateway is enabled as part of the FSM install, see step 1 below).

Egress Gateway passthrough demo

  1. Deploy egress gateway during FSM installation.

    fsm install --set=fsm.egressGateway.enabled=true

    Or, enable egress gateway with FSM CLI.

    fsm egressgateway enable

    fsm egressgateway enable supports further options (run fsm egressgateway enable --help to list them).

  2. Disable global egress passthrough, if it is not already disabled. While spec.traffic.enableEgress is true, the sidecar passes any outbound traffic through unconditionally and Egress policies are not enforced; setting it to false makes egress deny-by-default, so only traffic matched by an Egress policy leaves the mesh:

    export FSM_NAMESPACE=fsm-system # Replace fsm-system with the namespace where FSM is installed
    kubectl patch meshconfig fsm-mesh-config -n "$FSM_NAMESPACE" -p '{"spec":{"traffic":{"enableEgress":false}}}'  --type=merge

  3. Deploy the curl client into the curl namespace after enrolling its namespace to the mesh.

    # Create the curl namespace
    kubectl create namespace curl
    # Add the namespace to the mesh
    fsm namespace add curl
    # Deploy curl client in the curl namespace
    kubectl apply -n curl -f

    Confirm the curl client pod is up and running.

    kubectl get pods -n curl 
    NAME                    READY   STATUS    RESTARTS   AGE
    curl-7bb5845476-8s9kv   2/2     Running   0          29s
  4. Confirm the curl client is unable to make an HTTP request to the website on port 80.

    kubectl exec $(kubectl get pod -n curl -l app=curl -o jsonpath='{.items[0].metadata.name}') -n curl -c curl -- curl -sI
    command terminated with exit code 7

    curl exit code 7 means it failed to connect: with passthrough disabled and no Egress policy in place, the sidecar refuses the outbound connection.
  5. Apply an Egress policy that allows only the curl client's ServiceAccount to reach the website on port 80 over HTTP. The policy's hosts list, which names the website, is not reproduced on this page; its sources and ports are shown below.

    kubectl apply -f - <<EOF
    kind: Egress
    apiVersion: policy.flomesh.io/v1alpha1
    metadata:
      name: httpbin-80
      namespace: curl
    spec:
      sources:
      - kind: ServiceAccount
        name: curl
        namespace: curl
      ports:
      - number: 80
        protocol: http
    EOF

  6. Confirm the curl client is able to make successful HTTP requests to

    kubectl exec $(kubectl get pod -n curl -l app=curl -o jsonpath='{.items[0].metadata.name}') -n curl -c curl -- curl -sI
    HTTP/1.1 200 OK
    date: Fri, 27 Jan 2023 22:31:46 GMT
    content-type: application/json
    content-length: 314
    server: gunicorn/19.9.0
    access-control-allow-origin: *
    access-control-allow-credentials: true
    connection: keep-alive
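The following script ties the steps above together; it is an added example and not part of the FSM project. It renders a least-privilege Egress policy for one ServiceAccount, checks that the MeshConfig really is deny-by-default before the policy is trusted, and turns the exit code of the in-pod curl probe into a verdict. Assumptions not stated on this page: the Egress API group and version is policy.flomesh.io/v1alpha1, the curl pod carries the label app=curl, and example.com is a constructed destination used only for illustration.

```shell
#!/usr/bin/env bash
# Added example (not FSM's own tooling): render an FSM Egress policy, verify the
# deny-by-default posture, and interpret the verification probe.
# Assumptions: API version policy.flomesh.io/v1alpha1; curl pod label app=curl.
set -eu

# Print an Egress manifest. Sources are pinned to a single ServiceAccount and the
# destination to an explicit host list plus one port/protocol, so the policy
# grants exactly one path out of the mesh rather than broad passthrough.
# Usage: render_egress NAME NAMESPACE SERVICEACCOUNT PORT PROTOCOL HOST...
render_egress() {
  local name="$1" ns="$2" sa="$3" port="$4" proto="$5"
  shift 5
  printf 'apiVersion: policy.flomesh.io/v1alpha1\nkind: Egress\nmetadata:\n  name: %s\n  namespace: %s\nspec:\n  sources:\n  - kind: ServiceAccount\n    name: %s\n    namespace: %s\n  hosts:\n' \
    "$name" "$ns" "$sa" "$ns"
  local h
  for h in "$@"; do printf '  - %s\n' "$h"; done
  printf '  ports:\n  - number: %s\n    protocol: %s\n' "$port" "$proto"
}

# Return 0 only when egress is deny-by-default, i.e. the value read from
# spec.traffic.enableEgress in the MeshConfig is exactly "false". Any other
# value, including an empty read, is treated as unsafe (policies not enforced).
egress_is_deny_by_default() {
  [ "${1:-}" = "false" ]
}

# Translate curl's exit code from the in-pod probe into a verdict.
curl_verdict() {
  case "$1" in
    0)  echo "allowed: the sidecar forwarded the request" ;;
    7)  echo "blocked: connection refused by the sidecar, no matching Egress policy" ;;
    6)  echo "blocked: hostname could not be resolved" ;;
    28) echo "timeout: the request was neither answered nor refused" ;;
    *)  echo "unexpected curl exit code $1" ;;
  esac
}

# Live check against a cluster. Reads the MeshConfig flag first: a passing probe
# with enableEgress=true would prove nothing about the policy, so that case fails.
check_cluster() {
  local ns="${FSM_NAMESPACE:-fsm-system}" host="$1"
  local flag pod rc
  flag=$(kubectl get meshconfig fsm-mesh-config -n "$ns" -o jsonpath='{.spec.traffic.enableEgress}')
  egress_is_deny_by_default "$flag" || { echo "enableEgress=$flag: Egress policies are not enforced"; return 1; }
  pod=$(kubectl get pod -n curl -l app=curl -o jsonpath='{.items[0].metadata.name}')
  rc=0
  kubectl exec "$pod" -n curl -c curl -- curl -sI --max-time 5 "http://$host" >/dev/null || rc=$?
  curl_verdict "$rc"
  [ "$rc" -eq 0 ]
}

# Only touch a cluster when explicitly asked: RUN_AGAINST_CLUSTER=1 ./script HOST
if [ "${RUN_AGAINST_CLUSTER:-0}" = 1 ]; then
  render_egress httpbin-80 curl curl 80 http "$1" | kubectl apply -f -
  check_cluster "$1"
fi
```

Run it as `RUN_AGAINST_CLUSTER=1 ./egress-check.sh example.com` against a cluster prepared by steps 1 to 3; without that variable the script only defines the functions, which is what makes the manifest rendering and the verdict mapping testable offline.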
