Egress Passthrough to Unknown Destinations
This guide demonstrates a client within the service mesh accessing destinations external to the mesh using FSM’s Egress capability to passthrough traffic to unknown destinations without an Egress policy.
Prerequisites
- Kubernetes cluster version v1.19.0 or higher.
- Interact with the API server using
kubectl. - FSM CLI installed.
- FSM Ingress Controller installed followed by installation document
HTTP(S) mesh-wide Egress passthrough demo
Enable global egress passthrough if not enabled:
export FSM_NAMESPACE=fsm-system # Replace fsm-system with the namespace where FSM is installed kubectl patch meshconfig fsm-mesh-config -n "$FSM_NAMESPACE" -p '{"spec":{"traffic":{"enableEgress":true}}}' --type=mergeDeploy the
curlclient into thecurlnamespace after enrolling its namespace to the mesh.# Create the curl namespace kubectl create namespace curl # Add the namespace to the mesh fsm namespace add curl # Deploy curl client in the curl namespace kubectl apply -f https://raw.githubusercontent.com/flomesh-io/fsm-docs/main/manifests/samples/curl/curl.yaml -n curlConfirm the
curlclient pod is up and running.kubectl get pods -n curl NAME READY STATUS RESTARTS AGE curl-54ccc6954c-9rlvp 2/2 Running 0 20sConfirm the
curlclient is able to make successful HTTPS requests to thehttpbin.orgwebsite on port443.kubectl exec -n curl -ti "$(kubectl get pod -n curl -l app=curl -o jsonpath='{.items[0].metadata.name}')" -c curl -- curl -I https://httpbin.org:443 HTTP/2 200 date: Tue, 16 Mar 2021 22:19:00 GMT content-type: text/html; charset=utf-8 content-length: 9593 server: gunicorn/19.9.0 access-control-allow-origin: * access-control-allow-credentials: trueA
200 OKresponse indicates the HTTPS request from thecurlclient to thehttpbin.orgwebsite was successful.Confirm the HTTPS requests fail when mesh-wide egress is disabled.
kubectl patch meshconfig fsm-mesh-config -n "$FSM_NAMESPACE" -p '{"spec":{"traffic":{"enableEgress":false}}}' --type=mergeLet’s trigger the request again, and you will find it failed this time.
kubectl exec -n curl -ti "$(kubectl get pod -n curl -l app=curl -o jsonpath='{.items[0].metadata.name}')" -c curl -- curl -I https://httpbin.org:443 curl: (7) Failed to connect to httpbin.org port 443 after 114 ms: Couldn't connect to server
command terminated with exit code 7 ```
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.