EgressNetwork

Linkerd’s egress functionality allows you to monitor and control traffic that leaves the cluster. This behavior is controlled by creating EgressNetwork resources, which describe the properties of traffic that leaves a cluster and provide a way to apply policies to it, using Gateway API primitives.

EgressNetwork - 图1

Warning

No service mesh can provide a strong security guarantee about egress traffic by itself; for example, a malicious actor could bypass the Linkerd sidecar - and thus Linkerd’s egress controls - entirely. Fully restricting egress traffic in the presence of arbitrary applications thus typically requires a more comprehensive approach.

EgressNetwork semantics

An EgressNetwork is essentially a description for a set of traffic destinations that reside outside the cluster. In that sense, it is comparable to a Service, with the main difference being that a Service encompasses a single logical destination while an EgressNetwork can encompass a set of destinations. This set can vary in size - from a single IP address to the entire network space that is not within the boundaries of the cluster.

An EgressNetwork resource by default has several namespace semantics that are worth outlining. EgressNetworks are namespaced resources, which means that they affect only clients within the namespace that they reside in. The only exception is EgressNetworks created in the global egress namespace: these EgressNetworks affect clients in all namespaces. The namespace-local resources take priority. By default the global egress namespace is set to linkerd-egress, but can be configured by setting the egress.globalEgressNetworkNamespace Helm value.

EgressNetwork Spec

An EgressNetwork spec may contain the following top level fields:

fieldvalue
networksA set of network specifications that describe the address space that this EgressNetwork captures
trafficPolicythe default traffic policy for this resource.

networks

This field is used to concretely describe the set of outside networks that this network captures. All traffic to these destinations will be considered as flowing to this EgressNetwork and subject to its traffic policy. If an EgressNetwork does not specify any networks, the EgressNetwork captures the entire IP address space except for the in-cluster networks specified by the clusterNetworks value provided when Linkerd was installed.

fieldvalue
cidrA subnet in CIDR notation.
exceptA list of subnets in CIDR notation to exclude.

trafficPolicy

This field is required and must be either Allow or Deny. If trafficPolicy is set to Allow, all traffic through this EgressNetwork will be let through even if there is no explicit Gateway API Route that describes it. If trafficPolicy is set to Deny, traffic through this EgressNetwork that is not explicitly matched by a Route will be refused.

Example

Below is an example of an EgressNetwork resource that will block all external traffic except HTTPS traffic to httpbin.org on port 443. The later is done via an explicit TLSRoute.

  1. apiVersion: policy.linkerd.io/v1alpha1
  2. kind: EgressNetwork
  3. metadata:
  4.   namespace: linkerd-egress
  5.   name: all-egress-traffic
  6. spec:
  7.   trafficPolicy: Deny
  8. ---
  9. apiVersion: gateway.networking.k8s.io/v1alpha2
  10. kind: TLSRoute
  11. metadata:
  12.   name: tls-egress
  13.   namespace: linkerd-egress
  14. spec:
  15.   hostnames:
  16.   - httpbin.org
  17.   parentRefs:
  18.   - name: all-egress-traffic
  19.     kind: EgressNetwork
  20.     group: policy.linkerd.io
  21.     namespace: linkerd-egress
  22.     port: 443
  23.   rules:
  24.   - backendRefs:
  25.     - kind: EgressNetwork
  26.       group: policy.linkerd.io
  27.       name: all-egress-traffic