This guide demonstrates a client within the service mesh accessing destinations external to the mesh using OSM’s Egress capability to passthrough traffic to unknown destinations without an Egress policy.

Prerequisites

  • Kubernetes cluster running Kubernetes v1.20.0 or greater.
  • Have OSM installed.
  • Have kubectl available to interact with the API server.
  • Have osm CLI available for managing the service mesh.

HTTP(S) mesh-wide Egress passthrough demo

  1. Enable global egress passthrough if not enabled:

    1. export osm_namespace=osm-system # Replace osm-system with the namespace where OSM is installed
    2. kubectl patch meshconfig osm-mesh-config -n "$osm_namespace" -p '{"spec":{"traffic":{"enableEgress":true}}}'  --type=merge

  2. Deploy the curl client into the curl namespace after enrolling its namespace to the mesh.

    1. # Create the curl namespace
    2. kubectl create namespace curl
    4. # Add the namespace to the mesh
    5. osm namespace add curl
    7. # Deploy curl client in the curl namespace
    8. kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/release-v1.1/manifests/samples/curl/curl.yaml -n curl

    Confirm the curl client pod is up and running.

    1. $ kubectl get pods -n curl
    2. NAME                    READY   STATUS    RESTARTS   AGE
    3. curl-54ccc6954c-9rlvp   2/2     Running   0          20s

  3. Confirm the curl client is able to make successful HTTPS requests to the httpbin.org website on port 443.

    1. $ kubectl exec -n curl -ti "$(kubectl get pod -n curl -l app=curl -o jsonpath='{.items[0].metadata.name}')" -c curl -- curl -I https://httpbin.org:443
    2. HTTP/2 200
    3. date: Tue, 16 Mar 2021 22:19:00 GMT
    4. content-type: text/html; charset=utf-8
    5. content-length: 9593
    6. server: gunicorn/19.9.0
    7. access-control-allow-origin: *
    8. access-control-allow-credentials: true

    A 200 OK response indicates the HTTPS request from the curl client to the httpbin.org website was successful.

  4. Confirm the HTTPS requests fail when mesh-wide egress is disabled.

    1. kubectl patch meshconfig osm-mesh-config -n "$osm_namespace" -p '{"spec":{"traffic":{"enableEgress":false}}}'  --type=merge
    1. $ kubectl exec -n curl -ti "$(kubectl get pod -n curl -l app=curl -o jsonpath='{.items[0].metadata.name}')" -c curl -- curl -I https://httpbin.org:443
    2.   curl: (7) Failed to connect to httpbin.org port 443 after 3 ms: Connection refused
    3.   command terminated with exit code 7