# Egress Gateway

`EgressGateway` configures a workload to act as a gateway for traffic exiting the mesh. The egress gateway is meant to be the destination of unknown traffic within the mesh (traffic sent to non-mesh services). The gateway applies authorization control to the traffic sent to it, so you can tune precisely which services are allowed to send unknown traffic through the gateway. Only HTTP is supported at this time.
The following example declares an egress gateway running on pods in `istio-system` with the label `app=istio-egressgateway`. This gateway is set up to allow traffic from anywhere in the cluster to reach `www.httpbin.org`, while the bookinfo details app specifically may reach any external host. `EgressGateway`s need to be paired with `TrafficSetting`s in order to be usable. You must set the `egress` field in the `TrafficSetting`s to point to the egress gateway and send traffic to port 15443. Once this is set up, mesh-internal apps will send unknown traffic to the egress gateway over mTLS. The gateway will then decide whether to forward the traffic or not, and use one-way TLS for external calls.
```yaml
apiVersion: gateway.tsb.tetrate.io/v2
kind: EgressGateway
metadata:
  name: my-egress
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: istio-egressgateway
  authorization:
  - from:
      mode: WORKSPACE
    to: ["www.httpbin.org"]
  - from:
      mode: CUSTOM
      serviceAccounts: ["default/bookinfo-details"]
    to: ["*"]
```
```yaml
apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  reachability:
    mode: CUSTOM
    hosts:
    - "./*"
    - "istio-system/*"
  egress:
    host: istio-system/istio-egressgateway.istio-system.svc.cluster.local
```
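To make the authorization semantics and the gateway/TrafficSetting pairing concrete, here is an added Python example (not TSB code) that evaluates the `authorization` list for a given caller and external host and lints the pair for the mistakes a reviewer would look for. It assumes that `WORKSPACE` mode admits any workload in the gateway's own workspace, that `CUSTOM` mode admits only the listed `namespace/serviceaccount` callers, and that `to` entries are either an exact host or `*`; the input dicts are constructed to mirror the example above, with the selector namespace set to `istio-system` where the prose says the gateway pods run.

```python
from typing import List

# Constructed input mirroring the page's example (plain dicts, so no YAML parser is needed).
EGRESS_GATEWAY = {
    "metadata": {"name": "my-egress", "workspace": "w1"},
    "spec": {
        "workloadSelector": {"namespace": "istio-system", "labels": {"app": "istio-egressgateway"}},
        "authorization": [
            {"from": {"mode": "WORKSPACE"}, "to": ["www.httpbin.org"]},
            {"from": {"mode": "CUSTOM", "serviceAccounts": ["default/bookinfo-details"]}, "to": ["*"]},
        ],
    },
}
TRAFFIC_SETTING = {
    "metadata": {"name": "defaults", "workspace": "w1"},
    "spec": {"egress": {"host": "istio-system/istio-egressgateway.istio-system.svc.cluster.local"}},
}


def host_matches(patterns: List[str], host: str) -> bool:
    """Only the two forms shown on the page are modelled: an exact host or the '*' wildcard."""
    return any(p == "*" or p.lower() == host.lower() for p in patterns)


def egress_allowed(gateway: dict, caller_sa: str, caller_workspace: str, host: str) -> bool:
    """True if some authorization entry lets caller_sa ('namespace/name') reach host.
    Assumption: WORKSPACE admits callers in the gateway's workspace, CUSTOM only listed SAs."""
    own_ws = gateway["metadata"]["workspace"]
    for rule in gateway["spec"].get("authorization", []):
        src = rule["from"]
        if src["mode"] == "WORKSPACE":
            src_ok = caller_workspace == own_ws
        elif src["mode"] == "CUSTOM":
            src_ok = caller_sa in src.get("serviceAccounts", [])
        else:
            src_ok = False  # other modes are not modelled here; treat as deny
        if src_ok and host_matches(rule.get("to", []), host):
            return True
    return False  # no rule matched: the gateway does not forward the unknown traffic


def pairing_findings(gateway: dict, setting: dict) -> List[str]:
    """Lint the EgressGateway/TrafficSetting pair that the page says must go together."""
    findings = []
    host = (setting["spec"].get("egress") or {}).get("host", "")
    if not host:
        return ["TrafficSetting.spec.egress.host unset: unknown traffic never reaches the gateway"]
    if host.split("/", 1)[0] != gateway["spec"]["workloadSelector"]["namespace"]:
        findings.append("egress host namespace differs from the gateway workloadSelector namespace")
    for rule in gateway["spec"].get("authorization", []):
        if rule["from"]["mode"] == "WORKSPACE" and "*" in rule.get("to", []):
            findings.append("WORKSPACE rule with to: ['*'] lets every workload reach any external host")
    return findings
```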
The following example customizes the `extension` field to enable the execution of the listed Wasm extensions and supplies custom properties (`config`) for the execution of each extension.
```yaml
apiVersion: gateway.tsb.tetrate.io/v2
kind: EgressGateway
metadata:
  name: my-egress
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: istio-egressgateway
  authorization:
  - from:
      mode: WORKSPACE
    to: ["www.httpbin.org"]
  - from:
      mode: CUSTOM
      serviceAccounts: ["default/bookinfo-details"]
    to: ["*"]
  extension:
  - fqn: hello-world # fqn of the extension imported into TSB
    config:
      foo: bar
```
## EgressAuthorization

`EgressAuthorization` is used to dictate which service accounts can access a set of external hosts.

| Field | Description | Validation Rule |
|---|---|---|
| from | tetrateio.api.tsb.security.v2.AuthorizationSettings | – |
| to | List of string | repeated = { |
## EgressGateway

`EgressGateway` configures a workload to act as an egress gateway in the mesh.

| Field | Description | Validation Rule |
|---|---|---|
| workloadSelector | tetrateio.api.tsb.types.v2.WorkloadSelector | message = { |
| authorization | List of tetrateio.api.tsb.gateway.v2.EgressAuthorization | – |
| extension | List of tetrateio.api.tsb.types.v2.WasmExtensionAttachment | – |
| configGenerationMetadata | tetrateio.api.tsb.types.v2.ConfigGenerationMetadata | – |