
I need to restrict pod egress traffic to external destinations. The pod should be able to access any destination on the internet, and all cluster-internal destinations should be denied.

This is what I tried, and it is not passing validation:

# Sidecar: only hosts in the registry (cluster services + ServiceEntries) are reachable
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: test
spec:
  workloadSelector:
    labels:
      k8s-app: mypod
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY
  egress:
    - hosts:
        - 'default/*'
---
# ServiceEntry: intended to add "everything external" to the registry
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: all-external
spec:
  location: MESH_EXTERNAL
  resolution: DNS
  hosts:
    - '*'
  ports:
    - name: http
      protocol: HTTP
      number: 80
    - name: https
      protocol: TLS
      number: 443

Istio 1.11.4

  • What's the namespace of the `ServiceEntry`? – Chris Nov 04 '21 at 14:50
  • I fixed namespace in `sidecar`. My question is: what is the right way to restrict cluster network and allow everything outside? I guess `sidecar` + `serviceentry` is not capable of doing this. – Jonas Nov 05 '21 at 08:17
  • Why not use [Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/)? You can allow all egress and deny all ingress with it. –  Nov 05 '21 at 08:27
  • I am interested in limiting only egress traffic. Pod should be able to connect to any host outside the cluster and not to the cluster services/pods (except istio sidecar<->istiod). – Jonas Nov 05 '21 at 09:00
  • Unless your application explicitly makes requests to other pods, there should be no need to restrict traffic. I'm afraid that completely blocking traffic to a pod may result in pod constantly failing health checks, and going into CrashLoopBackOff state. –  Nov 05 '21 at 13:11

1 Answer

I did it using NetworkPolicy. Allow traffic to Kubernetes and Istio related services (this could be made more restrictive, not just based on the namespace):

# Egress to the system namespaces (DNS in kube-system, istiod in istio-system).
# No `ports:` block, so any protocol/port to those namespaces is allowed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: myapp-eg-system
spec:
  podSelector:
    matchLabels:
      app: myapp
  policyTypes:
    - Egress
  egress:
    - to:
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: kube-system
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: istio-system

Allow anything except cluster network IP space:

# Egress to everything outside the cluster address space, plus the app's own pods.
# NetworkPolicies are additive: this is unioned with myapp-eg-system above.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: myapp-eg-app
spec:
  podSelector:
    matchLabels:
      app: myapp
  policyTypes:
    - Egress
  egress:
    - to:
      # Restrict to external traffic: all IPv4 minus the cluster's own ranges
      # (the `except` list must cover your cluster's pod and service CIDRs)
      - ipBlock:
          cidr: '0.0.0.0/0'
          except:
            - '172.0.0.0/8'
      # and the app's own pods
      - podSelector:
          matchLabels:
            app: myapp
      # TCP only; a `protocol` entry without `port` means any TCP port
      ports:
        - protocol: TCP
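Whether the second policy actually blocks cluster-internal destinations depends entirely on the `except` list covering the cluster's real pod and service CIDRs. The following is an added example, not code from the question or the answer: it models the two policies above as data and evaluates them against constructed destinations. The cluster CIDRs `10.244.0.0/16` (pods) and `10.96.0.0/12` (services) and all destination IPs are assumptions chosen for illustration, and the evaluator is a simplified model of NetworkPolicy egress semantics (policies selecting a pod are additive, an `ipBlock` is its `cidr` minus every `except` range, and a rule without `ports` matches any protocol and port).

```python
"""Evaluate the answer's egress NetworkPolicies against sample destinations.

Added example. Cluster CIDRs, destination IPs and labels are constructed
assumptions; the evaluator is a simplified model of NetworkPolicy semantics.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Destination:
    ip: str
    namespace: Optional[str] = None          # None: outside the cluster
    labels: Dict[str, str] = field(default_factory=dict)
    protocol: str = "TCP"


@dataclass
class IPBlock:
    """`to: - ipBlock:` peer: cidr minus every `except` range."""
    cidr: str
    except_: List[str] = field(default_factory=list)

    def matches(self, dst: Destination) -> bool:
        ip = ipaddress.ip_address(dst.ip)
        if ip not in ipaddress.ip_network(self.cidr):
            return False
        return not any(ip in ipaddress.ip_network(e) for e in self.except_)


@dataclass
class NamespacePeer:
    """`to: - namespaceSelector:` keyed on kubernetes.io/metadata.name."""
    name: str

    def matches(self, dst: Destination) -> bool:
        return dst.namespace == self.name


@dataclass
class PodPeer:
    """`to: - podSelector:` in the policy's own namespace (assumed "default")."""
    labels: Dict[str, str]

    def matches(self, dst: Destination) -> bool:
        return dst.namespace == "default" and all(
            dst.labels.get(k) == v for k, v in self.labels.items())


@dataclass
class EgressRule:
    peers: list                               # any matching peer suffices
    protocols: Optional[List[str]] = None     # None: no `ports:` -> anything

    def allows(self, dst: Destination) -> bool:
        if self.protocols is not None and dst.protocol not in self.protocols:
            return False
        return any(p.matches(dst) for p in self.peers)


def egress_allowed(dst: Destination, policies: List[List[EgressRule]]) -> bool:
    """Policies selecting the pod are additive: allowed if any rule allows."""
    return any(rule.allows(dst) for policy in policies for rule in policy)


# myapp-eg-system as posted: system namespaces, any protocol/port.
SYSTEM_POLICY = [EgressRule([NamespacePeer("kube-system"),
                             NamespacePeer("istio-system")])]


def app_policy(except_cidrs: List[str]) -> List[EgressRule]:
    """myapp-eg-app: all IPv4 minus except_cidrs, or own pods; TCP only."""
    return [EgressRule([IPBlock("0.0.0.0/0", except_cidrs),
                        PodPeer({"app": "myapp"})], protocols=["TCP"])]


ANSWER_EXCEPT = ["172.0.0.0/8"]                      # value as posted
CLUSTER_EXCEPT = ["10.244.0.0/16", "10.96.0.0/12"]   # assumed pod + service CIDRs

# Constructed destinations; IPs are illustrative only.
INTERNET = Destination("93.184.216.34")
EXTERNAL_UDP = Destination("1.1.1.1", protocol="UDP")
ISTIOD = Destination("10.244.1.5", namespace="istio-system")
KUBE_DNS = Destination("10.96.0.10", namespace="kube-system", protocol="UDP")
OTHER_POD = Destination("10.244.3.7", namespace="default", labels={"app": "other"})
OTHER_SVC = Destination("10.96.45.2", namespace="default")
SAMPLE = [INTERNET, EXTERNAL_UDP, ISTIOD, KUBE_DNS, OTHER_POD, OTHER_SVC]


def check(except_cidrs: List[str], dst: Destination) -> bool:
    return egress_allowed(dst, [SYSTEM_POLICY, app_policy(except_cidrs)])


def cluster_leaks(except_cidrs: List[str], dsts: List[Destination]) -> List[str]:
    """In-cluster, non-system destinations the policies still let through."""
    system = {"kube-system", "istio-system"}
    return [d.ip for d in dsts
            if d.namespace is not None and d.namespace not in system
            and check(except_cidrs, d)]


if __name__ == "__main__":
    for name, cidrs in (("answer", ANSWER_EXCEPT), ("cluster", CLUSTER_EXCEPT)):
        print(f"{name:8s} except={cidrs} leaks={cluster_leaks(cidrs, SAMPLE)}")
```

With the `except` list as posted, a pod or ClusterIP service in the `10.x` ranges this example assumes is still reachable, because `172.0.0.0/8` never subtracts it from `0.0.0.0/0`; with the cluster's actual CIDRs in `except`, those destinations are denied while internet TCP, DNS in kube-system and istiod in istio-system remain allowed. Read the real values from your cluster (for example the `--cluster-cidr` and `--service-cluster-ip-range` settings, or the CNI's configuration) before copying the policy.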