using-egress-access-controls.md

Module 4: Using egress access controls

Goal: Configure egress access for specific workloads.

Steps

  1. Test connectivity within the cluster and to the external endpoint.

    a. Test connectivity between dev/centos pod and default/frontend pod.

    ```bash
    # test connectivity from dev namespace to default namespace
    kubectl -n dev exec -t centos -- sh -c 'curl -m3 -sI http://frontend.default 2>/dev/null | grep -i http'
    ```

    b. Test connectivity from dev/centos to the external endpoint.

    ```bash
    # test connectivity from dev namespace to the Internet
    kubectl -n dev exec -t centos -- sh -c 'curl -m3 -skI https://api.twilio.com 2>/dev/null | grep -i http'
    kubectl -n dev exec -t centos -- sh -c 'curl -m3 -sI http://www.google.com 2>/dev/null | grep -i http'
    ```

    Both requests should be denied, because the policies configured in the previous module do not allow this traffic.

  2. Implement egress policy to allow egress access from a workload in one namespace, e.g. dev/centos, to a service in another namespace, e.g. default/frontend.

    a. Deploy egress policy.

    ```bash
    kubectl apply -f demo/20-egress-access-controls/centos-to-frontend.yaml
    ```

    b. Test connectivity between dev/centos pod and default/frontend service.

    ```bash
    kubectl -n dev exec -t centos -- sh -c 'curl -m3 -sI http://frontend.default 2>/dev/null | grep -i http'
    ```

    The access should be allowed once the egress policy is in place.

  3. Implement DNS policy to allow the external endpoint access from a specific workload, e.g. dev/centos.

    a. Apply a policy to allow access to api.twilio.com endpoint using DNS rule.

    ```bash
    # deploy dns policy
    kubectl apply -f demo/20-egress-access-controls/dns-policy.yaml

    # test egress access to api.twilio.com
    kubectl -n dev exec -t centos -- sh -c 'curl -m3 -skI https://api.twilio.com 2>/dev/null | grep -i http'
    # test egress access to www.google.com
    kubectl -n dev exec -t centos -- sh -c 'curl -m3 -skI https://www.google.com 2>/dev/null | grep -i http'
    ```

    Access to the api.twilio.com endpoint should be allowed by the DNS policy, but access to any other external endpoint, such as www.google.com, should still be denied unless the policy is modified to include that domain name.

    b. Edit the policy to use a NetworkSet instead of inline DNS rule.

    ```bash
    # deploy network set
    kubectl apply -f demo/20-egress-access-controls/netset.external-apis.yaml
    # deploy DNS policy using the network set
    kubectl apply -f demo/20-egress-access-controls/dns-policy.netset.yaml
    ```

    As a bonus example, you can modify the external-apis network set to include the *.google.com domain name, which would allow access to Google subdomains. If you do, you would allow access to subdomains such as www.google.com, docs.google.com, etc.
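    The manifests below illustrate the shape of the two approaches from step 3 (an inline DNS rule, then a NetworkSet carrying the domain list). They are added here as an example and are not the workshop's own demo/20-egress-access-controls files, whose contents are not shown on this page. Assumed: the dev/centos pod carries the label app=centos, kube-dns runs in kube-system, and the cluster runs Calico Enterprise or Calico Cloud, since DNS rules and allowedEgressDomains are not available in open-source Calico.

    ```yaml
    # Example manifests (not the workshop's files). Assumes label app=centos on the pod.
    # Rule 1 allows the DNS lookup itself to reach kube-dns: without it the name
    # never resolves, and Felix cannot learn which IPs belong to the allowed domain.
    apiVersion: projectcalico.org/v3
    kind: NetworkPolicy
    metadata:
      name: centos-egress-dns-inline
      namespace: dev
    spec:
      selector: app == 'centos'
      types:
        - Egress
      egress:
        - action: Allow
          protocol: UDP
          destination:
            namespaceSelector: projectcalico.org/name == 'kube-system'
            selector: k8s-app == 'kube-dns'
            ports: [53]
        - action: Allow
          protocol: TCP
          destination:
            domains: ['api.twilio.com']   # only this FQDN; www.google.com stays denied
            ports: [443]
    ---
    # Same intent expressed through a network set: the domain list lives in the
    # set, so adding '*.google.com' here (the bonus step) needs no policy change.
    apiVersion: projectcalico.org/v3
    kind: GlobalNetworkSet
    metadata:
      name: external-apis
      labels:
        type: external-apis
    spec:
      allowedEgressDomains:
        - api.twilio.com
        # - '*.google.com'   # bonus: would permit www.google.com, docs.google.com, ...
    ---
    apiVersion: projectcalico.org/v3
    kind: NetworkPolicy
    metadata:
      name: centos-egress-dns-netset
      namespace: dev
    spec:
      selector: app == 'centos'
      types:
        - Egress
      egress:
        - action: Allow
          protocol: TCP
          destination:
            selector: type == 'external-apis'   # matches the GlobalNetworkSet above
            ports: [443]
    ```

    Because the policy is scoped to the dev namespace and to pods matching the selector, other workloads keep whatever egress posture the earlier modules gave them, which is the least-privilege property this module is exercising.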

Next -> Module 5