This document describes the steps required to enable access to the Internet and services external to the service mesh, sometimes referred to as egress traffic.
OSM redirects all outbound traffic from a pod within the mesh to the pod's sidecar proxy. Outbound traffic can be classified into two categories:
- Traffic to services within the mesh cluster, referred to as in-mesh traffic
- Traffic to services external to the mesh cluster, referred to as egress traffic
While in-mesh traffic is routed based on L7 traffic policies, egress traffic is routed differently and is not subject to in-mesh traffic policies. OSM supports access to external services as a passthrough without subjecting such traffic to filtering policies.
Enabling egress is done via a global setting. The setting is toggled on or off and affects all services in the mesh. Egress is enabled by default when OSM is installed.
Egress can be enabled during OSM install or post install. When egress is enabled, outbound traffic from a pod is allowed to leave the pod as long as it does not match an in-mesh traffic policy that would otherwise deny it.
Egress can be configured in either of the following ways:

- During OSM install (default `--enable-egress=false`):

  ```shell
  osm install --enable-egress
  ```

- Post OSM install: `osm-controller` retrieves the egress configuration from the `osm-config` ConfigMap in its namespace (`osm-system` by default). Patch the ConfigMap by setting `egress: "true"`:

  ```shell
  kubectl patch ConfigMap osm-config -n osm-system -p '{"data":{"egress":"true"}}' --type=merge
  ```
Similar to enabling egress, egress can be disabled during OSM install or post install:

- During OSM install:

  ```shell
  osm install --enable-egress=false
  ```

- Post OSM install: patch the `osm-config` ConfigMap and set `egress: "false"`:

  ```shell
  kubectl patch ConfigMap osm-config -n osm-system -p '{"data":{"egress":"false"}}' --type=merge
  ```
With egress disabled, traffic from pods within the mesh will not be able to access external services outside the cluster.
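The enable and disable procedures above both come down to one merge patch on the `osm-config` ConfigMap. The following is an added helper, not part of the OSM project, that reads the ConfigMap's current `egress` value and only issues the patch when the desired state differs, so repeated runs are idempotent and a stray patch is never sent. The sample ConfigMap JSON is constructed to mirror `kubectl get configmap osm-config -o json` output; `reconcile_egress` defaults to a dry run so it works without a cluster.

```python
import json
import shlex
import subprocess

# Constructed sample of `kubectl get configmap osm-config -n osm-system -o json`,
# trimmed to the fields this helper reads (not captured from a real cluster).
SAMPLE_CONFIGMAP_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"name": "osm-config", "namespace": "osm-system"},
    "data": {"egress": "true"},
})


def egress_state(configmap_json: str):
    """Return True/False for the ConfigMap's egress key, or None if the key is unset."""
    data = json.loads(configmap_json).get("data") or {}
    value = data.get("egress")
    if value is None:
        return None
    # ConfigMap values are strings, so the boolean is compared textually.
    return value.strip().lower() == "true"


def egress_patch_command(desired: bool, namespace: str = "osm-system") -> list:
    """Build the merge-patch command from the docs as an argv list (no shell quoting)."""
    patch = json.dumps({"data": {"egress": "true" if desired else "false"}})
    return ["kubectl", "patch", "ConfigMap", "osm-config", "-n", namespace,
            "-p", patch, "--type=merge"]


def reconcile_egress(configmap_json: str, desired: bool, dry_run: bool = True):
    """Return the patch command when a change is needed, else None; run it unless dry_run."""
    if egress_state(configmap_json) is desired:
        return None
    cmd = egress_patch_command(desired)
    if not dry_run:
        subprocess.run(cmd, check=True)  # requires kubectl and cluster credentials
    return cmd


if __name__ == "__main__":
    print("current egress:", egress_state(SAMPLE_CONFIGMAP_JSON))
    cmd = reconcile_egress(SAMPLE_CONFIGMAP_JSON, desired=False)
    print("would run:", " ".join(shlex.quote(c) for c in cmd) if cmd else "nothing (already set)")
```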