Version: 1.4.x

Egress Gateway

EgressGateway configures a workload to act as a gateway for traffic leaving the mesh. The egress gateway is meant to be the destination for unknown traffic within the mesh, that is, traffic sent to services that are not part of the mesh. Authorization rules on the gateway control which services are allowed to send unknown traffic through it, so external reachability can be tuned per workload or per service account rather than granted mesh-wide. Only HTTP is supported at this time.

The following example declares an egress gateway running on pods in istio-system with the label app=istio-egressgateway. The gateway allows any workload in the workspace (mode: WORKSPACE) to access www.httpbin.org, and allows the bookinfo details service account specifically to access any external host. An EgressGateway must be paired with a TrafficSetting to be usable: set the egress field of the TrafficSetting to point at the egress gateway, which receives mesh traffic on port 15443. Once this is in place, mesh-internal apps send unknown traffic to the egress gateway over mTLS; the gateway decides whether to forward it according to its authorization rules, and uses one-way TLS for the external call.

apiVersion: gateway.tsb.tetrate.io/v2
kind: EgressGateway
metadata:
  name: my-egress
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    # Must be the namespace the gateway pods actually run in; it is the same
    # namespace the TrafficSetting's egress host below refers to.
    namespace: istio-system
    labels:
      app: istio-egressgateway
  authorization:
  # Any workload in the workspace may reach this single host.
  - from:
      mode: WORKSPACE
    to: ["www.httpbin.org"]
  # Only the named service account may reach any external host.
  - from:
      mode: CUSTOM
      serviceAccounts: ["default/bookinfo-details"]
    to: ["*"]
---
apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  reachability:
    mode: CUSTOM
    hosts:
    - "./*"             # services in the workload's own namespace
    - "istio-system/*"  # keeps the egress gateway's service reachable
  egress:
    host: istio-system/istio-egressgateway.istio-system.svc.cluster.local

EgressAuthorization

EgressAuthorization dictates which service accounts can access a set of external hosts.

Field | Description | Validation Rule

from

tetrateio.api.tsb.security.v2.AuthorizationSettings
The workloads or service accounts this authorization rule applies to. If not set, the rule applies to all workloads and service accounts, so an omitted from together with to: ["*"] grants every workload unrestricted egress through this gateway.

to

List of string
REQUIRED
The external hostnames the workload(s) described in this rule can access. A host cannot be specified more than once. Use "*" to allow access to any external host.

repeated = {
  min_items: 1
}

EgressGateway

EgressGateway configures a workload to act as an egress gateway in the mesh.

Field | Description | Validation Rule

workloadSelector

tetrateio.api.tsb.types.v2.WorkloadSelector
REQUIRED
Specifies the gateway workloads (pod labels and Kubernetes namespace) under the gateway group that should be configured with this gateway. There can be only one gateway per workload selector in a namespace.

message = {
  required: true
}

authorization

List of tetrateio.api.tsb.gateway.v2.EgressAuthorization
Describes which service accounts can access which hosts. If the list of authorization rules is empty, this egress gateway denies all traffic; access is granted only by an explicit rule.
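The example gateway above and the field semantics in this reference (an empty authorization list denies everything, an omitted from applies to every workload, to is required and may not repeat a host, "*" matches any external host) are easiest to reason about as a small policy evaluator. The following is an added example, not code from TSB or this page; it answers "may service account X send unknown traffic to host Y through this gateway?" and lints rules that are invalid or risky. It assumes the spec is supplied as a Python dict mirroring the YAML, that workspace membership can be approximated by a caller-supplied set of namespaces (TSB derives it from the workspace's namespace selector), and that hosts match exactly or via the "*" catch-all only; other AuthorizationSettings modes fail closed.

```python
from collections import Counter

# Constructed sample: the two rules from the EgressGateway example on this page.
EXAMPLE_RULES = [
    {"from": {"mode": "WORKSPACE"}, "to": ["www.httpbin.org"]},
    {"from": {"mode": "CUSTOM", "serviceAccounts": ["default/bookinfo-details"]},
     "to": ["*"]},
]

# Assumption: namespaces that belong to workspace w1, supplied by hand here.
WORKSPACE_NAMESPACES = {"default", "bookinfo"}


def lint_authorization(rules):
    """Return problems found in an EgressGateway authorization list.

    Mirrors the validation rules on the page (to is REQUIRED with at least one
    host, no duplicate hosts) plus two hygiene checks a reviewer would raise.
    """
    problems = []
    if not rules:
        # Page semantics: an empty list means the gateway denies all traffic.
        problems.append("authorization is empty: gateway will deny all egress")
        return problems
    for i, rule in enumerate(rules):
        to = rule.get("to", [])
        if not to:
            problems.append(f"rule {i}: 'to' is REQUIRED and needs at least one host")
        dupes = [h for h, n in Counter(to).items() if n > 1]
        if dupes:
            problems.append(f"rule {i}: hosts listed more than once: {sorted(dupes)}")
        if "from" not in rule and "*" in to:
            # Omitted 'from' applies to every workload; combined with "*" the
            # gateway becomes an open forward proxy for the whole mesh.
            problems.append(f"rule {i}: no 'from' and to '*' lets any workload reach any host")
    return problems


def rule_matches_caller(rule, service_account, workspace_namespaces):
    """Does this rule's 'from' cover the caller (service account 'ns/name')?"""
    frm = rule.get("from")
    if frm is None:
        return True  # page semantics: unset 'from' applies to all workloads
    namespace = service_account.split("/", 1)[0]
    mode = frm.get("mode")
    if mode == "WORKSPACE":
        return namespace in workspace_namespaces
    if mode == "CUSTOM":
        return service_account in frm.get("serviceAccounts", [])
    return False  # modes not covered on this page: fail closed


def is_allowed(rules, service_account, host, workspace_namespaces):
    """Evaluate the authorization list: first matching rule that lists the host
    (or "*") grants access; no match, or an empty list, denies."""
    for rule in rules:
        if not rule_matches_caller(rule, service_account, workspace_namespaces):
            continue
        to = rule.get("to", [])
        if "*" in to or host in to:
            return True
    return False


def callers_allowed(rules, host, candidate_accounts, workspace_namespaces):
    """Audit helper: which of the given service accounts may reach host?"""
    return sorted(sa for sa in candidate_accounts
                  if is_allowed(rules, sa, host, workspace_namespaces))


if __name__ == "__main__":
    accounts = ["default/bookinfo-details", "bookinfo/ratings", "kube-system/foo"]
    for host in ("www.httpbin.org", "api.example.com"):
        print(host, "->", callers_allowed(EXAMPLE_RULES, host, accounts, WORKSPACE_NAMESPACES))
    print("lint:", lint_authorization([{"to": ["*"]}]))
```

Running the script shows that every workspace service account reaches www.httpbin.org, only default/bookinfo-details reaches api.example.com, and a rule with to: ["*"] and no from is flagged. Treat the evaluator as a pre-commit check on gateway configuration, not as a substitute for the gateway's own enforcement.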