I need to restrict pod egress traffic to external destinations. Pod should be able to access any destination on the internet and all cluster internal destinations should be denied.
This is what I tried and it is not passing validation:
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: test
spec:
  workloadSelector:
    labels:
      k8s-app: mypod
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY
  egress:
  - hosts:
    - 'default/*'
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: all-external
spec:
  location: MESH_EXTERNAL
  resolution: DNS
  hosts:
  - '*'
  ports:
  - name: http
    protocol: HTTP
    number: 80
  - name: https
    protocol: TLS
    number: 443
Istio 1.11.4
I did it using NetworkPolicy:
1. Allow traffic to Kubernetes and Istio related services (could be more restrictive, not just based on the namespace):
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: myapp-eg-system
spec:
  podSelector:
    matchLabels:
      app: myapp
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: istio-system
2. Allow anything except the cluster network IP space:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: myapp-eg-app
spec:
  podSelector:
    matchLabels:
      app: myapp
  policyTypes:
  - Egress
  egress:
  - to:
    # Restrict to external traffic
    - ipBlock:
        cidr: '0.0.0.0/0'
        except:
        - '172.0.0.0/8'
    - podSelector:
        matchLabels:
          app: myapp
    ports:
    - protocol: TCP
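Whether an ipBlock's `except` list really keeps cluster-internal destinations unreachable depends on the pod and service CIDRs of the particular cluster, which vary by installation. The following Python check is an added example, not part of the question or the answer above: it applies Kubernetes ipBlock semantics (inside `cidr`, not inside any `except` entry) to candidate destination IPs and reports which cluster ranges a policy would still let through; the cluster CIDRs used are constructed placeholders, not values from this page.

```python
"""Check a NetworkPolicy ipBlock against a cluster's own address ranges.

The two ipBlocks below are the one from the answer above and a variant whose
except list covers all RFC 1918 ranges. CLUSTER_CIDRS are constructed example
values; substitute the pod and service CIDRs of your own cluster.
"""
import ipaddress

ANSWER_BLOCK = {"cidr": "0.0.0.0/0", "except": ["172.0.0.0/8"]}
RFC1918_BLOCK = {
    "cidr": "0.0.0.0/0",
    "except": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}
# Assumed example ranges: pod CIDR and service CIDR of a hypothetical cluster.
CLUSTER_CIDRS = ["10.244.0.0/16", "10.96.0.0/12"]


def ip_block_allows(ip_block: dict, dst: str) -> bool:
    """True if `dst` matches the ipBlock: inside `cidr` and in no `except` net."""
    addr = ipaddress.ip_address(dst)
    if addr not in ipaddress.ip_network(ip_block["cidr"]):
        return False
    return not any(
        addr in ipaddress.ip_network(net) for net in ip_block.get("except", [])
    )


def uncovered_cluster_ranges(ip_block: dict, cluster_cidrs: list) -> list:
    """Cluster CIDRs that are not fully contained in any `except` entry.

    Traffic to addresses in these ranges would still be allowed by the rule.
    """
    excepts = [ipaddress.ip_network(net) for net in ip_block.get("except", [])]
    leaks = []
    for cidr in cluster_cidrs:
        net = ipaddress.ip_network(cidr)
        if not any(net.subnet_of(ex) for ex in excepts if ex.version == net.version):
            leaks.append(cidr)
    return leaks


if __name__ == "__main__":
    for name, block in (("answer", ANSWER_BLOCK), ("rfc1918", RFC1918_BLOCK)):
        print(name, "still reaches:", uncovered_cluster_ranges(block, CLUSTER_CIDRS))
```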