README.md
Lines changed: 46 additions & 6 deletions
@@ -1,9 +1,9 @@
1
1
# egress-operator
2
2
An operator to produce egress gateway pods and control access to them with network policies, and a coredns plugin to route egress traffic to these pods.
3
3
4
-
The idea is that instead of authorizing egress traffic with protocol inspection,
4
+
The idea is that instead of authorizing egress traffic with protocol inspection,
5
5
you instead create a internal clusterIP for every external service you use, lock
6
-
it down to only a few pods via a network policy, and then set up your dns server
6
+
it down to only a few pods via a network policy, and then set up your dns server
7
7
to resolve the external service to that clusterIP.
8
8
9
9
Built with kubebuilder: https://book.kubebuilder.io/
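Review bot: The edits to README lines 4 and 6 in this hunk ("The idea is that instead of authorizing egress traffic with protocol inspection," and "it down to only a few pods via a network policy, and then set up your dns server") remove and re-add identical text, so the change is whitespace-only; if the intent is trailing-whitespace cleanup, say so in the commit message. While these lines are being touched, fix the adjacent "a internal clusterIP" to "an internal clusterIP" and "dns server" to "DNS server".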
@@ -22,15 +22,15 @@ In the `egress-operator-system` namespace, it creates:
22
22
2. Your local system must have a recent version of `golang` for building the code, which you can install by following instructions [here](https://golang.org/doc/install).
23
23
3. Your local system must have Kubebuilder for code generation, which you can install by following instructions [here](https://book.kubebuilder.io/quick-start.html).
24
24
4. Your local system must have Kustomize for building the Kubernetes manifests, which you can install by following instructions [here](https://kubernetes-sigs.github.io/kustomize/installation/).
25
-
5. Your cluster must be running CoreDNS instead of kube-dns, which may not be the case if you are using a managed Kubernetes service. [This article](https://medium.com/google-cloud/using-coredns-on-gke-3973598ab561) provides some help for GCP Kubernetes Engine, and guidance for AWS Elastic Kubernetes Service can be found [here](https://docs.aws.amazon.com/eks/latest/userguide/coredns.html).
25
+
5. Your cluster must be running CoreDNS instead of kube-dns, which may not be the case if you are using a managed Kubernetes service. [This article](https://medium.com/google-cloud/using-coredns-on-gke-3973598ab561) provides some help for GCP Kubernetes Engine, and guidance for AWS Elastic Kubernetes Service can be found [here](https://docs.aws.amazon.com/eks/latest/userguide/coredns.html).
26
26
27
27
## Installing
28
28
29
29
### Testing locally against a remote cluster
30
30
31
31
```bash
32
32
make run
33
-
```
33
+
```
34
34
This creates an ExternalService object to see the controller-manager creating managed resources in the remote cluster.
35
35
36
36
### Setting up CoreDNS plugin
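Review bot: Lines 25 and 33 of this hunk are whitespace-only churn (the CoreDNS prerequisite and the closing ``` fence are removed and re-added unchanged), which is fine but worth stating in the commit message. The sentence after the fence, "This creates an ExternalService object to see the controller-manager creating managed resources in the remote cluster.", reads as though `make run` itself creates the object; if the intended workflow is to create one by hand after the manager is running, reword to "Then create an ExternalService object to see the controller-manager creating managed resources in the remote cluster."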
@@ -132,9 +132,49 @@ spec:
132
132
# ensure your internal IP range is allowed here
133
133
# traffic to external IPs will not be allowed from this namespace.
134
134
# therefore, pods will have to use egress gateways
135
-
cidr: 10.0.0.0/8
135
+
cidr: 10.0.0.0/8
136
136
```
137
137
138
-
If you already have a default deny egress policy, the above won't be needed. You'll instead want to explicitly allow
138
+
If you already have a default deny egress policy, the above won't be needed. You'll instead want to explicitly allow
139
139
egress from your pods to all gateway pods. The ingress policies on gateway pods will ensure that only correct traffic is
140
140
allowed.
141
+
142
+
### Configuration
143
+
144
+
Global configuration of the operator is set using environment variables.
145
+
146
+
Node Selectors and Taint tolerations can be added to gateway pods to ensure pods
147
+
run on nodes that are permitted to access the internet. Example:
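Review bot: The new "Configuration" section states "Global configuration of the operator is set using environment variables" but, in the portion of the hunk visible here, names none of them; list each variable with its default and effect so an operator can audit what the gateway deployment will do. Two related points in the same hunk: the node selector and taint toleration paragraph should make clear that a nodeSelector only steers gateway pods onto internet-capable nodes, while it is the taint on those nodes that keeps other workloads off them, so both are needed for the isolation the text implies; and the default-deny paragraph ("You'll instead want to explicitly allow egress from your pods to all gateway pods") should also mention allowing egress to CoreDNS, since the design works by resolving external names to the gateway clusterIP and a default-deny policy that blocks DNS breaks that path before the gateway is ever reached.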