EgressGatewayPolicy

Scope: Cluster
Version: v1alpha1

Interface for configuring policies to redirect application traffic to specific egress gateways described through the EgressGateway interface.

  • spec
    object

    Required value

    • spec.destinationCIDRs
      array of strings

      Network requests towards these subnets will be routed through the egress gateway.

      This feature is available in enterprise edition only.

    • spec.egressGatewayName
      string

      Required value

      The name of the EgressGateway resource that describes the egress gateway for handling traffic.

      This feature is available in enterprise edition only.

    • spec.excludedCIDRs
      array of strings

      Network ranges that are required to be excluded from the ranges described in destinationCIDRs. Note that you do not need to exclude the special cluster ranges (podSubnetCIDR and serviceSubnetCIDR).

      This feature is available in enterprise edition only.

    • spec.selectors
      array of objects

Selectors for application Pods whose traffic will be routed through the specified egress gateway. To select by namespace, use the io.kubernetes.pod.namespace pseudo-label.

      This feature is available in enterprise edition only.

      • spec.selectors.podSelector
        object

        Required value

        A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.

        This feature is available in enterprise edition only.

        • spec.selectors.podSelector.matchExpressions
          array of objects

          matchExpressions is a list of label selector requirements. The requirements are ANDed.

          A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

          This feature is available in enterprise edition only.

          • spec.selectors.podSelector.matchExpressions.key
            string

            Required value

            key is the label key that the selector applies to.

            This feature is available in enterprise edition only.

          • spec.selectors.podSelector.matchExpressions.operator
            string

            Required value

            operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

            This feature is available in enterprise edition only.

          • spec.selectors.podSelector.matchExpressions.values
            array of strings

            values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

            This feature is available in enterprise edition only.

        • spec.selectors.podSelector.matchLabels
          object

          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed.

          This feature is available in enterprise edition only.

EgressGateway

Scope: Cluster
Version: v1alpha1

Interface for configuring a fault-tolerant egress gateway based on a group of nodes.

The configured egress gateways can be referenced from the EgressGatewayPolicy interface to assign an egress gateway to application Pods.

  • spec
    object
    • spec.nodeSelector
      object

      The selector for the group of nodes that will forward network requests to external services. Among these nodes, eligible nodes are detected and one of them is assigned as the active node. A node is eligible when all of the following hold:

      • The node is in the Ready state.
      • The node is not cordoned.
      • The cilium-agent on the node is in the Ready state.

      Different EgressGateways can use common nodes for operation, and active nodes will be selected independently for each EgressGateway, thus distributing the load between them.

      This feature is available in enterprise edition only.

    • spec.sourceIP
      object
      • spec.sourceIP.mode
        string

        Required value

        A method for determining the source IP address to be assigned to requests through this gateway.

        Possible options:

        • PrimaryIPFromEgressGatewayNodeInterface — the primary IP address on the public network interface of the node will be used as the source IP address.

          Particularities:

          • When the active node goes down and a new node is assigned, the outgoing IP address will change.
          • The network subsystem on all egress nodes must be configured in advance:
            • the public interfaces must have the same name (eth1, for example),
            • all necessary routes for access to all external public services must be configured.
        • VirtualIPAddress — explicitly specify the outgoing IP address.

          Particularities:

          • If the active node goes down, the outgoing IP address will not change.
          • The network subsystem on all egress nodes must be configured in advance:
            • all necessary routes for access to all external public services must be configured,
            • the public interface must be prepared for a virtual IP to be configured automatically as a secondary IP address (when an egress node is designated as active, the address does not appear in the IP list on the public interface; instead, the node emulates it by answering ARP requests for it).

        This feature is available in enterprise edition only.

        Allowed values: VirtualIPAddress, PrimaryIPFromEgressGatewayNodeInterface

      • spec.sourceIP.primaryIPFromEgressGatewayNodeInterface
        object
        • spec.sourceIP.primaryIPFromEgressGatewayNodeInterface.interfaceName
          string

          The interface name on the egress nodes through which external requests are processed.

          This feature is available in enterprise edition only.

      • spec.sourceIP.virtualIPAddress
        object
        • spec.sourceIP.virtualIPAddress.ip
          string

          The virtual source IP address to be assigned to outgoing requests through the egress gateway.

          This feature is available in enterprise edition only.
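The manifests below show an EgressGateway and an EgressGatewayPolicy wired together using the fields documented above (podSelector with both matchLabels and matchExpressions, the io.kubernetes.pod.namespace pseudo-label, destinationCIDRs narrowed by excludedCIDRs, and the VirtualIPAddress source-IP mode). This is an added example, not a manifest from the project's own documentation: the API group network.deckhouse.io is assumed, and the node label, namespace, application labels and IP ranges are constructed sample values.

```yaml
# Added example. The apiVersion group is assumed; node label, namespace,
# app labels and addresses are constructed sample values.
apiVersion: network.deckhouse.io/v1alpha1
kind: EgressGateway
metadata:
  name: egress-gw-a
spec:
  # Label map (constructed key): every node carrying it is a candidate.
  # One eligible node (Ready, not cordoned, cilium-agent Ready) becomes active.
  nodeSelector:
    node-role.example.com/egress: ""
  sourceIP:
    # VirtualIPAddress: the egress IP stays the same when the active node
    # fails over; the active node answers ARP for it on the public interface.
    mode: VirtualIPAddress
    virtualIPAddress:
      ip: 192.0.2.10            # constructed (TEST-NET-1 documentation range)
---
apiVersion: network.deckhouse.io/v1alpha1
kind: EgressGatewayPolicy
metadata:
  name: payments-egress
spec:
  # Must match metadata.name of the EgressGateway above.
  egressGatewayName: egress-gw-a
  # Route everything through the gateway ...
  destinationCIDRs:
    - 0.0.0.0/0
  # ... except these private ranges. The cluster's podSubnetCIDR and
  # serviceSubnetCIDR do not need to be listed here.
  excludedCIDRs:
    - 10.0.0.0/8
    - 192.168.0.0/16
  selectors:
    - podSelector:
        # matchLabels and matchExpressions are ANDed.
        matchLabels:
          io.kubernetes.pod.namespace: payments   # pseudo-label selecting the namespace
        matchExpressions:
          - key: app
            operator: In                           # In/NotIn require a non-empty values list
            values: ["billing", "invoicing"]
          - key: egress-bypass
            operator: DoesNotExist                 # Exists/DoesNotExist take no values
```

Apply both documents with `kubectl apply -f` and confirm the policy's egressGatewayName resolves to an existing EgressGateway before relying on it, since a dangling reference leaves the selected Pods without the intended egress path.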