
Alibaba Cloud Service Mesh:CRD fields in an egress traffic policy

Last Updated:Jun 05, 2023

Service Mesh (ASM) instances of version 1.16.4 and later allow you to define an egress traffic policy through the fields of a CustomResourceDefinition (CRD). An egress traffic policy defines how an egress gateway handles egress traffic: which workloads may reach which external hosts, through which port of the gateway, and whether HTTP requests are upgraded to HTTPS on the way out. Combined with sidecar proxies and authorization policies, it lets you control egress traffic end to end. This topic provides YAML examples and describes the CRD fields of an egress traffic policy.

YAML code examples

Example 1: Allow a service to access a specific external service through an egress gateway

The sleep-a service in the mytest namespace is allowed to access http://www.httpbin.org over port 80 of the egress gateway named egressgateway-a.

apiVersion: istio.alibabacloud.com/v1beta1
kind: ASMEgressTrafficPolicy
metadata:
  name: egress-by-egressgateway-a  # This value corresponds to the name of the egress gateway. 
  namespace: istio-egress                # This value is fixed to istio-egress. 
spec:
  byEgressGateway:
    name: egressgateway-a
  egressRules:
  - from:
    - namespace: mytest
      workloadSelector:
        app: sleep-a
    to:
    - name: httpbin-service-http
      hosts:
      - www.httpbin.org  # All hosts in this list must resolve to the same IP addresses. 
      - httpbin.org
      port:
        name: http
        number: 80
        protocol: HTTP
      byEgressGateway:
        port: 80        # Traffic path: sidecar proxy > gateway (port 80) > httpbin.org service (port 80)

Example 2: Allow some services to access specific external services through an egress gateway and upgrade HTTP requests to HTTPS requests

  • The sleep-a service in the mytest namespace is allowed to access http://www.httpbin.org over port 80 of the egress gateway named egressgateway-a. The egress gateway upgrades the HTTP requests that arrive on its port 80 to HTTPS and forwards them to port 443 of the external service.

  • The sleep-a service in the mytest namespace is allowed to access https://www.httpbin.org over port 444 of the egress gateway named egressgateway-a.

  • The sleep-b service in the mytest namespace is allowed to access https://www.aliyun.com over port 445 of the egress gateway named egressgateway-a.

apiVersion: istio.alibabacloud.com/v1beta1
kind: ASMEgressTrafficPolicy
metadata:
  name: egress-by-egressgateway-a  # This value corresponds to the name of the egress gateway. 
  namespace: istio-egress          # This value is fixed to istio-egress. 
spec:
  byEgressGateway:
    name: egressgateway-a
  egressRules:
  - from:
    - namespace: mytest
      workloadSelector:
        app: sleep-a
    to:
    - name: httpbin-service-http
      hosts:
      - www.httpbin.org  # All hosts in this list must resolve to the same IP addresses. 
      - httpbin.org
      port:
        name: http
        number: 80
        protocol: HTTP
      byEgressGateway:
        port: 80        # Traffic path: sidecar proxy > gateway (port 80) > httpbin.org service (port 443, because httpsUpgrade is enabled below)
      httpsUpgrade:
        enabled: true   # If this value is set to false, the port parameter under httpsUpgrade does not take effect. 
        port: 443       # The gateway originates HTTPS to this port of the external service. 
    - name: httpbin-service-https
      hosts:
      - www.httpbin.org
      - httpbin.org
      port:
        name: https
        number: 443
        protocol: HTTPS
      byEgressGateway:
        port: 444       # Traffic path: sidecar proxy > gateway (port 444) > httpbin.org service (port 443)
  - from:
    - namespace: mytest
      workloadSelector:
        app: sleep-b
    to:
    - name: aliyun-service-https
      hosts:
      - www.aliyun.com
      port:
        name: https
        number: 443
        protocol: HTTPS
      byEgressGateway:
        port: 445       # Traffic path: sidecar proxy > gateway (port 445) > www.aliyun.com service (port 443)

CRD fields

Spec

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| byEgressGateway | ByEgressGateway | Yes | The egress gateway that is used to control access to external services. |
| egressRules | EgressRule[] | Yes | Egress traffic rules. |

ByEgressGateway

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | Yes | The egress gateway through which external services are accessed. We recommend that the gateway name does not exceed 32 characters in length. |
| port | uint32 | No | The port of the egress gateway that the traffic passes through. |

EgressRule

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | No | The name of the rule. |
| from | From[] | Yes | The source of the egress traffic, that is, the request initiator. |
| to | To[] | Yes | The destination of the egress traffic, that is, the external service that the requests are sent to. |

From

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| namespace | string | Yes | The namespace in which the service that initiates the requests resides. |
| workloadSelector | map[string]string | No | Labels that select the source workloads of the egress traffic within the namespace. If omitted, the rule is not narrowed by label, so every workload in the namespace matches. |

To

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | Yes | The name of the external service. |
| hosts | string[] | Yes | The domain names of the external service. Multiple domain names can be configured, but they must all point to the same site, that is, resolve to the same IP addresses. |
| port | Port | Yes | The port of the external service. |
| byEgressGateway | ByEgressGateway | Yes | Indicates that traffic flows through a port on the egress gateway to the external service. In the examples above only port is set here; the gateway itself is the one named in spec.byEgressGateway. |
| httpsUpgrade | HttpsUpgrade | No | Specifies whether the egress gateway upgrades the HTTP requests initiated by the service to HTTPS requests. |

HttpsUpgrade

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| enabled | bool | Yes | Specifies whether the HTTP requests are upgraded to HTTPS requests. |
| port | uint32 | Yes | The HTTPS port of the external service. Takes effect only when enabled is true. |
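The tables above describe the schema, but nothing on this page checks a document against it before it is applied. The following pre-apply linter is an added example, not part of ASM or its documentation: it encodes the required fields and types, the fixed istio-egress namespace, the 32-character gateway-name recommendation and the httpsUpgrade rule (port has no effect when enabled is false) from the tables, and runs them over a constructed policy that combines Example 1 with the httpsUpgrade block of Example 2. The port range 1..65535, the warning when httpsUpgrade is enabled on a port whose protocol is already HTTPS, and all check names and messages are this example's own assumptions; the fields of the Port type (name, number, protocol) are taken from the examples because the page has no table for it.

```python
"""Pre-apply linter for ASMEgressTrafficPolicy documents (added example, not ASM code).
Encodes the CRD tables on this page: required fields and types, the fixed istio-egress
namespace, the gateway-name recommendation and the httpsUpgrade semantics. The port-range
and HTTPS-already-in-use checks are this example's own assumptions."""

API_VERSION = "istio.alibabacloud.com/v1beta1"
KIND = "ASMEgressTrafficPolicy"
POLICY_NAMESPACE = "istio-egress"  # fixed by the page
MAX_GATEWAY_NAME = 32              # recommendation from the ByEgressGateway table


def _is_port(v):
    """CRD type is uint32; a usable TCP port is 1..65535 (assumption, stricter than uint32)."""
    return isinstance(v, int) and not isinstance(v, bool) and 0 < v < 65536


def _require(obj, key, typ, where, errors):
    """Record a missing or mistyped required field; return its value, else None."""
    if not isinstance(obj, dict) or key not in obj:
        errors.append(f"{where}: missing required field '{key}'")
    elif not isinstance(obj[key], typ):
        errors.append(f"{where}: '{key}' must be of type {typ.__name__}")
    else:
        return obj[key]
    return None


def _check_from(src, where, errors, warnings):
    """From table: namespace (required string), workloadSelector (optional map[string]string)."""
    _require(src, "namespace", str, where, errors)
    sel = src.get("workloadSelector", {})
    if not isinstance(sel, dict) or any(
            not isinstance(k, str) or not isinstance(v, str) for k, v in sel.items()):
        errors.append(f"{where}: workloadSelector must be a map of string to string")


def _check_to(dst, where, errors, warnings):
    """To and HttpsUpgrade tables. Port is not tabulated on the page; its check mirrors the examples."""
    _require(dst, "name", str, where, errors)
    hosts = _require(dst, "hosts", list, where, errors)
    if hosts is not None and (not hosts or not all(isinstance(h, str) and h for h in hosts)):
        errors.append(f"{where}: hosts must be a non-empty list of domain names")
    port = dst.get("port")
    protocol = port.get("protocol") if isinstance(port, dict) else None
    if not isinstance(port, dict) or not _is_port(port.get("number")) or not isinstance(protocol, str):
        errors.append(f"{where}: port is required, with number (1..65535) and protocol (HTTP or HTTPS)")
    gw = _require(dst, "byEgressGateway", dict, where, errors)
    if gw is not None and "port" in gw and not _is_port(gw["port"]):
        errors.append(f"{where}.byEgressGateway: port must be an integer in 1..65535")
    up, uw = dst.get("httpsUpgrade"), f"{where}.httpsUpgrade"
    if not isinstance(up, dict):
        if up is not None:
            errors.append(f"{uw}: must be an object")
        return
    enabled = _require(up, "enabled", bool, uw, errors)
    if "port" not in up:
        errors.append(f"{uw}: missing required field 'port'")
    elif not _is_port(up["port"]):
        errors.append(f"{uw}: port must be an integer in 1..65535")
    if enabled is False and "port" in up:  # the page: port has no effect when enabled is false
        warnings.append(f"{uw}: enabled is false, so port has no effect")
    if enabled and isinstance(protocol, str) and protocol.upper() == "HTTPS":  # assumption
        warnings.append(f"{where}: httpsUpgrade is enabled but the service port is already HTTPS")


def validate(policy):
    """Return (errors, warnings); an empty errors list means the policy is well-formed."""
    errors, warnings = [], []
    policy = policy if isinstance(policy, dict) else {}
    for key, want in (("apiVersion", API_VERSION), ("kind", KIND)):
        if policy.get(key) != want:
            errors.append(f"{key} must be {want}")
    meta = _require(policy, "metadata", dict, "metadata", errors) or {}
    _require(meta, "name", str, "metadata", errors)
    if meta.get("namespace") != POLICY_NAMESPACE:
        errors.append(f"metadata.namespace must be {POLICY_NAMESPACE}")
    spec = _require(policy, "spec", dict, "spec", errors) or {}
    gw = _require(spec, "byEgressGateway", dict, "spec", errors) or {}
    name = _require(gw, "name", str, "spec.byEgressGateway", errors)
    if name is not None and len(name) > MAX_GATEWAY_NAME:
        warnings.append(f"spec.byEgressGateway: gateway name exceeds {MAX_GATEWAY_NAME} characters")
    if "port" in gw and not _is_port(gw["port"]):
        errors.append("spec.byEgressGateway: port must be an integer in 1..65535")
    rules = _require(spec, "egressRules", list, "spec", errors)
    for i, rule in enumerate(rules or []):
        where = f"spec.egressRules[{i}]"
        for key, check in (("from", _check_from), ("to", _check_to)):
            items = _require(rule, key, list, where, errors)
            if items == []:
                errors.append(f"{where}: {key} must contain at least one entry")
            for j, item in enumerate(items or []):
                # A non-mapping entry is checked as an empty one so that every required field is reported.
                check(item if isinstance(item, dict) else {}, f"{where}.{key}[{j}]", errors, warnings)
    return errors, warnings


# Constructed sample (not copied verbatim from the page): Example 1 plus Example 2's httpsUpgrade block.
SAMPLE_POLICY = {
    "apiVersion": API_VERSION, "kind": KIND,
    "metadata": {"name": "egress-by-egressgateway-a", "namespace": POLICY_NAMESPACE},
    "spec": {"byEgressGateway": {"name": "egressgateway-a"}, "egressRules": [{
        "from": [{"namespace": "mytest", "workloadSelector": {"app": "sleep-a"}}],
        "to": [{"name": "httpbin-service-http", "hosts": ["www.httpbin.org", "httpbin.org"],
                "port": {"name": "http", "number": 80, "protocol": "HTTP"},
                "byEgressGateway": {"port": 80}, "httpsUpgrade": {"enabled": True, "port": 443}}]}]}}
```

validate(SAMPLE_POLICY) returns ([], []). To lint a file, parse it with yaml.safe_load (PyYAML, not imported here) and pass the resulting dict to validate: a non-empty errors list means the document violates a rule from the tables on this page, and warnings flag settings that are legal but are likely to be mistakes, such as an httpsUpgrade port that is ignored because enabled is false.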
