
Egress support #661

Open
valerauko opened this issue Jul 7, 2020 · 4 comments
Labels
kind/enhancement a new or improved feature.

Comments

@valerauko
Contributor

valerauko commented Jul 7, 2020

Feature Request

Egress support. Some means to monitor and control outgoing traffic.

Proposal

I don't know what's an ideal way to handle this.

Background

Many of my services regularly communicate with external services ad-hoc. Meaning I can't know beforehand what external services may appear as servers join and leave the network. (So I don't think ExternalServices as proposed by #622 would solve this)

Workarounds

I log outgoing requests at the application level.

@SantoDE
Contributor

SantoDE commented Jul 7, 2020

Hello @valerauko,

thanks for your interest in the project.

I'm not sure Maesh can handle that request though. As we're non-invasive, we don't have control over all outgoing connections.

We'll keep the issue though, let's see where we end :)

@SantoDE SantoDE added kind/enhancement a new or improved feature. and removed status/0-needs-triage labels Jul 7, 2020
@valerauko
Contributor Author

I understand that. I was thinking of blocking all non-maesh traffic using k8s network policies. It'd be nice if there was a way to pass egress traffic through maesh.

@devopstales

@SantoDE Any update on this?

@ollytheninja

Old issue but I think still relevant. As far as I'm aware, at the moment the only "mature" solution for cluster-native egress management is Istio's Egress Gateway.
From a security perspective, being able to create domain (rather than IP) level allow-lists for resources / APIs an application needs to access on the internet is a beautiful thing.
Just as in the Istio instance, it would not be up to the service mesh to ensure traffic goes through the mesh proxy - that would be for network policies to handle. The mesh is only responsible for enforcing policy on requests that do come through it.

Important to the original issue is the ability to monitor external traffic and then have the ability to create specific allow or deny rules.

You may for example monitor the traffic on a test application and use that to explicitly allow-list in production.
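Both the earlier suggestion of blocking all non-Maesh traffic with Kubernetes NetworkPolicies and the remark above that it is up to network policy, not the mesh, to make traffic go through the proxy come down to the same object: a default-deny egress policy with exceptions for DNS and the mesh proxies. The manifest below is an added example, not something from the issue or from the Maesh project. It assumes the cluster CNI actually enforces NetworkPolicy (the API object alone enforces nothing), that the application pods live in a namespace called `app`, that the Maesh proxy pods run in a namespace you have labelled `name=maesh`, and that cluster DNS is served by pods labelled `k8s-app=kube-dns` in a `kube-system` namespace you have labelled `name=kube-system` (`kubectl label namespace kube-system name=kube-system`).

```yaml
# Added example (not the issue's or Maesh's own config): default-deny egress for
# every pod in the "app" namespace, allowing only cluster DNS and the mesh proxies.
# Assumed labels: name=kube-system and name=maesh on the respective namespaces,
# k8s-app=kube-dns on the DNS pods; adjust them to your cluster.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-egress-except-mesh
  namespace: app
spec:
  podSelector: {}          # empty selector = every pod in the namespace
  policyTypes:
  - Egress                 # ingress is left untouched by this policy
  egress:
  # 1. DNS, so that service names (including the .maesh names) still resolve.
  #    namespaceSelector + podSelector in one "to" entry are ANDed together.
  - to:
    - namespaceSelector:
        matchLabels:
          name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  # 2. The mesh proxies, on any port, so services reached via the mesh keep working.
  - to:
    - namespaceSelector:
        matchLabels:
          name: maesh
```

Apply it with `kubectl apply -f deny-egress-except-mesh.yaml`, then check it from inside the namespace: `kubectl -n app run egress-test --rm -it --image=curlimages/curl -- curl -m 5 https://example.com` should time out, while a call to a service exposed through the mesh should still succeed. Two caveats a reviewer would want stated: the policy selects only pods in `app`, so the proxy pods themselves keep unrestricted egress and are now the one place to watch; and since Maesh only handles traffic addressed to mesh service names, requests to arbitrary internet hosts are simply dropped rather than routed through the mesh, which is the gap this issue asks to close.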


5 participants