Goal: Configure egress access control for specific workloads so they are allow to external DNS domain.
-
Implement DNS policy to allow the external endpoint access from a specific workload, e.g.
dev/centos.a. Apply a policy to allow access to
api.twilio.comendpoint using DNS rule.# deploy dns policy kubectl apply -f demo/dns-egress-control/dns-policy.yaml# test egress access to api.twilio.com kubectl -n dev exec -t centos -- sh -c 'curl -m3 -skI https://api.twilio.com 2>/dev/null | grep -i http' # test egress access to www.google.com kubectl -n dev exec -t centos -- sh -c 'curl -m3 -skI https://www.google.com 2>/dev/null | grep -i http'
Access to the
api.twilio.comendpoint should be allowed by the DNS policy and any other external endpoints likewww.google.comshould be denied.b. Modify the policy to include
*.google.comin dns policy and test egress access to www.google.com again.# test egress access to www.google.com again and it should be allowed. kubectl -n dev exec -t centos -- sh -c 'curl -m3 -skI https://www.google.com 2>/dev/null | grep -i http'
-
Edit the policy to use a
NetworkSetwith DNS domain instead of inline DNS rule.a. Apply a policy to allow access to
api.twilio.comendpoint using DNS policy.# deploy network set kubectl apply -f demo/dns-egress-control/netset.allowed-dns.yaml # deploy DNS policy using the network set kubectl apply -f demo/dns-egress-control/dns-policy.netset.yaml
# test egress access to api.twilio.com kubectl -n dev exec -t centos -- sh -c 'curl -m3 -skI https://api.twilio.com 2>/dev/null | grep -i http' # test egress access to www.google.com kubectl -n dev exec -t centos -- sh -c 'curl -m3 -skI https://www.google.com 2>/dev/null | grep -i http'
b. Modify the
NetworkSetto includewww.google.comin dns domain and test egress access to www.google.com again.
# test egress access to www.google.com again and it should be allowed. kubectl -n dev exec -t centos -- sh -c 'curl -m3 -skI https://www.google.com 2>/dev/null | grep -i http'
