|
| 1 | +# GEP 1856: Egress Route |
| 2 | +Issue: [#1856](https://github.com/kubernetes-sigs/gateway-api/issues/1856) |
| 3 | + |
| 4 | +Status: Provisional|Implementable|Experimental|Standard|Deferred|Rejected|Withdrawn|Replaced |
| 5 | + |
| 6 | +## TLDR |
| 7 | +Egress traffic is any traffic that originates inside a Kubernetes cluster that is bound for a resource outside of the cluster. Egress Traffic in Kubernetes is a common use case for Service Providers to provision outbound traffic that requires a Gateway resource to provide Source Network Address Translation (SNAT) capabilities. |
| 8 | + |
| 9 | +We propose a Gateway API Route allowing us to describe the path for an application to reach an endpoint outside of the cluster. The egress path is protocol agnostic and the Gateway can be connected to multiple external networks. |
| 10 | + |
| 11 | +## Goals |
| 12 | +- Provide a standardize configuration for provisioning egress for any protocol through a single Gateway. |
| 13 | +- Egress Gateways can be connected to different external networks. |
| 14 | +- Provision for using SNAT to allow for identification of cloud-native network functions (CNFs) via engineered IP assignments for security purposes. |
| 15 | +- Allow CNFs to be addressed by their external IPs regardless of whether they are being access from within the cluster or from outside the cluster. |
| 16 | + |
| 17 | +## Non-Goals |
| 18 | +Security functionality should be kept outside this "route". We can have these be referenced as appropriate. |
| 19 | + |
| 20 | +IP address management for SNATing will not duplicate non-trivial IPAM (IP address management) capabilities, only simple capability will be provided here. |
| 21 | + |
| 22 | +Potential future use cases such as: |
| 23 | + |
| 24 | +- Provision for using SNAT to allow for IPv4 to IPv6 translation on the way out of the cluster. |
| 25 | +- Allow CNFs using peering protocols like Diameter to function by allowing connections to originate in either direction. |
| 26 | +- Allow attaching policies (specifics to come later). |
| 27 | + |
| 28 | +## Introduction |
| 29 | +There are a number of scenarios where it is very useful to control and direct access to multiple external network domains. This is explained, in some detail for Telco use cases in the linked document, below, but it is also true for other scenarios – for example, any time you have an isolated network (vlan, vrf, etc.) that should be accessed by certain apps on not others. An example might be a front-end server that is exposed to the Internet versus a back-end database that is isolated. |
| 30 | + |
| 31 | +Telco use cases: https://docs.google.com/document/d/13xAF_pqH2bV8x4MfXWde47esCdVwow1-nig6iy_rafA/edit |
| 32 | + |
| 33 | +When there are multiple external networks involved, there needs to be a model for how to control access to the different networks. The suggested model in this GEP is to allow the Infrastructure Provider to define what networks are available for a Gateway Class. Each Gateway instantiated would then connect to a single one of the networks, with those Gateways allowing routes to/from defined K8S namespaces. This allows the Cluster Operator to control who accesses each of the external networks. In the model, the application developers need only to request routes to/from the right Gateways. |
| 34 | + |
| 35 | +``` |
| 36 | +Diagram: EgressRoute to POD |
| 37 | +
|
| 38 | + ------------------- |
| 39 | +Infrastructure Provider -------> | Gateway Class | <-- Configure: Available Networks |
| 40 | + ------------------- |
| 41 | + | |
| 42 | + ------------------ |
| 43 | +Cluster Operator -------> | Gateway | <-- Select: Single Network |
| 44 | + ------------------ |
| 45 | + / \ |
| 46 | +Application Developer -------> / ------------------ |
| 47 | + / | EgressRoute | |
| 48 | + / ------------------ |
| 49 | + ------------------ \ |
| 50 | + | HTTPROUTE | ------------------ |
| 51 | + ------------------ | POD | |
| 52 | + / ------------------ |
| 53 | + ------------------ |
| 54 | + | SERVICE | |
| 55 | + ------------------ |
| 56 | +``` |
| 57 | + |
| 58 | +Beyond connecting to multiple external network domains, it is very important in many scenarios (specifically including Telco) to be able to identify individual applications egressing a cluster, based on the source IP. In scenarios where firewalls and access control lists (ACLs) are in use, it is standard to control access based on source/destination IP addresses. For those firewall policies to be meaningful, it is vital for application traffic to be individually identifiable, based on source IP. Because of this, controlling the source IP (SNAT) on egressing traffic is a key use case. |
| 59 | + |
| 60 | +## API |
| 61 | +(... details, can point to PR with changes) |
| 62 | + |
| 63 | +## Alternatives |
| 64 | +(List other design alternatives and why we did not go in that direction) |
| 65 | + |
| 66 | +## References |
| 67 | +(Add any additional document links. Again, we should try to avoid too much content not in version control to avoid broken links) |
0 commit comments