Level 7 Egress Control in Kubernetes: Current Solutions, Future Standards

Thursday, 12 October, 2023 - 09:00 to 09:40

Joshua Fox, DoiT International

Abstract: 

Until recently, you could not control outgoing traffic to a given Fully Qualified Domain Name (FQDN) using Kubernetes Network Policies. You could use ordinary firewalls, but these are defined by IP address, not by domain. Even network firewalls that recognize domains do not work in Kubernetes terms; for example, they cannot restrict egress by namespace or by pod label.

Cilium and Istio do provide this ability, but at the cost of an additional network layer (a CNI plugin or a service mesh, respectively).

Google Kubernetes Engine (GKE) has just come out with a preview release of FQDN-aware egress control for Kubernetes Network Policies.

I will describe this and show how it fits into the effort now in progress in the Kubernetes Network Special Interest Group (SIG Network) to define FQDN egress control as a standard part of every compliant Kubernetes cluster.
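The contrast the abstract draws, as an added example that is not part of the talk or the author's material: the same egress intent ("pods labelled app: billing may only reach api.example.com on 443") expressed first as a plain Kubernetes NetworkPolicy, which can only allow by IP range, and then as a GKE FQDNNetworkPolicy and a CiliumNetworkPolicy, which allow by name. The namespace `payments`, the label `app: billing`, the domain `api.example.com` and the CIDR are constructed placeholders; the GKE and Cilium field names follow the public docs for those APIs as of 2023 and should be verified against the versions you run.

```yaml
# 1. Plain Kubernetes NetworkPolicy: egress is expressed by namespace/pod
#    selectors or by ipBlock. The CIDR below is a constructed placeholder for
#    "whatever api.example.com resolves to today"; when the provider changes
#    addresses the policy silently breaks or over-allows.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: billing-egress-ip-only
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: billing
  policyTypes: ["Egress"]
  egress:
  # DNS to kube-dns must still be allowed, or name resolution fails outright.
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  - to:
    - ipBlock:
        cidr: 203.0.113.0/24   # constructed example range (TEST-NET-3), not a real API
    ports:
    - protocol: TCP
      port: 443
---
# 2. GKE FQDN Network Policy (preview in 2023; requires GKE Dataplane V2).
#    Same pod selection, but the allow-list is by name and GKE resolves and
#    tracks the addresses itself. The API group/version is the preview one
#    (networking.gke.io/v1alpha3); confirm it against current GKE docs.
apiVersion: networking.gke.io/v1alpha3
kind: FQDNNetworkPolicy
metadata:
  name: billing-egress-fqdn
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: billing
  egress:
  - matches:
    - name: api.example.com         # exact name (assumed placeholder)
    - pattern: "*.example.com"      # wildcard match
    ports:
    - protocol: TCP
      port: 443
---
# 3. Cilium's equivalent, the "additional network layer" the abstract mentions.
#    Cilium learns name->IP mappings from DNS answers it proxies, so DNS to
#    kube-dns must be allowed through that proxy (the rules.dns block). Without
#    it, toFQDNs never learns any addresses and the rule matches nothing.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: billing-egress-fqdn
  namespace: payments
spec:
  endpointSelector:
    matchLabels:
      app: billing
  egress:
  - toEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: kube-system
        k8s:k8s-app: kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"
  - toFQDNs:
    - matchName: api.example.com
    - matchPattern: "*.example.com"
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
```

Two checks worth doing before relying on either name-based form: confirm that a pod which resolves the name and then connects is allowed, and that a pod which connects directly to the same IP without a prior DNS lookup is not, since both GKE and Cilium derive the permitted addresses from observed DNS answers rather than from a static list.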

Joshua Fox, DoiT International

Joshua Fox advises tech startups and growth companies about the cloud. Along with that, he writes open source, publishes technical articles, and speaks to cloud engineers as a Google Developer Expert.

His background includes a long career as a software architect in innovative technology companies.

He has a PhD from Harvard University and a BA in math from Brandeis.

BibTeX
@conference {292091,
author = {Joshua Fox},
title = {Level 7 Egress Control in Kubernetes: Current Solutions, Future Standards},
year = {2023},
address = {Dublin},
publisher = {USENIX Association},
month = oct
}
