Skip to main content

Outbound Traffic Access

Overview

The Outbound Traffic Access panel provides granular control over network egress (outbound traffic) from Kubernetes namespaces in the Shakudo cluster. This feature enables administrators to implement security policies by restricting which external hosts and services workloads can access, including a cluster-wide Air Gap Mode for complete network isolation.

Access & Location

  • Route: ?panel=outbound-traffic-access
  • Navigation: Network → Outbound Traffic Access
  • Access Requirements: dashboard-admin
  • Feature Flags: None

Key Capabilities

Cluster-Wide Air Gap Mode

Enable or disable Air Gap Mode across the entire cluster. When enabled, all namespaces are completely isolated from external networks, blocking all outbound traffic. This provides maximum security for sensitive environments but prevents access to external APIs, package repositories, and other internet resources.

Per-Namespace Traffic Control

Configure outbound traffic policies for individual namespaces with three granular access levels:

  • Full Access: Allow all outbound traffic from the namespace
  • No Access: Block all outbound traffic (complete isolation)
  • Partial Access: Allow traffic only to specific whitelisted hosts

Host Whitelisting

Define specific external hosts that workloads in a namespace can access. Supports domain patterns including wildcards (e.g., *.example.com, api.service.com).

User Interface

Main View

The panel displays a grid of namespace cards, with each card showing:

  • Namespace name
  • Current access status (indicated by shield icon):
    • Green shield (solid): Namespace has no outbound access and is protected
    • Green shield (outlined): Namespace has partial access (specific hosts whitelisted)
    • No icon: Namespace has full outbound access
  • Settings button to configure namespace-specific policies

The view includes:

  • Air Gap Mode toggle (top right): Global switch to enable/disable cluster-wide traffic blocking
  • Search field: Filter namespaces by name
  • Backdrop overlay: When Air Gap Mode is enabled or updating, an informational overlay appears over all namespace cards

Dialogs & Modals

  1. Air Gap Mode Confirmation Dialog

    • Purpose: Confirm enabling or disabling cluster-wide Air Gap Mode
    • Actions: Confirm or Cancel
    • Warning: Explains that enabling blocks all outbound traffic, disabling restores access

  2. Namespace Settings Dialog

    • Purpose: Configure outbound traffic policy for a specific namespace
    • Fields:
      • Three access level options (radio buttons):
        • Full Access: Allow all outbound traffic
        • No Access: Allow no outbound traffic
        • Partial Access: Allow only some hosts
      • Host(s) field: Comma-separated list of allowed hosts (visible only when Partial Access is selected)
    • Actions: Save or Close
    • Validation: Hosts must match the pattern *.domain.com or subdomain.domain.com

Tables & Data Grids

The panel uses a responsive grid layout (not a table) to display namespace cards:

  • Grid adapts to screen size: 6 columns (xs), 4 columns (sm), 2 columns (md)
  • Each card is clickable to open settings
  • Cards are disabled when Air Gap Mode is active

Technical Details

GraphQL Operations

Queries:

  • getNamespaces - Retrieves all user-accessible namespaces (excludes system namespaces like istio-system, kube-system, hyperplane-core, etc.)
  • isAirGapModeOn - Checks if cluster-wide Air Gap Mode is currently enabled
  • namespace($namespace) - Fetches outbound egress control details for a specific namespace, including:
    • allowGlobalOutboundAccess: Boolean indicating if namespace has full access
    • allowedHosts: Array of whitelisted host patterns
    • outboundTrafficPolicyActive: Boolean indicating if traffic policy is active

Mutations:

  • toggleAirGapMode($enable) - Enables or disables cluster-wide Air Gap Mode
  • enableNamespaceBlanketAccess($namespace) - Grants full outbound access to a namespace
  • disableNamespaceBlanketAccess($namespace) - Removes all outbound access from a namespace
  • setNamespaceAllowedHosts($namespace, $hosts) - Sets specific whitelisted hosts for a namespace

Subscriptions: None

Component Structure

  • Main Component: components/TrafficControl/Panel.tsx
  • Namespace Grid: components/TrafficControl/Namespaces.tsx
  • Namespace Card: components/TrafficControl/Card.tsx
  • Air Gap Mode Toggle: components/TrafficControl/AirGapModeSwitch.tsx
  • Settings Dialog: components/TrafficControl/NamespaceSettings.tsx

State Management

  • Uses Jotai atoms for global state:
    • AirGapModeOnAtom: Tracks whether Air Gap Mode is enabled
    • AirGapModeUpdatingAtom: Tracks whether Air Gap Mode is currently updating
  • Apollo Client for GraphQL data fetching and caching
  • Local component state for dialog open/close and form inputs

Common Workflows

Enable Air Gap Mode for Maximum Security

  1. Navigate to Network → Outbound Traffic Access
  2. Click the "Air Gap Mode" toggle switch in the top right
  3. Review the confirmation dialog warning about blocking all outbound traffic
  4. Click "Confirm" to enable
  5. Wait for the update to complete (backdrop overlay will show progress)
  6. All namespace cards will be disabled and overlaid with Air Gap Mode message

Configure Namespace for Partial Access

  1. Locate the target namespace card in the grid (use search if needed)
  2. Click the "Settings" button on the namespace card
  3. In the dialog, select "Partial Access"
  4. Enter comma-separated host patterns in the hosts field (e.g., api.github.com, *.npmjs.org)
  5. Click "Save"
  6. The namespace card will display a green outlined shield icon indicating partial access

Block All Traffic from a Namespace

  1. Find the namespace card and click "Settings"
  2. Select "No Access" option
  3. Click "Save"
  4. The namespace card will display a solid green shield icon indicating it's protected

Restore Full Access to a Namespace

  1. Open the namespace's Settings dialog
  2. Select "Full Access" option
  3. Click "Save"
  4. The shield icon will disappear, indicating unrestricted access
  • Stack Components Panel - Components deployed in namespaces are affected by traffic policies
  • Sessions Panel - Development environments run in namespaces and may need external access
  • Jobs Panel - Pipeline jobs run in namespaces and may require access to external data sources

Notes & Tips

Important Considerations

  • Air Gap Mode overrides all namespace settings: When enabled, even namespaces configured for full access will be blocked
  • System namespaces are excluded: Core infrastructure namespaces (istio-system, kube-system, hyperplane-core, etc.) are not shown or affected by these controls
  • Changes take effect immediately: There is no grace period when enabling restrictions
  • Validation is strict: Host patterns must be valid domains with optional wildcard prefixes (e.g., *.example.com is valid, example.* is not)

Best Practices

  • Start with least privilege: Configure namespaces with No Access by default, then add specific hosts as needed
  • Use wildcards carefully: *.domain.com allows access to all subdomains, which may be broader than needed
  • Test before production: Enable Air Gap Mode in a test environment first to identify external dependencies
  • Document exceptions: Keep a record of which namespaces need external access and why
  • Regular audits: Periodically review namespace access settings to remove unnecessary permissions

Troubleshooting

  • Workloads failing after enabling restrictions: Check logs for connection errors, then add required hosts to the allowed list
  • Unable to save settings: Ensure host patterns are valid domain names (no IP addresses, must include TLD)
  • Changes not taking effect: Air Gap Mode may be enabled at the cluster level, blocking all traffic regardless of namespace settings
  • Settings button disabled: Air Gap Mode is currently enabled or updating; wait for it to complete or disable Air Gap Mode first
Last updated on by chyuen-devsentient