
Traffic Control

This guide explains how to manage per-namespace access control for egress traffic using Istio sidecars and service entries (Outbound Traffic Control on Shakudo). The UI lets you grant full access, block access completely, or grant access to specific hosts. It also includes an air gap mode that blocks all egress traffic on all namespaces. The UI creates the necessary Istio objects to manage your traffic; the explanation here only shows what happens in the backend.

Table of Contents

  1. Introduction
  2. Access Control Options
  3. Managing Access via UI
  4. Air Gap Mode
  5. Backend Automation
  6. Example Scenarios
  7. Conclusion

1. Introduction

Istio provides a robust solution for managing egress traffic control in a Kubernetes environment. This guide explains how to use our UI to manage namespace access control, including cluster air gap mode, full access, no access, and host-specific access.

2. Access Control Options

Air Gap Mode

Blocks access to all external services on all namespaces.

Full Access

Granting full access allows a namespace to communicate freely with external services without any restrictions.

No Access

Blocking access completely prevents a namespace from communicating with any external services.

Partial Access

Granting access to specific hosts allows a namespace to communicate only with specified external services.

3. Managing Access via UI

Granting Full Access

  1. Open the UI and navigate to Admin > Outbound Traffic Access.
  2. Select the settings of the namespace you want to configure.
  3. Choose the "Full Access" option.
  4. Click "Save" to save the changes.

Blocking Access Completely

  1. Open the UI and navigate to Admin > Outbound Traffic Access.
  2. Select the settings of the namespace you want to configure.
  3. Choose the "No Access" option.
  4. Click "Save" to save the changes.

Granting Access to Specific Hosts

  1. Open the UI and navigate to Admin > Outbound Traffic Access.
  2. Select the settings of the namespace you want to configure.
  3. Choose the "Partial Access" option.
  4. Enter a comma-separated list of valid hosts, for example: .ca, .com, example.com, my.example.com, *.my.example.com. A wildcard on its own is not allowed.
  5. Click "Save" to save the changes.

4. Air Gap Mode

Air Gap mode blocks access to all egress traffic on all namespaces. This mode is useful for environments that require complete isolation from external networks.

To enable Air Gap mode:

  1. Open the UI and navigate to the Outbound Traffic Access mode section.
  2. Enable Air Gap mode.
  3. Confirm your change and wait for it to be applied.

5. Backend Automation

Our backend handles the creation of service entries and sidecars based on the UI selections. When a user selects an access control option, the backend will automatically create the necessary Istio configurations to enforce the desired access control.

6. Example Scenarios

Scenario 1: Granting Full Access

  • Namespace: namespace1
  • Action: Grant full access
  • Result: namespace1 can communicate with all external services.

Scenario 2: Blocking Access Completely

  • Namespace: namespace2
  • Action: Block access completely
  • Result: namespace2 cannot communicate with any external services.

Scenario 3: Granting Access to Specific Hosts

  • Namespace: namespace3
  • Action: Grant access to specific hosts (e.g., example.com, api.example.com)
  • Result: namespace3 can only communicate with example.com and api.example.com.
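For Scenario 3, a sketch of how host-specific egress is commonly expressed with a plain Istio Sidecar and ServiceEntry. This is an added illustration, not the objects Shakudo's backend generates; the object names, port 443 and the TLS protocol are assumptions.

```yaml
# Added illustration, not Shakudo's generated output. Object names are hypothetical.
# Sidecar: limit namespace3 workloads to destinations known to the mesh registry.
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: default                 # hypothetical; no workloadSelector, so it applies namespace-wide
  namespace: namespace3
spec:
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY         # traffic to unregistered hosts is dropped, not passed through
  egress:
    - hosts:
        - "./*"                 # services and ServiceEntries in namespace3
        - "istio-system/*"      # mesh control plane and gateways
---
# ServiceEntry: register the two allowed external hosts, visible to namespace3 only.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: allowed-egress-hosts    # hypothetical name
  namespace: namespace3
spec:
  hosts:
    - example.com
    - api.example.com
  exportTo:
    - "."                       # do not leak the allowance to other namespaces
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
    - number: 443               # assumed: HTTPS only
      name: tls
      protocol: TLS
```

Sidecar-based egress rules are enforced by the proxy inside each pod, so when the workload itself is not trusted they are typically paired with a Kubernetes NetworkPolicy or an egress gateway.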

7. Conclusion

This guide provides detailed instructions for managing namespace access control to egress traffic on Istio using our UI. By following these steps, you can effectively control egress traffic in your cluster.