ZoneEgress proxy is used when it is required to isolate outgoing traffic (to services in other
zones or external services in the local zone).
and you want to achieve isolation of outgoing traffic (to services in other
zones or external services in the local zone),
you can use
This proxy is not attached to any particular workload. In multi-zone the proxy is bound to a specific zone. Zone Egress can proxy the traffic between all meshes, so we need only one deployment for every zone.
When Zone Egress is present:
- In multi-zone, all requests that are sent from local data plane proxies to other zones will be directed through the local Zone Egress instance, which then will direct the traffic to the proper instance of the Zone Ingress.
- All requests that are sent from local data plane proxies to external services available within the Zone will be directed through the local Zone Egress instance.
ZoneEgress is a purely optional component.
In the future it will become compulsory for using external services.
ZoneEgress entity includes a few sections:
type: must be
name: this is the name of the
ZoneEgressinstance, and it must be unique for any given
networking: contains networking parameters of the Zone Egress
address: the address of the network interface Zone Egress is listening on.
port: is a port that Zone Egress is listening on
admin: determines parameters related to Envoy Admin API
port: the port that Envoy Admin API will listen to
zone[auto-generated on Kuma CP] : zone where Zone Egress belongs to
The recommended way to deploy a
ZoneEgress proxy in Kubernetes is to use
kumactl, or the Helm charts as specified in multi-zone.
It works as a separate deployment of a single-container pod.
kumactl install control-plane \ --egress-enabled \ [...] | kubectl apply -f -
kumactl install control-plane \ --mode=zone \ --zone=<my-zone> \ --kds-global-address grpcs://`<global-kds-address>` \ --egress-enabled \ [...] | kubectl apply -f -
ZoneEgress deployment can be scaled horizontally.
mTLS is required to enable
ZoneEgress. In addition, there’s a configuration in the
Mesh policy to route traffic through the
echo "apiVersion: kuma.io/v1alpha1 kind: Mesh metadata: name: default spec: routing: zoneEgress: true mtls: # mTLS is required to use ZoneEgress [...]" | kubectl apply -f -
This configuration will force cross zone communication to go through
ZoneEgress. If enabled but no
ZoneEgress is available the communication will fail.