Careful!

You are browsing documentation for a version of Kuma that is not the latest release.

Looking for even older versions? Learn more.

Zone Egress

ZoneEgress proxy is used when it is required to isolate outgoing traffic (to services in other zones or external services in the local zone). and you want to achieve isolation of outgoing traffic (to services in other zones or external services in the local zone), you can use ZoneEgress proxy.

This proxy is not attached to any particular workload. In multi-zone the proxy is bound to a specific zone. Zone Egress can proxy the traffic between all meshes, so we need only one deployment for every zone.

When Zone Egress is present:

  • In multi-zone, all requests that are sent from local data plane proxies to other zones will be directed through the local Zone Egress instance, which then will direct the traffic to the proper instance of the Zone Ingress.
  • All requests that are sent from local data plane proxies to external services available within the Zone will be directed through the local Zone Egress instance.

Currently ZoneEgress is a purely optional component. In the future it will become compulsory for using external services.

The ZoneEgress entity includes a few sections:

  • type: must be ZoneEgress.
  • name: this is the name of the ZoneEgress instance, and it must be unique for any given zone.
  • networking: contains networking parameters of the Zone Egress
    • address: the address of the network interface Zone Egress is listening on.
    • port: is a port that Zone Egress is listening on
    • admin: determines parameters related to Envoy Admin API
      • port: the port that Envoy Admin API will listen to
  • zone [auto-generated on Kuma CP] : zone where Zone Egress belongs to

The recommended way to deploy a ZoneEgress proxy in Kubernetes is to use kumactl, or the Helm charts as specified in multi-zone. It works as a separate deployment of a single-container pod.

Standalone:

kumactl install control-plane \
  --egress-enabled \
  [...] | kubectl apply -f -

Multi-zone:

kumactl install control-plane \
  --mode=zone \
  --zone=<my-zone> \
  --kds-global-address grpcs://`<global-kds-address>` \
  --egress-enabled \
  [...] | kubectl apply -f -

A ZoneEgress deployment can be scaled horizontally.

Configuration

mTLS is required to enable ZoneEgress. In addition, there’s a configuration in the Mesh policy to route traffic through the ZoneEgress

echo "apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  routing:
    zoneEgress: true
  mtls: # mTLS is required to use ZoneEgress
    [...]" | kubectl apply -f -

This configuration will force cross zone communication to go through ZoneEgress. If enabled but no ZoneEgress is available the communication will fail.

Last Updated: 11/4/2022, 19:20:08 PM