Install

Requirement

Egressgateway currently supports collaboration with Calico CNI and will support collaboration with more CNIs in the future. Below are the configuration methods for different CNIs:

Calico

Calico's chainInsertMode must be set to Append, as in the example below. See the Calico documentation for more details:

apiVersion: projectcalico.org/v3
kind: FelixConfiguration
metadata:
  name: default
spec:
  ipv6Support: false
  ipipMTU: 1400
  chainInsertMode: Append # (1)
  1. add this line

Install

Add helm repository

helm repo add egressgateway https://spidernet-io.github.io/egressgateway/
helm repo update

Install egressgateway

The following is a common chart setting option:

feature:
  enableIPv4: true
  enableIPv6: false # (1)
  tunnelIpv4Subnet: "192.200.0.1/16" # (2)
  tunnelIpv6Subnet: "fd01::21/112"   # (3)
  1. Requires Pods to support the IPv6 stack
  2. IPv4 tunnel subnet
  3. IPv6 tunnel subnet

Install the chart with these values, then check that the egress CRDs were created:

helm install egressgateway egressgateway/egressgateway \
  --values values.yaml \
  --wait --debug

kubectl get crd | grep egress

Create EgressGateway

Create an EgressGateway CR. Its matchLabels selector sets which node acts as the egress gateway node.

apiVersion: egressgateway.spidernet.io/v1beta1
kind: EgressGateway
metadata:
  name: default
spec:
  clusterDefault: true
  ippools:
    ipv4:
      - "10.6.1.60-10.6.1.66" # (1)  
  nodeSelector:
    selector:
      matchLabels:
        kubernetes.io/hostname: workstation2 # (2)
  1. Egress address pool
  2. Change me, select a node in your cluster

Create Example App

Create a testing Pod to simulate an application that requires egress.

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: mock-app
  name: mock-app
  namespace: default
spec:
  containers:
   - image: nginx
     imagePullPolicy: IfNotPresent
     name: nginx
     resources: {}
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  nodeName: workstation1 # (1)
  1. Change me, select a non-egress gateway node in your cluster

Create EgressPolicy

By creating an EgressPolicy CR, you control which Pods must go through the egress gateway, and for which destination addresses.

apiVersion: egressgateway.spidernet.io/v1beta1
kind: EgressPolicy
metadata:
  name: mock-app
spec:
  appliedTo:
    podSelector:
      matchLabels:             # (1)
        app: mock-app
  destSubnet:
    - 10.6.1.92/32             # (2)
  1. Select Pods that need to perform Egress operations by setting matchLabels.
  2. By setting destSubnet, only matched Pods will perform Egress operations when accessing a specific subnet.

Now, traffic from mock-app accessing 10.6.1.92 will be forwarded through the egress gateway.

Test

When mock-app accesses the external service, the source IP that the service sees is the IP address of the EgressGateway.

kubectl exec -it mock-app -- bash
$ curl 10.6.1.92:8080
Remote IP: 10.6.1.60
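
The manual test above can be turned into a repeatable check that the source address seen by the external service really comes from the egress pool, which is what any firewall allowlist built on that pool depends on. This is an added example, not part of the egressgateway project; the function names are hypothetical, and it assumes the external service replies with a "Remote IP: ..." line as in the output above.

```shell
#!/bin/sh
# Added example. POOL and DEST_SUBNET are copied from the manifests on this page.
POOL="10.6.1.60-10.6.1.66"   # EgressGateway spec.ippools.ipv4 entry
DEST_SUBNET="10.6.1.92/32"   # EgressPolicy spec.destSubnet entry

# Convert a dotted-quad IPv4 address to an integer; fail on malformed input.
ip_to_int() {
  case "$1" in *[!0-9.]*|*..*|.*|*.|'') return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
    [ "$o" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# True when IP ($2) lies inside the inclusive "start-end" range ($1).
ip_in_pool() {
  ip=$(ip_to_int "$2") || return 1
  lo=$(ip_to_int "${1%-*}") || return 1
  hi=$(ip_to_int "${1#*-}") || return 1
  [ "$ip" -ge "$lo" ] && [ "$ip" -le "$hi" ]
}

# True when IP ($2) falls inside the CIDR ($1), e.g. a destSubnet entry.
ip_in_cidr() {
  ip=$(ip_to_int "$2") || return 1
  net=$(ip_to_int "${1%/*}") || return 1
  bits=${1#*/}
  [ "$bits" -ge 0 ] 2>/dev/null && [ "$bits" -le 32 ] || return 1
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Args: destination IP, reply line from the external service.
# Prints "ok" (source is a pool address), "leak" (destination is covered by
# the policy but the source is not from the pool), or "not-covered".
check_egress() {
  seen=${2#"Remote IP: "}
  if ! ip_in_cidr "$DEST_SUBNET" "$1"; then echo "not-covered"; return 0; fi
  if ip_in_pool "$POOL" "$seen"; then echo "ok"; else echo "leak"; return 1; fi
}

# Usage against the cluster (not run here):
#   check_egress 10.6.1.92 "$(kubectl exec mock-app -- curl -s 10.6.1.92:8080)"
```

A "leak" result means traffic to a covered destination left the cluster without being rewritten to a pool address, so it is worth alerting on in CI or a periodic job.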