
CDE Egress Gateway

Introduction

To control outbound traffic from pods in the CDE namespace, we run an Istio waypoint proxy as an egress gateway. Traffic from a CDE pod to an approved external host is routed through the gateway, and all other external traffic is blocked by network policy, which limits the paths available for exfiltrating data out of the cluster.

How it works

Our main namespaces, including the CDE namespace, are part of an Istio ambient mesh (see this doc for a quick refresher). Istio can control traffic routing for all pods that are part of the ambient mesh.

Istio Service Entry

A Service Entry defines the external hosts and ports that Istio knows about. In our case the Service Entry is attached to the egress gateway, so Istio routes traffic for those hosts through the gateway instead of letting it leave the cluster directly.

Note: Istio ambient mesh currently does not support scoping a Service Entry to a single namespace; every Service Entry applies to all namespaces in the mesh. To keep pods in non-CDE namespaces from routing their traffic through the CDE egress gateway, we create a placeholder Service Entry (same hosts, no gateway attached) in each namespace that does not need the egress gateway.
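The pieces described above, written out as manifests. This is an added example, not the page's own configuration: an egress waypoint in the CDE namespace, a Service Entry in that namespace attached to it with the istio.io/use-waypoint label (the label Istio ambient uses to send a Service Entry's traffic through a waypoint), and the placeholder Service Entry from the note in a non-CDE namespace. The namespace names (cde, team-a), the waypoint name (cde-egress) and the host (api.example.com) are assumptions.

```yaml
# Added example, not the page's own manifests. Assumed names: namespace "cde",
# waypoint "cde-egress", non-CDE namespace "team-a", host "api.example.com".

# 1. The egress waypoint. Istio's gateway controller turns this Gateway into a
#    waypoint Deployment in the cde namespace; "waypoint-for: service" makes it
#    handle traffic addressed to Services and Service Entries.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: cde-egress
  namespace: cde
  labels:
    istio.io/waypoint-for: service
spec:
  gatewayClassName: istio-waypoint
  listeners:
  - name: mesh
    port: 15008
    protocol: HBONE
---
# 2. Service Entry in the CDE namespace. The use-waypoint label is what routes
#    traffic for these hosts through the egress waypoint. With protocol TLS the
#    waypoint passes the pod's TLS connection through unchanged; the allowlist
#    is the set of hosts in Service Entries carrying this label.
apiVersion: networking.istio.io/v1
kind: ServiceEntry
metadata:
  name: api-example-com
  namespace: cde
  labels:
    istio.io/use-waypoint: cde-egress
spec:
  hosts:
  - api.example.com
  ports:
  - number: 443
    name: tls
    protocol: TLS
  location: MESH_EXTERNAL
  resolution: DNS
---
# 3. Placeholder in a non-CDE namespace: same host and ports, no use-waypoint
#    label. Per the note above, this keeps team-a's traffic to api.example.com
#    off the CDE gateway.
apiVersion: networking.istio.io/v1
kind: ServiceEntry
metadata:
  name: api-example-com
  namespace: team-a
spec:
  hosts:
  - api.example.com
  ports:
  - number: 443
    name: tls
    protocol: TLS
  location: MESH_EXTERNAL
  resolution: DNS
```

Adding a host means adding it to the CDE Service Entry (or a new labelled Service Entry) and to the placeholders; a host present only in the CDE entry would, given the global propagation described in the note, also pull non-CDE traffic through the CDE gateway.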

Network policies

Istio only intercepts traffic to destinations it knows about, that is, Services and Service Entries. A connection to a host that is not in any Service Entry bypasses the waypoint and leaves the cluster directly, so Istio cannot by itself block unwanted egress.
To block that traffic we use Kubernetes network policies, configured as follows:
- Block all HTTPS traffic to external endpoints from CDE pods
- Allow traffic from CDE pods to the egress gateway pod
- Allow HTTPS traffic to external endpoints from the egress gateway pod
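The three rules above as Kubernetes NetworkPolicy objects. This is an added example, not the page's own policies. It assumes the namespace is cde, that the waypoint pods carry the label gateway.networking.k8s.io/gateway-name=cde-egress that Istio's gateway controller puts on them (confirm with kubectl get pods -n cde --show-labels before relying on it), that kube-dns is labelled k8s-app=kube-dns in kube-system and istiod app=istiod in istio-system, and that 10.0.0.0/8 is the cluster's pod and service range. Two details the list does not spell out: in ambient mode a pod reaches the waypoint (and other pods) over HBONE on TCP 15008, and because NetworkPolicy is allowlist-only, "block HTTPS" is achieved by allowing nothing external, which blocks every external port, not only 443.

```yaml
# Added example, not the page's own policies. Assumed: namespace "cde", waypoint
# pods labelled gateway.networking.k8s.io/gateway-name=cde-egress, kube-dns
# labelled k8s-app=kube-dns, istiod labelled app=istiod, 10.0.0.0/8 in-cluster.

# 1. Workload pods in the CDE namespace. NetworkPolicy has no deny rule: once a
#    pod is selected by an Egress policy, anything not listed is dropped, so
#    "block external HTTPS" is simply the absence of an external allow. This
#    blocks every external port, not only 443.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cde-workloads-egress
  namespace: cde
spec:
  podSelector:
    matchExpressions:
    - key: gateway.networking.k8s.io/gateway-name
      operator: DoesNotExist   # every pod except the waypoint itself
  policyTypes:
  - Egress
  egress:
  # DNS, otherwise nothing resolves
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
  # In-cluster traffic (Pod A -> Pod B in the diagram). In ambient mode this is
  # carried between ztunnels on TCP 15008, so do not narrow it to app ports.
  - to:
    - namespaceSelector: {}
  # The egress waypoint over HBONE. Already covered by the rule above; kept as
  # its own rule so it survives if in-cluster access is ever narrowed.
  - to:
    - podSelector:
        matchLabels:
          gateway.networking.k8s.io/gateway-name: cde-egress
    ports:
    - port: 15008
      protocol: TCP
---
# 2. The waypoint pod: external HTTPS plus what it needs to function. It gets
#    its own policy (and is excluded above) because policies are additive; if
#    both selected it, the two allow lists would be unioned.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cde-egress-gateway-egress
  namespace: cde
spec:
  podSelector:
    matchLabels:
      gateway.networking.k8s.io/gateway-name: cde-egress
  policyTypes:
  - Egress
  egress:
  # DNS, needed for Service Entries with resolution: DNS
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
  # xDS from istiod; without this the waypoint never receives its routes
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: istio-system
      podSelector:
        matchLabels:
          app: istiod
    ports:
    - port: 15012
      protocol: TCP
  # External HTTPS only: no in-cluster range, and no cloud metadata endpoint
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.0.0.0/8
        - 169.254.169.254/32
    ports:
    - port: 443
      protocol: TCP
```

The 169.254.169.254/32 exception is a precaution rather than something the page calls for: the gateway is the one pod allowed to talk outside the cluster, so it should not be able to reach the cloud metadata service on behalf of CDE workloads. Whether the istiod and DNS allows are needed depends on whether the waypoint pod was previously selected by any egress policy at all; once this policy selects it, they are required.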

Diagram

graph TD;
    subgraph "CDE Namespace"
        A("Pod A")
        B("Pod B")
        eg("Egress Gateway Pod")

        se("Service Entry using gateway")
    end

    ext["External Authorized Host"]

    subgraph "non CDE Namespace"
        C("Pod C")

        non-cde-se("Service Entry Placeholder without gateway")
    end

    A -- traffic to an external host listed in the Service Entry --> eg --> ext
    A -- traffic to an internal endpoint --> B
    C --> ext

How to update the list of allowed hosts in the CDE namespace

  1. Update the list defined in the platform-infrastructure GitHub repo: link for prod
  2. Deploy the change by syncing the rootapp-namespaces Argo CD app.

Resources