Support k8s egress policies

[awh]

From @awh on September 21, 2016 9:6

The k8s network SIG is developing an egress policy specification which we should support.

Copied from original issue: weaveworks-experiments/weave-npc#9

[shaun-willows]

Having egress policies would be very beneficial to my organisation. We are trying to restrict access from pods to an ExternalName Services (e.g. an AWS RDS instance) as noted in this StackOverflow post.

Is there any ballpark timescale for when this might be implemented? It does seem as if the discussion regarding egress policies has stalled, and the proposal document has not been updated in a while.

Project Calico provides egress policy via their own policy extensions. Could Weave to do anything similar?

For reference, this is the post on the K8S slack community that lead me to this issue.

[brb]

@iblocks-shaun Thanks for the info.

We will take into consideration the egress policies during the next release planning which should happen during the second half of March.

[Cryptophobia]

@brb : Any update on this issue/feature?

We are also interested in specifying egress policies and restricting access from pods to ExternalName Services like AWS RDS being a big need right now for us.

[brb]

@Cryptophobia Sorry, but the issue hasn't been prioritized yet. However, contributions are more than welcome.

[Cryptophobia]

@brb Can anyone point me to what sections of the code need to be updated for this to be added as a feature?

[bboreham]

The current Network Policy Controller is under https://github.com/weaveworks/weave/tree/master/npc, with main program at https://github.com/weaveworks/weave/tree/master/prog/weave-npc

Note that there's no way in Kubernetes to define an egress policy, so that would need to be stored in an annotation or something else free-form until the official version is agreed and included.

[brb]

Also, it's worth mentioning the design doc https://github.com/weaveworks/weave/blob/master/docs/weavenpc-design.md

[RRAlex]

Since 1.8 release, it seems the K8s documentation has egress examples:

kubernetes/enhancements#366
https://kubernetes.io/docs/concepts/services-networking/network-policies/#the-networkpolicy-resource

... so I'm just posting this here, in case that's news to some, to indicate that K8s is eventually moving toward the egress support (which seems to be limited to design principles for now?).

[bboreham]

Thanks @RRAlex, the api definitions for egress policies were added as beta in Kubernetes 1.8; see kubernetes/enhancements#367

This remains on the todo list for Weave Net.

[mattgarkusha]

We are very interested in this. Would love to see this done soon! 👍