With the addition of `EgressRule`. The `EgressRule` can specify `NetworkPolicyPeers`.
Parent: #1489
Currently, Cilium only supports ingress label-based policy. This is because the source endpoint writes its security identity into the packets that it sends to its destination. Since the security identity is an encoding of the set of labels of an endpoint, upon ingress, all the datapath has to do when it receives a packet from an endpoint is check the security identity in the packet against the set of security identities from which traffic is allowed to the destination endpoint. However, upon egress, the cilium-agent on the host sending out packets does not know the set of labels corresponding to the destination endpoint. Consequently, we need a way for the agent to determine, from the metadata available in the packet, data from the key-value store, etc., whether traffic from one endpoint to the endpoint it is sending to is allowed.
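The asymmetry described above, as an added Go example that is not Cilium's own code: the ingress check only needs the source identity carried in the packet, whereas the egress check has to resolve the destination IP to an identity first, using a cache fed from the key-value store. The identity allocator, the `IPCache` map, the `Endpoint` and `Packet` types and all label values are constructed assumptions for this illustration, and an unresolvable destination is treated as a deny.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Identity is a numeric security identity: an encoding of an endpoint's label set.
type Identity uint32

// IdentityAllocator maps a canonical (sorted) label set to a stable numeric identity.
// Constructed stand-in for an allocator backed by the key-value store.
type IdentityAllocator struct {
	byLabels map[string]Identity
	next     Identity
}

func NewIdentityAllocator() *IdentityAllocator {
	return &IdentityAllocator{byLabels: map[string]Identity{}, next: 256}
}

// canonical sorts the labels so that the same set always yields the same key.
func canonical(labels []string) string {
	l := append([]string(nil), labels...)
	sort.Strings(l)
	return strings.Join(l, ",")
}

// Lookup returns the identity for a label set, allocating one on first use.
func (a *IdentityAllocator) Lookup(labels []string) Identity {
	key := canonical(labels)
	if id, ok := a.byLabels[key]; ok {
		return id
	}
	id := a.next
	a.next++
	a.byLabels[key] = id
	return id
}

// Packet carries the source identity written in by the sending endpoint's datapath.
// The destination is only known as an IP; its labels are not in the packet.
type Packet struct {
	SrcIdentity Identity
	DstIP       string
}

// Endpoint holds the local policy: identities allowed in, and identities allowed out.
type Endpoint struct {
	Identity       Identity
	AllowedIngress map[Identity]bool
	AllowedEgress  map[Identity]bool
}

// IngressAllowed is the ingress check: the source identity is already in the packet,
// so the receiving datapath only checks it against the allow set.
func (e *Endpoint) IngressAllowed(p Packet) bool {
	return e.AllowedIngress[p.SrcIdentity]
}

// IPCache maps destination IP to identity; assumed to be populated by the agent
// from the key-value store. Constructed stand-in.
type IPCache map[string]Identity

// EgressAllowed is the egress check: the destination labels are not in the packet,
// so the agent must first resolve DstIP to an identity. The second return value
// reports whether the resolution succeeded; an unknown destination is denied.
func (e *Endpoint) EgressAllowed(p Packet, cache IPCache) (allowed bool, resolved bool) {
	dstID, ok := cache[p.DstIP]
	if !ok {
		return false, false
	}
	return e.AllowedEgress[dstID], true
}

func main() {
	alloc := NewIdentityAllocator()
	web := alloc.Lookup([]string{"role=web", "env=prod"}) // constructed labels
	db := alloc.Lookup([]string{"role=db", "env=prod"})

	webEp := &Endpoint{Identity: web, AllowedEgress: map[Identity]bool{db: true}}
	dbEp := &Endpoint{Identity: db, AllowedIngress: map[Identity]bool{web: true}}
	cache := IPCache{"10.0.0.2": db} // constructed kvstore-derived mapping

	pkt := Packet{SrcIdentity: web, DstIP: "10.0.0.2"}
	fmt.Println("ingress at db:", dbEp.IngressAllowed(pkt))
	allowed, resolved := webEp.EgressAllowed(pkt, cache)
	fmt.Println("egress from web:", allowed, "resolved:", resolved)
	allowed, resolved = webEp.EgressAllowed(Packet{SrcIdentity: web, DstIP: "10.0.0.9"}, cache)
	fmt.Println("egress to unknown dst:", allowed, "resolved:", resolved)
}
```

The point the example makes is that the egress decision is only as good as the IP-to-identity cache: if the key-value store data is stale or missing for a destination, the agent cannot evaluate label-based egress policy for it at all, which is why this issue needs changes across several components rather than just a second policy map.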
This ticket requires changes in multiple areas of Cilium, specifically: