Egress gateway policy
An EgressGatewayPolicy resource (EgressGatewayPolicy) represents a way to select
different egress gateways or skip one for different destinations.
Rules in an Egress EgressGatewayPolicy are checked in Longest Prefix Match(LPM) fashion like routers. As such it is not valid to use the exact destination in two rules.
In order for an EgressGatewayPolicy to be used, its name must be added
to a pod or namespace by using egress.projectcalico.org/egressGatewayPolicy annotation.
Sample YAML
apiVersion: projectcalico.org/v3
kind: EgressGatewayPolicy
metadata:
name: my-egwpolicy
spec:
rules:
- destination:
cidr: 10.0.0.0/8
description: "Local: no gateway"
- destination:
cidr: 11.0.0.0/8
description: "Gateway to on prem"
gateway:
namespaceSelector: "projectcalico.org/name == 'default'"
selector: "egress-code == 'blue'"
maxNextHops: 2
- description: "Gateway to internet"
gateway:
namespaceSelector: "projectcalico.org/name == 'default'"
selector: "egress-code == 'red'"
gatewayPreference: PreferNodeLocal
Egress gateway policy definition
Metadata
| Field | Description | Accepted Values | Schema |
|---|---|---|---|
| name | Unique name to describe this resource instance. Must be specified. | Alphanumeric string with optional ., _, or -. | string |
Spec
| Field | Description | Accepted Values | Schema | Default |
|---|---|---|---|---|
| rules | List of egress gateway policies | Egress Gateway Policy Rule |
Egress gateway policy rule
| Field | Description | Accepted Values | Schema | Default |
|---|---|---|---|---|
| description | A description of rule | string | ||
| destination | CIDR representing a destination | destination | ||
| gateway | egress gateway to be used for a destination | gateway | ||
| gatewayPreference | Hints about egress gateway selection | None for using all available egress gateway replicas from the selected deployment, or PreferNodeLocal to use only egress gateway replicas on the same local node as the client pod or namespace if available, otherwise fall back to the default behaviour. | 'None' |
Destination
| Field | Description | Accepted Values | Schema | Default |
|---|---|---|---|---|
| cidr | CIDR of destination network | string |
Egress gateway
| Field | Description | Accepted Values | Schema | Default |
|---|---|---|---|---|
| selector | selector to choose an egress gateway deployment | string | ||
| namespaceSelector | name space of egress gateway deployment | string | ||
| maxNextHops | Specifies the maximum number of egress gateway replicas from the selected deployment that a pod should depend on. Replicas will be chosen in a manner that attempts to balance load across the whole egress gateway replicaset. If unset, or set to "0", egress traffic will behave in the default manner (load balanced over all available gateways). | string |
Supported operations
| Datastore type | Create/Delete | Update | Get/List | Notes |
|---|---|---|---|---|
| Kubernetes API server | Yes | Yes | Yes |