Skip to content

f5devcentral/container-egress-service

Repository files navigation

CES

standard-readme compliant Action Build Status Docker pull Issues Stars Go License

CES is a solution. It is used to help users manage the outgoing traffic of k8s pod/container better. It solves the challenge of outgoing traffic policy control in high dynamic IP scenarios in k8s native way, and provides a wealth of outgoing control capability. And through the hierarchical design, it solves the multi-role coordination problem among enterprise security, network, platform, and application operation departments.

Table of Contents

Background

Kubernetes is piloting projects transition to enterprise-wide application rollouts, companies must be able to extend their existing enterprise security architecture into the Kubernetes environment. There are 2 challenges here. One is technology, how enterprise security devices to work in high dynamic IP environment. This will introduces additional complexity and risk to traditional process. The second one is the blurry work boundary between enterprise security team, network team, platform team and application team. Security is not the responsibility of one team, it is shared. Security team/network team, platform and application team all should get its role and benefit from this shared mode.

CES is a solution help customers to resolve the above 2 challenges. It provides k8s native way to k8s egress traffic policy tuning. Working with F5 AFM.

By running CES controller in k8s, it will automatcially create policy rules into F5 AFM. No matter IP change or scaled.

By scoped policy designment, Security/network team, platform team, application team all can participate into the policy setting. Policy management can be delegated or centralized, follow container platform's RBAC.

scoped CRD

Install

  1. Download the installation script
wget https://raw.githubusercontent.com/f5devcentral/container-egress-service/master/dist/install.sh
  1. Edit the install.sh script, edit the following variable values according to the actual environment. For detail, check the wiki

Usage

  • Please check the Wiki for different usages.

  • Check Youtube or China Bilibili for video demos. Click here.

Building

Docker image:

#GO_VERSION = 1.16
git clone https://github.com/f5devcentral/container-egress-service.git
cd container-egress-service
make release

Challenges solved

  • High-frequency changes in outbound traffic caused by container IP dynamics
  • Different role groups have different requirements for the scope setting of the policy, and the policy needs to match the role in multiple dimensions
  • Dynamic bandwidth limit requirements for outbound traffic
  • Protocol in-depth security inspection requirements
  • Advanced requirements for flow programmable based on access control events
  • Visualization requirements for outbound traffic

Capabilities

  • Dynamic IP ACL control with Cluster/Pod/NS granularity
  • Cluster/Pod/NS granular FQDN ACL control
  • Time-based access control
  • Matched flow event trigger and programmable
  • Matched traffic redirection
  • Protocol security and compliance testing
  • IP intelligence
  • Traffic matching log
  • Traffic matching visualization report
  • Protocol detection visual report
  • TCP/IP Errors report
  • NAT control and logging
  • Data flow visualization tracking
  • Visual simulation of access rules
  • Transparent detection mode
  • High-speed log outgoing

Documents

Check Release notes.

Check the Wiki first.

Support

For support, please open a GitHub issue. Note, the code in this repository is community supported and is not supported by F5. For a complete list of supported projects please reference SUPPORT.md.

Community Code of Conduct

Please refer to the F5 DevCentral Community Code of Conduct.

Contact

j.lin@f5.com

License

Apache License 2.0