Add an option to pass list of ignored ports in egress traffic #58
Conversation
|
@stefanprodan @jqmichael not sure who to notify 🤷♂ |
| if v, ok := pod.ObjectMeta.Annotations[egressIgnoredPortsAnnotation]; ok { | ||
| egressIgnoredPorts = v | ||
| } else { | ||
| egressIgnoredPorts = "22" |
There was a problem hiding this comment.
I don’t think port 22 should be excluded by default. The egress ignored ports env var should be set only if the annotation exists.
There was a problem hiding this comment.
That's what the mesh does by default - https://docs.aws.amazon.com/app-mesh/latest/userguide/mesh-getting-started-ec2.html
I'm just following entrypoint script aws uses - # Comma separated list of ports for which egress traffic will be ignored, we always refuse to route SSH traffic. if [ -z "$APPMESH_EGRESS_IGNORED_PORTS" ]; then APPMESH_EGRESS_IGNORED_PORTS="22" else APPMESH_EGRESS_IGNORED_PORTS="$APPMESH_EGRESS_IGNORED_PORTS,22" fi
PS! I also think the default value could be still kept to show visibility of available ENV variables, for example it took me quite some time to find how to make App Mesh ignore some outgoing ports such as SQL/REDIS ones.
Issue #, if available:
aws/aws-app-mesh-roadmap#62
By default all egress traffic is going to flow through Envoy/AppMesh.
We don't want database traffic to be flowing through it.
Workaround currently is to not use
app-mesh-injectand manually add sidecar pod and init pod.Description of changes:
Implement
appmesh.k8s.aws/egressIgnoredPortsannotation to have an option of providing list of ports to be ignored in egress traffic flow.By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.