- Gobind
- (others please feel free to add)
As a Kubernetes user, I want to allow/deny egress to specific FQDNs using Network Policy. For instance, I would like to use Network Policy to express the following constraint:
```yaml
egress:
- to:
  - FQDN:
      url: www.my-trusted-company.com
```
This policy would permit the pods it selects to send packets only to IPs that belong to www.my-trusted-company.com; packets from those pods to any other destination are implicitly denied.
You can imagine this would also be handy for services running inside the cluster, as well as for services outside the cluster that are not necessarily on the internet.
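As an added illustration, not part of this proposal or of any of the products mentioned, the Go sketch below shows one way the implied semantics could be enforced: addresses are learned from DNS answers for the listed names, a destination is permitted only while such an answer is unexpired, and everything else is denied. The type names, sample addresses and TTL are constructed for the example.

```go
package main

import (
	"fmt"
	"net/netip"
	"time"
)

// FQDNPolicy mirrors the proposed rule: the selected pods may only send to
// addresses that currently belong to one of the listed names.
type FQDNPolicy struct {
	allowed map[string]bool
	expiry  map[netip.Addr]time.Time // learned address -> when its DNS answer expires
}

func NewFQDNPolicy(fqdns ...string) *FQDNPolicy {
	p := &FQDNPolicy{allowed: map[string]bool{}, expiry: map[netip.Addr]time.Time{}}
	for _, n := range fqdns {
		p.allowed[n] = true
	}
	return p
}

// Observe learns the addresses in a DNS answer, but only for names the policy
// lists; answers for other names never widen the allowed set.
func (p *FQDNPolicy) Observe(fqdn string, ips []netip.Addr, seenAt time.Time, ttl time.Duration) {
	if !p.allowed[fqdn] {
		return
	}
	for _, ip := range ips {
		if exp := seenAt.Add(ttl); exp.After(p.expiry[ip]) {
			p.expiry[ip] = exp
		}
	}
}
// AllowEgress is the implicit default deny: a destination passes only while
// an unexpired answer for an allowed name mapped to it.
func (p *FQDNPolicy) AllowEgress(dst netip.Addr, now time.Time) bool {
	exp, ok := p.expiry[dst]
	return ok && now.Before(exp)
}

func main() {
	// Constructed sample: one answer for the trusted name with a 60 s TTL.
	p := NewFQDNPolicy("www.my-trusted-company.com")
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	p.Observe("www.my-trusted-company.com", []netip.Addr{netip.MustParseAddr("203.0.113.10")}, t0, time.Minute)
	fmt.Println(p.AllowEgress(netip.MustParseAddr("203.0.113.10"), t0.Add(30*time.Second))) // true
	fmt.Println(p.AllowEgress(netip.MustParseAddr("198.51.100.7"), t0))                     // false
}
```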
Many existing products already offer this functionality today:
- Cilium FQDN based network policy
- Calico FQDN based network policy
- OpenShift egress firewall with FQDN
(related: see kubernetes/kubernetes#50453)
https://docs.google.com/document/d/1Htcy4UXKZytUe-lWJIIEJZzoa3MtCMr-Ms_KONaXirM/edit#