EgressPoint API reference

This topic gives you reference information for the EgressPoint resource on Tanzu Platform for Kubernetes.

EgressPoint resource

You can create the EgressPoint resource manually or through the UI. The resource is defined as follows:

apiVersion: networking.tanzu.vmware.com/v1alpha1
kind: EgressPoint
metadata:
  name: EGRESSPOINT-NAME
spec:
  sourceRef: #! Optional
    apiGroup: SOURCEREF-API-GROUP
    kind: SOURCEREF-KIND
    name: SOURCEREF-NAME
  targets:
  - hosts:
    - HOST
    port:
      number: TARGET-PORT
      protocol: TARGET-PROTOCOL

Where:

EGRESSPOINT-NAME
  Description: The name you want for your EgressPoint resource. It is useful to name it after the off-cluster target you are allowing access to.
  Example: example-egress

SOURCEREF-API-GROUP
  Description: The API group of the workload resource you want to target.
  Supported values: apps.tanzu.vmware.com and apps

SOURCEREF-KIND
  Description: The kind of resource in that API group you want to target.
  Supported values: ContainerApp and Deployment

SOURCEREF-NAME
  Description: The name of the SOURCEREF-KIND.SOURCEREF-API-GROUP resource you want to target.
  Example: my-app

HOST
  Description: The hostname or IP address of the off-cluster target you want to access.
  Examples: www.example.com or 11.22.33.44

TARGET-PORT
  Description: The port that the target is listening on.
  Example: 80

TARGET-PROTOCOL
  Description: The protocol used to access the target.
  Supported values: HTTP, HTTPS, TCP, TLS

Notes:

  • The spec.sourceRef field is optional. If you omit it, the EgressPoint applies to every workload in the Space. If you provide it, the egress rules defined in the EgressPoint resource apply only to the workload you specify; that workload continues to have access to anything defined in an EgressPoint that applies to the entire Space. The only supported values for kind.apiGroup are ContainerApp.apps.tanzu.vmware.com and Deployment.apps.

  • When using the protocol TCP, requests on higher-level protocols like HTTP, HTTPS, and TLS are also permitted because the TCP protocol is used underneath them.

Supported configurations for EgressPoint

The EgressPoint API allows for flexible configuration of egress rules. However, certain combinations are not supported. For example:

  • The same host and port cannot be exposed on multiple different protocols.
  • IP address hosts can only be exposed on the TCP protocol.

The following table shows the valid combinations of host, port, and protocol:

Single host, single port:
  • Single protocol: TCP, TLS, HTTP, or HTTPS
  • Multiple protocols: Not allowed

Single host, multiple ports:
  • Same protocol on each port: TCP, TLS, HTTP, or HTTPS
  • Different protocols on each port: TCP, TLS, HTTP, or HTTPS

Single IP address, single port:
  • Single protocol: TCP only

When combining entries for multiple hosts, if each individual host+port+protocol set is valid, the aggregate of those hosts is also valid.
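As an added example (not code from the Tanzu documentation or product), the following Python checks an EgressPoint spec against the rules in the field reference and the supported-combinations table above: the supported sourceRef kind.apiGroup pairs, IP address hosts only on TCP, and no host and port exposed on two different protocols. The spec is passed as a plain dict (what yaml.safe_load would return for the resource's spec mapping); the two sample specs are constructed for this example and do not come from any real cluster.

```python
import ipaddress
from typing import Dict, List, Tuple

# Supported sourceRef (apiGroup, kind) pairs, from the reference table above.
SUPPORTED_SOURCE_REFS = {
    ("apps.tanzu.vmware.com", "ContainerApp"),
    ("apps", "Deployment"),
}
PROTOCOLS = {"HTTP", "HTTPS", "TCP", "TLS"}


def is_ip_address(host: str) -> bool:
    """True for an IPv4/IPv6 literal, False for a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def validate_egresspoint(spec: Dict) -> List[str]:
    """Check the 'spec' mapping of an EgressPoint against the combinations this
    page documents. Returns a list of problems; an empty list means valid."""
    problems: List[str] = []

    source_ref = spec.get("sourceRef")  # optional; absent means the whole Space
    if source_ref is not None:
        pair = (source_ref.get("apiGroup"), source_ref.get("kind"))
        if pair not in SUPPORTED_SOURCE_REFS:
            problems.append(
                f"unsupported sourceRef {pair[1]}.{pair[0]}; use "
                "ContainerApp.apps.tanzu.vmware.com or Deployment.apps"
            )
        if not source_ref.get("name"):
            problems.append("sourceRef.name is required when sourceRef is set")

    seen: Dict[Tuple[str, int], str] = {}  # (host, port) -> protocol already used
    for i, target in enumerate(spec.get("targets", [])):
        port = target.get("port", {})
        number, protocol = port.get("number"), port.get("protocol")
        if not isinstance(number, int) or not 1 <= number <= 65535:
            problems.append(f"targets[{i}]: invalid port number {number!r}")
        if protocol not in PROTOCOLS:
            problems.append(f"targets[{i}]: unsupported protocol {protocol!r}")
        for host in target.get("hosts", []):
            # Rule: IP address hosts may only be exposed on TCP.
            if is_ip_address(host) and protocol != "TCP":
                problems.append(
                    f"targets[{i}]: IP host {host} can only use TCP, not {protocol}"
                )
            # Rule: the same host and port cannot be exposed on multiple protocols.
            key = (host, number)
            if key in seen and seen[key] != protocol:
                problems.append(
                    f"targets[{i}]: {host}:{number} already exposed on {seen[key]}, "
                    f"cannot also expose it on {protocol}"
                )
            seen.setdefault(key, protocol)
    return problems


# Constructed sample specs for this example (not taken from a real cluster).
VALID_SPEC = {
    "sourceRef": {"apiGroup": "apps", "kind": "Deployment", "name": "my-app"},
    "targets": [
        # one host on two ports with different protocols: allowed
        {"hosts": ["www.example.com"], "port": {"number": 443, "protocol": "HTTPS"}},
        {"hosts": ["www.example.com"], "port": {"number": 80, "protocol": "HTTP"}},
        # IP address host on TCP: allowed
        {"hosts": ["11.22.33.44"], "port": {"number": 3306, "protocol": "TCP"}},
    ],
}

INVALID_SPEC = {
    "sourceRef": {"apiGroup": "apps", "kind": "StatefulSet", "name": "db"},
    "targets": [
        {"hosts": ["www.example.com"], "port": {"number": 443, "protocol": "HTTPS"}},
        # same host and port on a second protocol: not allowed
        {"hosts": ["www.example.com"], "port": {"number": 443, "protocol": "TLS"}},
        # IP address host on a non-TCP protocol: not allowed
        {"hosts": ["11.22.33.44"], "port": {"number": 443, "protocol": "TLS"}},
    ],
}

if __name__ == "__main__":
    for name, spec in (("valid", VALID_SPEC), ("invalid", INVALID_SPEC)):
        print(name, validate_egresspoint(spec) or "OK")
```

The checker is deliberately per-EgressPoint: the page states that a workload also keeps whatever Space-wide EgressPoints allow, so a complete pre-admission check would collect all EgressPoints in the Space before applying the host-and-port rule across them.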

About configuring EgressPoint for server-first protocols

The EgressPoint supports the TCP and TLS protocols for connections that use non-HTTP style protocols. For example, you can allow access to a database using TCP, or, if the database supports it, TLS.

However, some of these protocols are server-first, which means that the server sends the first bytes of the connection. In these cases, you must use the TCP protocol even if the endpoint supports TLS. For example, even though MySQL supports TLS, a MySQL connection performs an unencrypted exchange before negotiating TLS, and that exchange is blocked when the EgressPoint protocol is set to TLS.
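The following Python is an added illustration, not Tanzu's implementation: a simplified model of how a proxy enforcing protocol TLS or HTTP decides whether to admit a connection by inspecting the first bytes the client sends (a TLS ClientHello record or an HTTP request line). The three sample inputs are constructed; the MySQL case is modelled as an empty client-first buffer, because a MySQL client sends nothing until the server's greeting arrives, so a TLS-mode policy has nothing to match.

```python
from typing import Optional

# Constructed sample "first bytes sent by the client" for three connection types.
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"  # truncated ClientHello
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
MYSQL_CLIENT_FIRST = b""  # server-first: the client waits for the server greeting

HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"PATCH", b"CONNECT"}


def classify_client_first_bytes(data: bytes) -> Optional[str]:
    """Return "TLS", "HTTP" or "TCP" for what the client sent first, or None if
    the client sent nothing (a server-first protocol such as MySQL)."""
    if not data:
        return None
    # TLS handshake record: content type 0x16, major version 3, then a
    # handshake message of type 0x01 (ClientHello) at byte 5.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "TLS"
    if data.split(b" ", 1)[0] in HTTP_METHODS:
        return "HTTP"
    return "TCP"


def allowed_by_policy(policy_protocol: str, client_first_bytes: bytes) -> bool:
    """Model the page's rule: TCP permits any traffic; TLS and HTTPS require a
    ClientHello; HTTP requires a request line. Anything else is blocked."""
    if policy_protocol == "TCP":
        return True
    seen = classify_client_first_bytes(client_first_bytes)
    if policy_protocol in ("TLS", "HTTPS"):
        return seen == "TLS"
    if policy_protocol == "HTTP":
        return seen == "HTTP"
    raise ValueError(f"unknown protocol {policy_protocol!r}")


if __name__ == "__main__":
    for label, data in (("TLS", TLS_CLIENT_HELLO), ("HTTP", HTTP_REQUEST), ("MySQL", MYSQL_CLIENT_FIRST)):
        for policy in ("TCP", "TLS", "HTTP"):
            print(f"{label:6} client, policy {policy:4}: allowed={allowed_by_policy(policy, data)}")
```

In this model the MySQL connection is admitted only under a TCP policy, which is the page's recommendation; under TLS the policy never sees the ClientHello it expects, because the client will not send one until after the server's cleartext greeting.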
