In general, traffic within a Space is unrestricted, but traffic outside of the Space is controlled through egress and ingress policy. Egress control is enabled at the ClusterGroup level by installing the egress.tanzu.vmware.com Capability package on the ClusterGroup.
After you install the egress.tanzu.vmware.com Capability, all Spaces on those clusters deny all egress traffic by default. To allow specific traffic to leave the Space, the Space must require the egress.tanzu.vmware.com Capability, and you must define an EgressPoint resource. The EgressPoint resource describes the network connections that are allowed to originate from within the Space and go to a destination outside of the Space. This is useful when an application must contact an external API, database, or other network service that is not within the Space. For instructions for creating an EgressPoint resource, see Manage Egress Rules.
If you want to allow all traffic to leave a Space, you can remove the egress.tanzu.vmware.com Capability from the ClusterGroup and add the Space to this modified ClusterGroup.