About egress

This topic tells you about egress as a concept and how it applies to Spaces in Tanzu Platform for Kubernetes.

In general, traffic within a Space is unrestricted, but traffic that enters or leaves the Space is controlled through ingress and egress policy. Egress control is enabled at the ClusterGroup level by installing the egress.tanzu.vmware.com Capability package on the ClusterGroup.

After you install the egress.tanzu.vmware.com Capability, all Spaces on those clusters deny all egress traffic by default. To allow specific traffic to leave the Space, the Space must require the egress.tanzu.vmware.com Capability, and you must define an EgressPoint resource.

The EgressPoint resource describes the network connections that are allowed to originate from within the Space and go to a destination outside of the Space. This is useful when an application must contact an external API, database, or other network service that is not within the Space. For instructions for creating an EgressPoint resource, see Manage Egress Rules.

To allow all traffic to leave a Space, create an egress Trait, specifying open-egress by setting * as the host. For information about how to create a Trait, see Configure Traits. Add this Trait to the Profile in the Space.
