Egress
Linkerd features capabilities to monitor and apply policies to egress traffic.
This allows cluster operators to make use of the EgressNetwork CRD to classify
and visualize traffic. This CRD can be used as a parent reference for Gateway
API route primitives in order to enable policy and routing configuration.
Linkerd’s egress control is implemented in the sidecar proxy itself; separate
egress gateways are not required (though they can be supported).
Warning
No service mesh can provide a strong security guarantee about egress traffic by
itself; for example, a malicious actor could bypass the Linkerd sidecar - and
thus Linkerd’s egress controls - entirely. Fully restricting egress traffic in
the presence of arbitrary applications thus typically requires a more
comprehensive approach.
Related content:
