Tanzu Platform Self-Managed 10.1

EgressPoint API reference

Last Updated March 03, 2025

This topic gives you reference information for the EgressPoint resource for Kubernetes Spaces.

EgressPoint resource

You can create the EgressPoint resource manually or through the UI. The resource is defined as follows:

apiVersion: networking.tanzu.vmware.com/v1alpha1
kind: EgressPoint
metadata:
  name: EGRESSPOINT-NAME
spec:
  sourceRef: #! Optional
    apiGroup: SOURCEREF-API-GROUP
    kind: SOURCEREF-KIND
    name: SOURCEREF-NAME
  targets:
  - hosts:
    - HOST
    port:
      number: TARGET-PORT
      protocol: TARGET-PROTOCOL

Where:

Variable            | Description                                                                                              | Example
EGRESSPOINT-NAME    | The name you want for your EgressPoint resource. Naming it after the off-cluster target it allows is useful. | example-egress
SOURCEREF-API-GROUP | The API group of the resource you want to target.                                                        | Supported values: apps.tanzu.vmware.com and apps
SOURCEREF-KIND      | The kind of resource in the API group you want to target.                                                | Supported values: ContainerApp and Deployment
SOURCEREF-NAME      | The name of the KIND.API-GROUP resource you want to target.                                              | my-app
HOST                | The hostname or IP address of the off-cluster target you want to access.                                 | www.example.com or 11.22.33.44
TARGET-PORT         | The port that the target is listening on.                                                                | 80
TARGET-PROTOCOL     | The protocol used to access the target.                                                                  | Supported values: HTTP, HTTPS, TCP, TLS

Notes:

  • The spec.sourceRef field is optional. If you set it, the egress rules defined in the EgressPoint apply only to the workload you reference; if you omit it, they apply to every workload in the Space. A workload with its own scoped EgressPoint also keeps the access granted by any EgressPoints that apply to the entire Space, so its effective allowlist is the union of both. The only supported kind.apiGroup values are ContainerApp.apps.tanzu.vmware.com and Deployment.apps.

  • When you use the TCP protocol, requests on higher-level protocols such as HTTP, HTTPS, and TLS are also permitted, because they all run over TCP. TCP is therefore the broadest setting: if you want a rule to admit only HTTP, HTTPS, or TLS traffic to a hostname, specify that protocol instead.

Supported configurations for EgressPoint

The EgressPoint API allows flexible configuration of egress rules. However, some combinations are not supported. For example:

  • The same host and port cannot be exposed on multiple different protocols.
  • IP address hosts can only be exposed on TCP protocol.

The following table shows the valid combinations of host, port, and protocol:

Host        | Port           | Protocol
Single host | Single port    | Single protocol: TCP, TLS, HTTP, or HTTPS. Multiple protocols on the same port: not allowed.
Single host | Multiple ports | Same protocol on each port, or a different protocol on each port: TCP, TLS, HTTP, or HTTPS.
Single IP   | Single port    | Single protocol: TCP only.

When you combine entries for multiple hosts, the aggregate is valid as long as each individual host, port, and protocol combination is valid on its own.

About configuring EgressPoint for server-first protocols

The EgressPoint supports protocols TCP and TLS for connections that use non-HTTP style protocols. For example, you can allow access to a database using TCP, or, if the database supports it, TLS.

However, some of these protocols are server first, which means that the server sends the first bytes of the connection. For such protocols you must use the TCP protocol even if the endpoint supports TLS, because the initial, unencrypted exchange does not match the TLS protocol and is blocked. For example, although MySQL supports TLS, a MySQL connection performs an unencrypted exchange before TLS is negotiated, and that exchange is blocked when the EgressPoint protocol is set to TLS.
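The following Python script is an added example and is not part of the Tanzu documentation or product. It turns the rules stated in this reference (one protocol per host and port, IP hosts only on TCP, the supported protocols and sourceRef kinds) into a pre-apply lint you can run against a manifest before kubectl sees it, and adds two advisory checks of its own design: plain TCP to a hostname, which also admits HTTP, HTTPS and TLS, and TLS to MySQL's default port 3306, the server-first case described above. The function names, the SERVER_FIRST_PORTS table and the sample spec are assumptions constructed for this example; the spec is a Python dict with the same shape as the spec block of the YAML manifest.

```python
"""Pre-apply lint for an EgressPoint spec (added example, not Tanzu code)."""
import ipaddress
from collections import defaultdict

PROTOCOLS = {"HTTP", "HTTPS", "TCP", "TLS"}
SOURCE_KINDS = {("apps.tanzu.vmware.com", "ContainerApp"), ("apps", "Deployment")}
# Assumption of this example: default ports of server-first protocols named on
# the page. The MySQL server sends its greeting before the client speaks.
SERVER_FIRST_PORTS = {3306: "MySQL"}


def is_ip(host):
    """True for an IPv4/IPv6 literal, False for a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def validate_egresspoint(spec):
    """Return a list of (severity, message) findings; an empty list means valid."""
    findings = []
    src = spec.get("sourceRef")
    if src is not None:
        pair = (src.get("apiGroup"), src.get("kind"))
        if pair not in SOURCE_KINDS:
            findings.append(("error", f"sourceRef {pair[1]}.{pair[0]} is not supported"))
        if not src.get("name"):
            findings.append(("error", "sourceRef.name is required"))
    targets = spec.get("targets") or []
    if not targets:
        findings.append(("error", "spec.targets must list at least one target"))
    protos_by_endpoint = defaultdict(set)  # (host, port) -> protocols seen
    for i, t in enumerate(targets):
        hosts = t.get("hosts") or []
        port = t.get("port") or {}
        number, proto = port.get("number"), port.get("protocol")
        if not hosts:
            findings.append(("error", f"targets[{i}] has no hosts"))
        if not isinstance(number, int) or not 1 <= number <= 65535:
            findings.append(("error", f"targets[{i}] port.number {number!r} is not a valid port"))
        if proto not in PROTOCOLS:
            findings.append(("error", f"targets[{i}] protocol {proto!r} not in {sorted(PROTOCOLS)}"))
            continue
        for h in hosts:
            protos_by_endpoint[(h, number)].add(proto)
            # Rule from the page: IP address hosts can only be exposed on TCP.
            if is_ip(h) and proto != "TCP":
                findings.append(("error", f"IP host {h}:{number} must use TCP, not {proto}"))
            # Advisory (this example's policy): TLS to a server-first port is blocked.
            if proto == "TLS" and number in SERVER_FIRST_PORTS:
                findings.append(("warning", f"{h}:{number} ({SERVER_FIRST_PORTS[number]}) is server first; use TCP"))
            # Advisory (this example's policy): TCP is the broadest protocol.
            if proto == "TCP" and not is_ip(h):
                findings.append(("info", f"TCP to {h}:{number} also permits HTTP/HTTPS/TLS; narrow if possible"))
    # Rule from the page: the same host and port cannot be exposed on several protocols.
    for (h, n), protos in protos_by_endpoint.items():
        if len(protos) > 1:
            findings.append(("error", f"{h}:{n} exposed on multiple protocols {sorted(protos)}"))
    return findings


def errors(spec):
    """Only the findings that make the spec invalid."""
    return [m for sev, m in validate_egresspoint(spec) if sev == "error"]


# Constructed sample: scoped to one ContainerApp, mixing valid and invalid targets.
SAMPLE_SPEC = {
    "sourceRef": {"apiGroup": "apps.tanzu.vmware.com", "kind": "ContainerApp", "name": "my-app"},
    "targets": [
        {"hosts": ["api.example.com"], "port": {"number": 443, "protocol": "HTTPS"}},
        {"hosts": ["api.example.com"], "port": {"number": 443, "protocol": "HTTP"}},  # second protocol on same host+port
        {"hosts": ["10.0.0.5"], "port": {"number": 5432, "protocol": "TLS"}},         # IP host on a non-TCP protocol
        {"hosts": ["db.example.com"], "port": {"number": 3306, "protocol": "TLS"}},   # server-first target on TLS
    ],
}

if __name__ == "__main__":
    for sev, msg in validate_egresspoint(SAMPLE_SPEC):
        print(f"{sev:8} {msg}")
```

Load the spec from your manifest with any YAML library and pass spec["spec"] to validate_egresspoint; treat any "error" finding as a reason not to apply, and review "warning" and "info" findings as least-privilege prompts rather than hard failures.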