Troubleshooting Egress Traffic
When Egress is not working as expected
1. Confirm egress is enabled
If relying on passthrough egress functionality to unknown destinations, confirm that global passthrough egress is enabled by verifying the value for the enableEgress
key in the osm-mesh-config
MeshConfig
custom resource. osm-mesh-config
resides in the OSM control plane namespace (osm-system
by default).
# Returns true if global passthrough egress is enabled
kubectl get meshconfig osm-mesh-config -n osm-system -o jsonpath='{.spec.traffic.enableEgress}{"\n"}'
true
If using Egress policy, confirm that egress policy capability is enabled.
# Returns true if egress policy capability is enabled
kubectl get meshconfig osm-mesh-config -n osm-system -o jsonpath='{.spec.featureFlags.enableEgressPolicy}{"\n"}'
true
2. Inspect OSM controller logs for errors
# When osm-controller is deployed in the osm-system namespace
kubectl logs -n osm-system $(kubectl get pod -n osm-system -l app=osm-controller -o jsonpath='{.items[0].metadata.name}')
Errors will be logged with the level
key in the log message set to error
:
{"level":"error","component":"...","time":"...","file":"...","message":"..."}
3. Confirm the Envoy configuration when using Egress policy
Use the osm verify connectivity
command to validate that the pod can communicate with the external host and port using an Egress policy.
Examples:
To verify if the pod curl-7bb5845476-zwxbt
in the namespace curl
can direct HTTPS traffic to the the external httpbin.org
host on port 443
:
osm verify connectivity --from-pod curl/curl-7bb5845476-zwxbt --to-ext-port 443 --to-ext-host httpbin.org --app-protocol https
---------------------------------------------
[+] Context: Verify if pod "curl/curl-7bb5845476-zwxbt" can access external service on port 443
Status: Success
---------------------------------------------
To verify if the pod curl-7bb5845476-zwxbt
in the namespace curl
can direct HTTP traffic to the the external httpbin.org
host on port 80
:
osm verify connectivity --from-pod curl/curl-7bb5845476-zwxbt --to-ext-port 80 --to-ext-host httpbin.org --app-protocol http
---------------------------------------------
[+] Context: Verify if pod "curl/curl-7bb5845476-zwxbt" can access external service on port 80
Status: Success
---------------------------------------------
The Status
field in the output will indicate Success
when the verification succeeds.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.