FRESH

Hacker News

Kubernetes egress control with squid proxy

82 points by fsmunoz

by merpkz

2 subcomments

by kodama-lens

0 subcomment

Thanks for the write up. It is indeed a simple and good solution for smaller workloads and as already pointed out it has some limitations. For devs the explicit configuration of that HTTP_PROXY is annoying, so the last time I did an egress proxy on OpenShift I wrote a small mutating webhook that injects that envs automatically in all pods. OpenShift does this already automatically but only for some system pods. Right now I explore Cilium's Egress-Gateway since this also handles none HTTP connections and is directly within the routing layer, but it has a learning curve

by crimsonnoodle58

1 subcomments

We use squid for egress control on Kubernetes and have also written a controller that runs in a sidecar container next to squid that monitors for custom CRD's, such as a whitelists.
The controller then updates squid.conf and reloads squid. This allows pods/namespaces to define their own whitelists.
The great thing about using squid and disabling DNS is you can stop DNS and HTTP exfil, but still allow certain websites to be accessible.

by baobun

1 subcomments

Not just squid but mostly any http proxy can be run in forward mode if you want.
Caddys "magic TLS" can be neat for this if you actually do want to dynamically intercept those https connections in an easy way. It's a use-case where Caddy really shines. You can go nuts trying to configure that cleanly in squid. The docs (perhaps intentionally) make you work for the hidden knowledge of these dark arts. You also get modernities like builtin http2, http3, etc.
Nobody else bothered by squids very lengthy restart time or have I just never configured it properly?
(Not to dunk on squid, it's otherwise mostly great. Especially for its caching features)

by btreecat

5 subcomments

I like this approach!
I am struggling to lock down a pod in my home cluster to allow local connections to it's web UI but force all other connections through a VPN client. I'm going to investigate if I could use squid for this.
My next approach is going to involve using a sidecar.
One heads up to the author, the text based charts didn't render well on FF mobile. Text is meant to reflow based on screen size, typeface etc. I feel this is a great case for using a drawing/image instead.

by jonstewart

0 subcomment

My team uses a squid proxy to control egress for AWS VPCs, all integrated into our CDK scripts. The CDK script states the allowlist (including AWS endpoints) for the VPC, and squid enforces it, including DNS. It works beautifully well. Locking down egress is one of the best defense in depth measures, as it makes it difficult for threat actors to download their tools and talk to their C2.

by thewisenerd

0 subcomment

by klohto

0 subcomment

I have had great experience scripting and running http://mitmproxy.org for these purposes. I also have set it in production as a dumb caching proxy for upstream services (We do a lot dumb GETs to list/enumerate)

by elnerd

1 subcomments

Would it be be trivial to have a init container to do CA injection? Maybe though mutating admission controller? Then some CNI magic to redirect outbound traffic to do transparent proxying?

0 subcomment

by oldsj

1 subcomments

I’ve been working on running agents (Claude agent sdk) on k8s this looks great to control their egress

by lkglglgllm

1 subcomments

by e-Minguez

3 subcomments

by m1keil

1 subcomments