docs/aci/examples/advanced.md
+11-1
@@ -17,6 +17,8 @@ The following subnets will be used:
17
17
* Egress Node subnet: `192.168.2.80/28`
18
18
* Load-balancer services pool: `192.168.2.48/28`
19
19
20
+
{: .note }
21
+
In this example the ESG configuration is optional and can be completely removed if you choose to advertise the Egress IP over BGP as explained in the [Cilium Egress design](../../advanced_design/#cilium-egress-design) section.
20
22
21
23

22
24
## ACI configuration
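Review bot: The new note after the subnet list says the ESG configuration "can be completely removed" when the Egress IP is advertised over BGP, but it does not say what then carries the contract-based access control. The closing paragraph of this page maps the `egressIPs` "in an External EPG or ESG", so say here what replaces the ESG in the BGP case (presumably the External EPG), otherwise a reader may drop the ESG and lose the per-application contracts without noticing. It would also help to name which parts of the ACI configuration section below become unnecessary.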
@@ -228,6 +230,10 @@ spec:
228
230
selector:
229
231
matchLabels:
230
232
advertise: bgp
233
+
- advertisementType: EgressGateway
234
+
selector:
235
+
matchLabels:
236
+
advertise: bgp
231
237
---
232
238
apiVersion: isovalent.com/v1alpha1
233
239
kind: IsovalentBFDProfile
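Review bot: The new `advertisementType: EgressGateway` entry selects on `advertise: bgp`, the same label as the entry directly above it, so one label now decides what is announced for two advertisement types. Any egress gateway policy carrying that label will have its egress IP advertised over BGP; consider a dedicated label for egress policies, or add a sentence next to this block saying that the reuse is intentional and that whoever can label a policy controls what is advertised.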
@@ -393,6 +399,8 @@ The egress configuration is extremely simple: once the nodes are configured with
393
399
* Select wich nodes are part of the `egressGroups` with a `nodeSelector`
394
400
* Specify which `egressIP` a node has to use. Note: The `egressIP` needs to be pre-configured on the node. Commonly as a secondary IP on the interface. This should be done prior to deploying the policy.
395
401
* Select which pods the `IsovalentEgressGatewayPolicy` should apply to by using a `podSelector`
402
+
* If using BGP advertisement add the `advertise: bgp` label
403
+
396
404
397
405
For example the configuration below will NAT all traffic (`destinationCIDRs`) initiated from pods in the `egress-1` namespace (`io.kubernetes.pod.namespace`) using two nodes (`kubernetes.io/hostname`) and two IPs (`egressIP: 192.168.2.83 and 192.168.2.84`)
398
406
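Review bot: The added bullet "If using BGP advertisement add the `advertise: bgp` label" does not say which object gets the label. Spell out that it goes under `metadata.labels` of the `IsovalentEgressGatewayPolicy` and has to match the `matchLabels` selector of the `EgressGateway` advertisement, since the other bullets in this list name the selector or field they refer to. The blank line added after the bullet leaves several consecutive empty lines before the next paragraph and can be dropped, and "wich" in the first bullet of the list could be fixed while touching it.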
@@ -401,6 +409,8 @@ apiVersion: isovalent.com/v1
401
409
kind: IsovalentEgressGatewayPolicy
402
410
metadata:
403
411
name: egress-1
412
+
labels:
413
+
advertise: bgp
404
414
spec:
405
415
destinationCIDRs:
406
416
- 0.0.0.0/0
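Review bot: The example now sets `labels:` with `advertise: bgp` under `metadata` unconditionally, while the bullet list above makes the label conditional on BGP advertisement. Add a YAML comment on these two lines saying they are only needed when the egress IP is advertised over BGP, so readers who keep the ESG setup do not copy a label that opts the policy into advertisement.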
@@ -420,7 +430,7 @@ spec:
420
430
421
431
```
422
432
423
-
These two `egressIPs` can now easily be mapped by using an IP selector on the ESG. This allows for administrators to control access per application by using contracts. This example shows access control per namespace, but this can also be narrowed down further to a subset of pods.
433
+
These two `egressIPs` can now easily be mapped in an External EPG or ESG. This allows for administrators to control access per application by using contracts. This example shows access control per namespace, but this can also be narrowed down further to a subset of pods.
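Review bot: The rewritten sentence drops "by using an IP selector" and now reads "mapped in an External EPG or ESG" without saying how the mapping is done in either object. Keep the IP selector wording for the ESG, say how the External EPG matches the two addresses, and state which of the two applies in which case, since the note at the top of the page makes the ESG optional only when the Egress IP is advertised over BGP. "This allows for administrators to control" also reads better as "This allows administrators to control".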