Kubernetes egress control with squid proxy

Source: https://news.ycombinator.com/rss
Summary

Kubernetes Egress Control with Squid proxy
2025-12-28

This Way to the Egress! — Sign at P.T. Barnum’s American Museum

Kubernetes ingress gets a lot of attention – Gateway API, Ingress controllers, service meshes – compared with egress, which is mostly ignored until someone asks “what exactly is our cluster talking to?” or, even in simple deployments, “can we see what we are talking to?”. This is a (very) simple approach to that, using the venerable Squid proxy and a NetworkPolicy, without reaching for heavier machinery (but beginning to understand why we would). This is the overview of the thing I’m about to describe: Squid as egress proxy in k3s.

Why do I care

Most Kubernetes tutorials focus on getting traffic into your cluster, which is fair since that’s where it usually starts... but traffic flows both ways, and once your workloads start making outbound calls to APIs, databases, and services beyond your cluster boundary, there’s a discussion on visibility and security to be had. I ran into this while working with OpenShift’s egress policies years ago, in so-called “regulated industries”: while not the most flexible at the time, they were the most straightforward answer to security requirements that defined that outbound traffic should go through a proxy. I’m using Kubernetes through k3s (mostly) and kind (often, for development) for my own personal stuff (see Projects), so I went back to basics on this: what if we just used Squid – a proxy that’s been solving this problem since 1996! – and enforced its usage with a NetworkPolicy? Nothing fancy, nothing “next-gen cloud-native”, just a proxy with logs, and see where that gets me.
Squid and k3s: the solution

The architecture is deliberately simple:

[Diagram, box drawing garbled in extraction: inside the Cluster, a pod in the workload namespace, configured with HTTP_PROXY, sends its outbound traffic to the Squid pod in the egress-proxy namespace on port 3128 (squi...)]
