Controlling Egress Traffic in Linkerd with Gateway API (HTTPRoute & TLSRoute)

[rkhizhenok]

Hi Linkerd community,

Problem Statement

I need to restrict egress traffic for applications within a Kubernetes namespace using Linkerd’s egress policies while leveraging the Gateway API with HTTPRoute and TLSRoute. The goal is to enforce strict controls over which external services applications can access, ensuring they only communicate with specific endpoints.

The main challenge is that TLSRoute operates at L4 (transport layer), allowing only hostname-based rules but lacking path-based routing. This limitation makes it impossible to allow access to specific resources (e.g., certain GCP storage buckets) rather than permitting access to an entire host like storage.googleapis.com.

Here is the official documentation for the Gateway API:

TLSRoute Specification
TLSRouteRule Specification

These documents state that hostname is the only available routing mechanism. The rules section does not support defining matches, which is where path-based routing would typically be configured, and this section exists for HTTPRoute:

HTTPRouteRule Specification

In the example below, I use httpbin.org as a test API to demonstrate the issue.
This example is based on materials provided officially by Linkerd.
The official documentation here.

---

Steps Taken

1. Deny all egress traffic by default for injected pods

apiVersion: policy.linkerd.io/v1alpha1
kind: EgressNetwork
metadata:
  name: all-egress-traffic
  namespace: egress-test
spec:
  trafficPolicy: Deny

2. Create an HTTPRoute that allows only path-based access

apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: http-egress
  namespace: egress-test
spec:
  hostnames:
    - httpbin.org
  parentRefs:
    - name: all-egress-traffic
      kind: EgressNetwork
      group: policy.linkerd.io
      namespace: egress-test
      port: 80
  rules:
    - matches:
        - path:
            value: "/ip"
      backendRefs:
        - kind: EgressNetwork
          group: policy.linkerd.io
          name: all-egress-traffic

✅ Allowed:

curl -I http://httpbin.org/ip
HTTP/1.1 200 OK
date: Fri, 21 Feb 2025 11:47:56 GMT
content-type: application/json
content-length: 32
server: gunicorn/19.9.0
access-control-allow-origin: *

❌ Denied:

curl -I http://httpbin.org/
HTTP/1.1 403 Forbidden
content-length: 0
l5d-proxy-error: traffic not allowed
date: Fri, 21 Feb 2025 11:48:00 GMT

3. Create a TLSRoute to allow HTTPS traffic

apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
  name: tls-egress
  namespace: egress-test
spec:
  hostnames:
    - httpbin.org
  parentRefs:
    - name: all-egress-traffic
      kind: EgressNetwork
      group: policy.linkerd.io
      namespace: egress-test
      port: 443
  rules:
    - backendRefs:
        - kind: EgressNetwork
          group: policy.linkerd.io
          name: all-egress-traffic

✅ Allowed:

curl -I https://httpbin.org/
HTTP/2 200
date: Fri, 21 Feb 2025 11:48:04 GMT
content-type: text/html; charset=utf-8
content-length: 9593
server: gunicorn/19.9.0
access-control-allow-origin: *

✅ Allowed:

curl -I https://httpbin.org/ip
HTTP/2 200
date: Fri, 21 Feb 2025 11:48:08 GMT
content-type: application/json
content-length: 32
server: gunicorn/19.9.0
access-control-allow-origin: *

---

Issue

The problem is that TLSRoute works at the transport layer (L4) and does not support path-based routing. This means I cannot allow access exclusively to https://httpbin.org/ip— instead, I must permit all traffic to https://httpbin.org/.

From what I’ve gathered in the Gateway API documentation, HTTPRoute supports HTTPS connections, but I couldn’t find anything explaining whether it can handle this scenario.

Is there a way to enforce path-based routing while still allowing HTTPS traffic? Any guidance or alternative approaches would be greatly appreciated!