{"id":20329756,"url":"https://github.com/f5devcentral/container-egress-service","last_synced_at":"2025-04-11T21:00:39.022Z","repository":{"id":38850624,"uuid":"427245879","full_name":"f5devcentral/container-egress-service","owner":"f5devcentral","description":"A controller(CES) for controlling container egress traffic. Working with F5 AFM.","archived":false,"fork":false,"pushed_at":"2024-12-16T02:36:51.000Z","size":43180,"stargazers_count":17,"open_issues_count":1,"forks_count":6,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-04-03T11:40:02.201Z","etag":null,"topics":["afm","ces","dynamic-firewall","egress-gateway","network-policy"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/f5devcentral.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"code_of_conduct.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":"SUPPORT.md","governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-11-12T05:43:00.000Z","updated_at":"2024-09-21T13:23:47.000Z","dependencies_parsed_at":"2024-06-20T11:27:30.451Z","dependency_job_id":"e7b509e4-8a0b-42cf-870c-2b5cc43cdfb5","html_url":"https://github.com/f5devcentral/container-egress-service","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f5devcentral%2Fcontainer-egress-service","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f5devcentral%2Fcontainer-egress-service/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f5devcentral%2Fcontainer-egress-service/re
leases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f5devcentral%2Fcontainer-egress-service/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/f5devcentral","download_url":"https://codeload.github.com/f5devcentral/container-egress-service/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248480435,"owners_count":21110936,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["afm","ces","dynamic-firewall","egress-gateway","network-policy"],"created_at":"2024-11-14T20:13:21.853Z","updated_at":"2025-04-11T21:00:38.413Z","avatar_url":"https://github.com/f5devcentral.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"![CES](./ces-logo.png)\n\n[![standard-readme compliant](https://img.shields.io/badge/readme%20style-standard-brightgreen.svg?style=flat-square)](https://github.com/f5devcentral/container-egress-service) [![Action Build Status](https://github.com/f5devcentral/container-egress-service/workflows/Build/badge.svg)](https://github.com/f5devcentral/container-egress-service/actions) [![Docker pull](https://img.shields.io/docker/pulls/f5devcentral/ces-controller)](https://hub.docker.com/r/f5devcentral/ces-controller) [![Issues](https://img.shields.io/github/issues/f5devcentral/container-egress-service)](https://github.com/f5devcentral/container-egress-service/issues) [![Stars](https://img.shields.io/github/stars/f5devcentral/container-egress-service)]() 
[![Go](https://goreportcard.com/badge/github.com/f5devcentral/container-egress-service)](https://goreportcard.com/report/github.com/f5devcentral/container-egress-service) [![License](https://img.shields.io/github/license/f5devcentral/container-egress-service)](./LICENSE) \n\nCES is a solution that helps users manage the outgoing (egress) traffic of k8s pods/containers. It solves the challenge of egress traffic policy control in highly dynamic IP scenarios in a k8s-native way, and provides a wealth of egress control capabilities. Through its hierarchical design, it also solves the multi-role coordination problem among enterprise security, network, platform, and application operation departments.\n\n## Table of Contents\n- [Table of Contents](#table-of-contents)\n- [Background](#background)\n- [Install](#install)\n- [Usage](#usage)\n- [Building](#building)\n- [Challenges solved](#challenges-solved)\n- [Capabilities](#capabilities)\n- [Documents](#documents)\n- [Support](#support)\n- [Community Code of Conduct](#community-code-of-conduct)\n- [Contact](#contact)\n- [License](#license)\n\n\n\n## Background\n\nAs Kubernetes pilot projects transition to enterprise-wide application rollouts, companies must be able to extend their existing enterprise security architecture into the Kubernetes environment. There are 2 challenges here. The first is technical: how to make enterprise security devices work in a highly dynamic IP environment, which introduces additional complexity and risk to traditional processes. The second is the blurry work boundary between the enterprise security team, network team, platform team and application team. Security is not the responsibility of one team; it is shared. The security/network team, platform team and application team should each have a role in, and benefit from, this shared model. \n\nCES is a solution that helps customers resolve these 2 challenges. It provides a k8s-native way to tune k8s egress traffic policy. 
It works with F5 AFM.\n\nThe CES controller runs in k8s and automatically creates policy rules in F5 AFM, regardless of IP changes or scaling.\n\nWith scoped policy design, the security/network team, platform team and application team can all participate in policy setting. Policy management can be delegated or centralized, following the container platform's RBAC. \n\n\u003cimg src=\"https://github.com/f5devcentral/container-egress-service/wiki/img/image-20211205152836043.png\" alt=\"scoped CRD\"/\u003e\n\n\n## Install\n\n1. Download the installation script\n\n```\nwget https://raw.githubusercontent.com/f5devcentral/container-egress-service/master/dist/install.sh\n```\n\n2. Edit the `install.sh` script, setting the following variable values according to the actual environment. For details, check the [wiki](https://github.com/f5devcentral/container-egress-service/wiki/2.CES%E5%AE%89%E8%A3%85)\n\n## Usage\n\n* Please check the [Wiki](https://github.com/f5devcentral/container-egress-service/wiki) for different usages.\n\n* Check YouTube or China Bilibili for video demos. 
Click [here](https://github.com/f5devcentral/container-egress-service/wiki/Demo).\n\n## Building\n\nDocker image:\n```\n#GO_VERSION = 1.16\ngit clone https://github.com/f5devcentral/container-egress-service.git\ncd container-egress-service\nmake release\n```\n\n\n## Challenges solved\n\n- High-frequency changes in outbound traffic caused by container IP dynamics\n- Different role groups have different requirements for the scope setting of the policy, and the policy needs to match the role in multiple dimensions\n- Dynamic bandwidth limit requirements for outbound traffic\n- Protocol in-depth security inspection requirements\n- Advanced requirements for flow programmable based on access control events\n- Visualization requirements for outbound traffic\n\n## Capabilities\n\n- Dynamic IP ACL control with Cluster/Pod/NS granularity\n- Cluster/Pod/NS granular FQDN ACL control\n- Time-based access control\n- Matched flow event trigger and programmable\n- Matched traffic redirection\n- Protocol security and compliance testing\n- IP intelligence\n- Traffic matching log\n- Traffic matching visualization report\n- Protocol detection visual report\n- TCP/IP Errors report\n- NAT control and logging\n- Data flow visualization tracking\n- Visual simulation of access rules\n- Transparent detection mode\n- High-speed log outgoing\n\n\n\n## Documents\n\nCheck [Release notes](https://github.com/f5devcentral/container-egress-service/releases/tag/v0.5.0).\n\nCheck the [Wiki](https://github.com/f5devcentral/container-egress-service/wiki) first.\n\n## Support\n\nFor support, please open a GitHub issue.  Note, the code in this repository is community supported and is not supported by F5.  
For a complete list of supported projects please reference [SUPPORT.md](SUPPORT.md).\n\n## Community Code of Conduct\nPlease refer to the [F5 DevCentral Community Code of Conduct](code_of_conduct.md).\n\n## Contact\n\nj.lin@f5.com\n\n\n\n## License\n\n[Apache License 2.0](./LICENSE)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ff5devcentral%2Fcontainer-egress-service","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ff5devcentral%2Fcontainer-egress-service","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ff5devcentral%2Fcontainer-egress-service/lists"}