Manifests
Allowlists for Outbound Connections
In OBLV Deploy, managing outbound connections for your containers and plugins is crucial for controlling network access and security. You can explicitly define rules for outbound connections in the NitroEnclaveDeployment, ensuring that only approved connections are allowed.
Defining Outbound Connections
The outbound connections schema allows you to specify rules for outbound connections in your containers and plugins. Each outbound connection is represented as an object with the following properties:
Field | Description | Usage |
---|---|---|
fqdn | Stands for Fully Qualified Domain Name, representing the destination of the outbound connection. | Can be specified directly as a string or referenced from a Kubernetes ConfigMap. |
redirects | Specifies whether redirects are allowed for this outbound connection. | Boolean value (true or false). |
port | Specifies the port number for the outbound connection. | Integer specifying the port. |
tls | Specifies whether TLS (Transport Layer Security) should be used for this outbound connection. | Boolean value indicating the use of TLS. |
Usage
Within your custom Kubernetes workload resource, include the outboundConnections attribute and specify the outbound connection rules. You can define multiple outbound connections by adding objects to the array.
Example:
```yaml
containers:
  - name: web
    image: nginx:1.25.3
    outboundConnections:
      # Rule 1: FQDN given directly as a string value
      - fqdn:
          value: example.com
        redirects: true
        port: 443
        tls: true
      # Rule 2: FQDN read from a key inside a ConfigMap
      - fqdn:
          configMap:
            name: fluentbitConfigMap
            key: fluent-bit.yaml
            type: yaml
            ref: "pipeline#outputs#0#host"
        redirects: true
        port: 443
        tls: true
```
In this example:
- The first outbound connection specifies the FQDN example.com directly with TLS enabled on port 443 and allows redirects.
- The second outbound connection retrieves the FQDN from a ConfigMap named fluentbitConfigMap and the specified key within it. It also allows redirects with TLS enabled on port 443.
YAML, JSON, and INI files can be referenced from a ConfigMap for an outbound connection rule.
Understanding the ConfigMap Reference Format for Outbound Connections
ConfigMap references follow a structured format that locates the desired value within the ConfigMap. Let's break down the format "pipeline#outputs#1#host" step by step:
Step | Description | Example |
---|---|---|
Top-Level Key | Begin with the name of the top-level key within the ConfigMap. | pipeline |
Nested Keys | Specify each nested key separated by a "#" symbol. | pipeline#outputs |
Array Index | Indicate the index of the array item. Indexes start from 0. | pipeline#outputs#1 (second item) |
Value Key | Specify the key of the actual value you want to retrieve within the indexed array item. | pipeline#outputs#1#host |
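The lookup described in the table, as an added example that is not OBLV Deploy's own code: it walks a parsed ConfigMap value along a "#"-separated reference so a reviewer can see which hostname an allowlist entry actually points at. The function name `resolve_ref`, the sample data (JSON is used so the example needs only the standard library) and the error handling are assumptions.

```python
import json

def resolve_ref(document, ref):
    """Walk a parsed ConfigMap document along a '#'-separated reference."""
    node = document
    walked = []
    for segment in ref.split("#"):
        walked.append(segment)
        path = "#".join(walked)
        if isinstance(node, list):
            # Array step: the segment must be a zero-based index.
            if not segment.isdecimal():
                raise KeyError(f"{path}: expected an array index, got {segment!r}")
            index = int(segment)
            if index >= len(node):
                raise KeyError(f"{path}: index out of range ({len(node)} items)")
            node = node[index]
        elif isinstance(node, dict):
            # Key step: top-level key, nested key, or the final value key.
            if segment not in node:
                raise KeyError(f"{path}: key not found")
            node = node[segment]
        else:
            raise KeyError(f"{path}: cannot descend into a scalar value")
    # An allowlist entry needs a hostname; reject numbers, maps, lists, empty strings.
    if not isinstance(node, str) or not node:
        raise ValueError(f"{ref}: resolved to {node!r}, not a hostname string")
    return node

# Constructed sample: JSON equivalent of a logging pipeline configuration.
SAMPLE_CONFIG = json.loads("""
{
  "pipeline": {
    "outputs": [
      {"name": "es", "host": "logs-a.example.com", "port": 443},
      {"name": "http", "host": "logs-b.example.com", "port": 443}
    ]
  }
}
""")

if __name__ == "__main__":
    for ref in ("pipeline#outputs#0#host", "pipeline#outputs#1#host"):
        print(ref, "->", resolve_ref(SAMPLE_CONFIG, ref))
```

A reference that fails to resolve, or that resolves to something other than a non-empty string, raises an error instead of returning a value.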