Tigera: Locking Down the Back Door: Egress Security for Kubernetes with DNS Policies and Egress Gateways

Online

Most Kubernetes security efforts focus on what comes in—ingress rules, admission controllers, network policies for east-west traffic. But the back door is often left wide open. By default, every pod in your cluster can reach any IP address on the internet, and in many environments, that default is never changed. This is exactly the gap attackers exploit: a compromised workload with unrestricted egress can exfiltrate data, establish command-and-control channels, or pivot to external systems without triggering a single alert.

In this demo, we start with a cluster running the typical “allow all outbound” posture and systematically lock it down. Using Calico’s Unified Platform, we implement DNS-based egress policies that restrict outbound traffic to explicitly approved domains, then route that traffic through egress gateways for centralized control and logging. You will see the journey from zero egress visibility to a fully auditable, least-privilege outbound posture—step by step, in a real Kubernetes environment.

You will learn:

  • From Allow-All to Least-Privilege: Start with a default Kubernetes cluster and progressively tighten egress controls—see exactly what changes at each step and how workloads behave as policies are applied.
  • DNS-Based Egress Policies: Implement domain-level allowlists that let workloads reach approved external services by name, without maintaining brittle IP-based rules that break every time a cloud provider rotates addresses.
  • Egress Gateway Routing: Route all approved outbound traffic through dedicated egress gateways, giving you a single enforcement point for logging, inspection, and control of everything leaving the cluster.
  • Detecting Unauthorized Egress Attempts: Use Calico’s flow logs and observability dashboard to identify workloads attempting to reach unapproved destinations—turning blocked connections into actionable security intelligence.

Join us to see how platform engineers can close the most overlooked gap in Kubernetes security—and take egress from wide open to fully controlled in a single session.
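The posture the session walks through, written out as an added Calico configuration example (not material from the session or from Tigera): an allow rule for name resolution, a domain allowlist for one workload, and a final deny for everything else leaving the cluster. It assumes the Calico Enterprise/Cloud projectcalico.org/v3 API, a workload labelled app == 'payments', and api.example.com as a placeholder approved domain.

```yaml
# Added illustration, not from the Tigera session. Assumes Calico Enterprise /
# Calico Cloud (projectcalico.org/v3), a workload labelled app == 'payments',
# and the placeholder approved domain api.example.com.
---
# 1. Every workload may still resolve names via kube-dns. DNS-based policy
#    relies on Calico observing these DNS answers, so this rule must stay open.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: allow-kube-dns
spec:
  order: 10
  selector: all()
  types: [Egress]
  egress:
    - action: Allow
      protocol: UDP
      destination:
        namespaceSelector: projectcalico.org/name == 'kube-system'
        selector: k8s-app == 'kube-dns'
        ports: [53]
---
# 2. The payments workload may reach only the approved destination, by name.
#    Calico learns the IPs from the DNS response, so address rotation is handled.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: payments-approved-egress
spec:
  order: 100
  selector: app == 'payments'
  types: [Egress]
  egress:
    - action: Allow
      destination:
        domains:
          - api.example.com
---
# 3. Everything else leaving the cluster is denied. In-cluster (east-west)
#    flows are passed on to later policies so this only governs the back door.
#    Denied flows appear in flow logs as the "unauthorized egress" signal.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default-deny-external-egress
spec:
  order: 1000
  selector: all()
  types: [Egress]
  egress:
    - action: Pass
      destination:
        namespaceSelector: all()
        selector: all()
    - action: Deny
```

Apply the deny policy last, after confirming in the flow logs that the allow rules cover every legitimate destination; a resolver that answers over TCP needs a matching TCP/53 rule in the first policy.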