In Kubernetes ecosystems, ingress controllers and service meshes command attention as gatekeepers for inbound traffic. Yet egress—outbound calls to APIs, databases, and external services—frequently lacks equivalent scrutiny. This visibility gap becomes critical in regulated industries or when answering fundamental security questions: “What exactly is our cluster talking to?”

One developer’s solution bypasses modern cloud-native complexity in favor of a 1990s relic: the Squid proxy. Paired with Kubernetes Network Policies, this setup enforces all egress traffic routing through Squid while logging every external connection. The architecture deliberately avoids heavyweight operators:

  1. Traffic Enforcement: Workloads set HTTP_PROXY/HTTPS_PROXY environment variables pointing to Squid.
  2. Network Lockdown: A NetworkPolicy blocks direct egress, permitting only DNS and proxy-bound traffic.
  3. Logging: Squid records all tunneled connections (destination host/port, timestamps, bytes transferred).

# Example NetworkPolicy (apiVersion, kind, metadata, podSelector, policyTypes
# and the DNS rule are completed here; the original snippet showed only the proxy rule)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: egress-only-via-squid}
spec:
  podSelector: {}              # every pod in this namespace
  policyTypes: [Egress]        # nothing else is allowed out
  egress:
  - ports:                     # DNS (step 2): any destination, port 53
    - {protocol: UDP, port: 53}
    - {protocol: TCP, port: 53}
  - to:                        # Squid (step 1): the proxy's namespace only
    - namespaceSelector:
        matchLabels:
          purpose: egress-control
    ports:
    - protocol: TCP
      port: 3128 # Squid port

Testing used Horizons—a Common Lisp application fetching NASA JPL data—to validate the flow. Each HTTPS call appeared in Squid’s logs as TCP_TUNNEL:HIER_DIRECT, confirming passthrough without SSL interception. For ongoing analysis, GoAccess parsed logs into real-time dashboards showing external host patterns.
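The value of this setup is in the access log, so the following added example (not code from the original article or its author) shows what a small parser does with it before or instead of GoAccess: it reads lines in Squid's default native access.log format, aggregates connections and bytes per destination host, checks that every CONNECT really was a TCP_TUNNEL passed straight through (HIER_DIRECT, no interception), and separates TCP_DENIED entries, which are the attempted connections an ACL blocked. The log lines, host names, client addresses and the allowlist are constructed for the example; the field order assumed is Squid's native format (timestamp, elapsed ms, client, result/status, bytes, method, URL, user, hierarchy/peer, content type).

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample of Squid's native access.log (hosts and addresses are made up;
# 192.0.2.x / 203.0.113.x are documentation ranges).
SAMPLE_LOG = """\
1717000000.101    312 10.244.1.5 TCP_TUNNEL/200 48211 CONNECT api.jpl.example:443 - HIER_DIRECT/192.0.2.10 -
1717000000.907    288 10.244.1.5 TCP_TUNNEL/200 10930 CONNECT api.jpl.example:443 - HIER_DIRECT/192.0.2.10 -
1717000003.414    120 10.244.2.9 TCP_TUNNEL/200  6120 CONNECT mirror.example.org:443 - HIER_DIRECT/203.0.113.7 -
1717000004.002      0 10.244.2.9 TCP_DENIED/403  3921 CONNECT paste.example.net:443 - HIER_NONE/- text/html
1717000005.250     50 10.244.3.1 TCP_MISS/200 1200 GET http://mirror.example.org/index.html - HIER_DIRECT/203.0.113.7 text/html
"""

# One native-format line: ts.ms elapsed client result/status bytes method url user hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)


def parse_line(line):
    """Return a dict for one access.log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc)
    rec["bytes"] = int(rec["bytes"])
    if rec["method"] == "CONNECT":
        # For CONNECT the URL field is just host:port (the TLS tunnel endpoint).
        host, _, port = rec["url"].rpartition(":")
        rec["host"], rec["port"] = host, int(port) if port.isdigit() else None
    else:
        # Plain HTTP through the proxy carries a full URL, so the path is visible.
        parts = urlsplit(rec["url"])
        rec["host"] = parts.hostname
        rec["port"] = parts.port or (443 if parts.scheme == "https" else 80)
    return rec


def summarize(log_text, allowlist=None):
    """Aggregate per destination host (what the dashboard shows) and pull out
    denied, unexpected (CONNECT not tunnelled directly), unparsed and
    not-allowlisted records for review."""
    hosts = defaultdict(lambda: {"connections": 0, "bytes": 0, "clients": set()})
    denied, unexpected, unparsed, unlisted = [], [], [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
            continue
        if rec["result"] == "TCP_DENIED":
            # The ACL refused it: this is the attempted egress you want to see.
            denied.append((rec["client"], rec["host"]))
            continue
        if rec["method"] == "CONNECT" and (
            rec["result"] != "TCP_TUNNEL" or rec["hier"] != "HIER_DIRECT"
        ):
            # A CONNECT that was not passed through directly deserves a look.
            unexpected.append(line)
        if allowlist is not None and rec["host"] not in allowlist:
            unlisted.append((rec["client"], rec["host"]))
        h = hosts[rec["host"]]
        h["connections"] += 1
        h["bytes"] += rec["bytes"]
        h["clients"].add(rec["client"])
    return {
        "hosts": {
            name: {"connections": v["connections"], "bytes": v["bytes"],
                   "clients": sorted(v["clients"])}
            for name, v in hosts.items()
        },
        "denied": denied,
        "unexpected": unexpected,
        "unparsed": unparsed,
        "unlisted": unlisted,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, allowlist={"api.jpl.example"})
    for host, stats in sorted(report["hosts"].items()):
        print(f"{host:24} {stats['connections']:3} conn {stats['bytes']:8} bytes "
              f"from {', '.join(stats['clients'])}")
    print("denied:", report["denied"])
    print("not on allowlist:", report["unlisted"])
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents; the allowlist is optional and only marks hosts for review, it does not block anything, since enforcement stays in Squid's ACLs and the NetworkPolicy.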

Why Simplicity Frays at the Edges

This approach delivers immediate value but exposes limitations:

  • Configuration Fragility: Proxy settings are manual per workload, risking misconfiguration.
  • No TLS Inspection: Without invasive MITM (like ssl-bump), URL paths remain hidden.
  • Coarse Access Control: ACLs apply cluster-wide, not per namespace—a problem for least-privilege environments.

These constraints reveal why enterprises eventually graduate to service meshes. Yet for developers needing quick visibility or compliance with minimal overhead, Squid offers a battle-tested starting point—proving sometimes vintage tools solve cloud-native problems best.

Source: https://interlaye.red/kubernetes_002degress_002dsquid.html