The TCP mode can be used for generic TCP-based applications. Here is an example:
1kind: Service2metadata:3name: nats4spec:5port: 80806mode: TCP7config:8upstream:9url: tcp://nats-server:8080
Octelium supports a various of TCP-based application-layer protocols such as HTTP, SSH, PostgreSQL and MySQL. Using such modes instead of TCP provides you with features such as L-7 aware access control, secret-less access to upstreams, L-7 aware dynamic configuration and L-7 aware visibility. Read more here.
Access Control
Compared to application-layer aware modes such as HTTP and KUBERNETES where access control happens on every application-layer request where application-layer info are fed to the request context, access control in TCP mode obviously happens only at the beginning of the TCP connection and there is no specific L7 information can be extracted. Here is an example:
1kind: Service2metadata:3name: example-svc4spec:5port: 80806mode: TCP7config:8upstream:9url: tcp://nats-server:808010authorization:11inlinePolicies:12- spec:13rules:14- effect: ALLOW15condition:16match: '"group-1" in ctx.user.spec.groups'
Dynamic Configuration
You can use dynamic configuration in order to, for example, route to different upstreams or use different mTLS certificates (read more about secret-less access via mTLS here) depending on the request's context (read more about dynamic configuration here). Here is an example:
1kind: Service2metadata:3name: ssh14spec:5mode: TCP6config:7upstream:8url: tcp://host-0:90009dynamicConfig:10configs:11- name: host-112upstream:13url: tcp://host-1:900114- name: host-215upstream:16url: tcp://host-2:900217rules:18- condition:19match: '"ops" in ctx.user.spec.groups'20configName: host-121- condition:22match: '"dev" in ctx.user.spec.groups'23configName: host-2
Visibility
The Service emits access logs in real time to the audit collector. Here is an example of a TCP Log:
1{2"apiVersion": "core/v1",3"entry": {4"common": {5"connectionID": "vldv-kx0n-jz20ix83wijy7p605o61puha-zpq6-2z7k",6"endedAt": "2025-03-21T22:28:53.184219118Z",7"isAuthenticated": true,8"isAuthorized": true,9"namespaceRef": {10"apiVersion": "core/v1",11"kind": "Namespace",12"name": "default",13"resourceVersion": "0195b81d-43ec-7ba7-81f7-9b77202b3612",14"uid": "bff0768e-eec8-4044-a972-9f7af81b79d8"15},16"regionRef": {17"apiVersion": "core/v1",18"kind": "Region",19"name": "default",20"uid": "6e233d12-2fd6-4670-a82d-8c712e1f7374"21},22"serviceRef": {23"apiVersion": "core/v1",24"kind": "Service",25"name": "pg2.default",26"resourceVersion": "0195bad1-6f83-7740-8db5-ca41ad514d3f",27"uid": "92e79dbb-5f69-419d-b41d-ca26cb892a4a"28},29"sessionRef": {30"apiVersion": "core/v1",31"kind": "Session",32"name": "usr1-3pt93j",33"resourceVersion": "0195bad0-8169-7c53-a2a4-eef7b5b23880",34"uid": "e8bea7be-b858-4457-a8ee-a0cb7f6c91da"35},36"startedAt": "2025-03-21T22:28:07.494538911Z",37"userRef": {38"apiVersion": "core/v1",39"kind": "User",40"name": "usr1",41"resourceVersion": "0195b821-228d-79b2-92f3-4bb458944f97",42"uid": "e0f251b2-6952-4a46-a771-2712a45c47f5"43}44},45"info": {46"tcp": {47"receivedBytes": "30253",48"sentBytes": "2876",49"type": "END"50}51}52},53"kind": "AccessLog",54"metadata": {55"actorRef": {56"apiVersion": "core/v1",57"kind": "Session",58"name": "usr1-3pt93j",59"resourceVersion": "0195bad0-8169-7c53-a2a4-eef7b5b23880",60"uid": "e8bea7be-b858-4457-a8ee-a0cb7f6c91da"61},62"createdAt": "2025-03-21T22:28:53.184211348Z",63"id": "q41j-e6m6-7wvk7mr90dy36kbbaxtpfmeh-ail9-8z34",64"targetRef": {65"apiVersion": "core/v1",66"kind": "Service",67"name": "pg2.default",68"resourceVersion": "0195bad1-6f83-7740-8db5-ca41ad514d3f",69"uid": "92e79dbb-5f69-419d-b41d-ca26cb892a4a"70}71}72}