Closed j-zimnowoda closed 2 years ago
Also see discussion in #62
If the {} ingress rule also allows external traffic, shouldn't the expanded form also include a from ipBlock entry?
- ipBlock:
    cidr: 0.0.0.0/0
@j-zimnowoda Good catch. I will merge this one.
@joebowbeer Not really, no. Adding an ipBlock entry with 0.0.0.0/0 will ALSO allow traffic from outside the cluster, for example from a LoadBalancer. You can read about Kubernetes behaviour for source IP on this page [1]. The TL;DR is that if an app is exposed behind a Service of type LoadBalancer, the IP of the client (the caller) will either be NAT'ed behind a Node IP or preserved, depending on the first node the request hits. A 0.0.0.0/0 will allow any traffic regardless of the client. It defeats the purpose of this example, which only allows traffic from one pod to another in the same cluster.
I hope this clarifies it.
thanks
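To make the distinction in this thread concrete, here is an added example (not from the PR or the repository; pod names and labels are constructed): the empty `- {}` ingress rule, an expanded form that only selects pods in the cluster, and the ipBlock variant that would additionally admit non-pod sources such as node or LoadBalancer addresses.

```yaml
# Policy 1: the empty rule. `- {}` matches every source and every port,
# so this allows ingress from anywhere, inside or outside the cluster.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-allow-all          # constructed name
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: web                 # constructed label
  policyTypes:
  - Ingress
  ingress:
  - {}
---
# Policy 2: expanded, pod-only form. An empty namespaceSelector selects
# all namespaces, and with no podSelector alongside it every pod in them.
# There is no ipBlock, so traffic whose source is not a pod (e.g. a NAT'ed
# node IP from a LoadBalancer) is not matched by this rule.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-allow-all-pods     # constructed name
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector: {}
---
# Policy 3: the ipBlock variant raised in the thread. 0.0.0.0/0 matches
# any source address, so this rule admits external traffic as well and
# is no longer limited to pod-to-pod traffic in the cluster.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-allow-any-ip       # constructed name
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 0.0.0.0/0
```

Whether Policy 2 and Policy 3 behave differently for a given LoadBalancer depends on whether the client source IP is preserved or NAT'ed to a node IP, which is the Kubernetes source-IP behaviour the reply above points to.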
I believe a dash is missing. Thanks for providing these great examples!