ahmetb / kubernetes-network-policy-recipes

Example recipes for Kubernetes Network Policies that you can just copy paste
Apache License 2.0
5.69k stars 1.73k forks

add missing dash #83

Closed j-zimnowoda closed 2 years ago

j-zimnowoda commented 2 years ago

I believe a dash is missing. Thanks for providing these great examples!

joebowbeer commented 2 years ago

Also see discussion in #62

If the {} ingress rule also allows external traffic, shouldn't the expanded form also include a from ipBlock entry?

    - ipBlock:
        cidr: 0.0.0.0/0

boredabdel commented 2 years ago

@j-zimnowoda Good catch. I will merge this one.

@joebowbeer Not really, no. Adding an ipBlock entry with 0.0.0.0/0 will ALSO allow traffic from outside the cluster, for example from a LoadBalancer. You can read about Kubernetes behaviour for source IP on this page [1]. The TL;DR is that if an app is exposed behind a Service of type LB, the IP of the client (the caller) will either be NAT'ed behind a Node IP or preserved, depending on the first node the request hits. A 0.0.0.0/0 will allow any traffic regardless of the client. It defeats the purpose of this example, which only allows traffic from one pod to another in the same cluster.

I hope this clarifies it.

[1] https://kubernetes.io/docs/tutorials/services/source-ip/
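To make the difference between the three forms discussed above concrete, here is a small Python model of NetworkPolicy ingress matching. It is an added illustration, not code from the kubernetes-network-policy-recipes repo and not a CNI implementation: it handles only `matchLabels` selectors, `ipBlock` with `cidr`/`except`, and the "rule with no `from` matches everything" behaviour, and it treats an Internet client that was SNAT'ed to a node IP as just another non-pod source with that IP. The namespaces, labels, pod IPs and the two client IPs are constructed sample values.

```python
"""Constructed model of Kubernetes NetworkPolicy ingress evaluation (not a CNI)."""
import ipaddress

# Constructed namespace labels for the sample cluster.
NAMESPACE_LABELS = {"default": {"team": "web"}, "monitoring": {"team": "ops"}}


def pod(name, namespace, labels, ip):
    return {"kind": "pod", "name": name, "namespace": namespace, "labels": labels, "ip": ip}


def external(name, ip):
    # A non-pod source: an Internet client with its IP preserved, or the node IP
    # it was SNAT'ed to on the way in through a LoadBalancer/NodePort.
    return {"kind": "external", "name": name, "ip": ip}


def selector_matches(selector, labels):
    # matchLabels semantics only; an empty selector ({}) matches everything.
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, source, policy_ns):
    """One entry of an ingress rule's `from` list."""
    if "ipBlock" in peer:
        ip = ipaddress.ip_address(source["ip"])
        block = peer["ipBlock"]
        if ip not in ipaddress.ip_network(block["cidr"]):
            return False
        return not any(ip in ipaddress.ip_network(c) for c in block.get("except", []))
    if source["kind"] != "pod":
        return False  # podSelector / namespaceSelector only ever match pods
    if "namespaceSelector" in peer:
        ns_labels = NAMESPACE_LABELS.get(source["namespace"], {})
        if not selector_matches(peer["namespaceSelector"], ns_labels):
            return False
    elif source["namespace"] != policy_ns:
        return False  # a lone podSelector is scoped to the policy's own namespace
    return selector_matches(peer.get("podSelector", {}), source["labels"])


def rule_matches(rule, source, policy_ns):
    peers = rule.get("from")
    if not peers:  # `- {}` (or an empty `from`) matches every source, external ones included
        return True
    return any(peer_matches(p, source, policy_ns) for p in peers)


def ingress_allowed(policy, source):
    """True if the policy admits traffic from `source` to the pods it selects."""
    ns = policy["metadata"].get("namespace", "default")
    return any(rule_matches(r, source, ns) for r in policy["spec"].get("ingress", []))


def policy(name, ingress):
    return {"metadata": {"name": name, "namespace": "default"},
            "spec": {"podSelector": {"matchLabels": {"app": "web"}},
                     "policyTypes": ["Ingress"], "ingress": ingress}}


# The forms under discussion, written as the API objects they would become.
POLICIES = {
    "allow-all": policy("allow-all", [{}]),
    "any-pod-in-cluster": policy("any-pod", [{"from": [{"namespaceSelector": {}, "podSelector": {}}]}]),
    "ipblock-any": policy("ipblock-any", [{"from": [{"ipBlock": {"cidr": "0.0.0.0/0"}}]}]),
    "one-pod": policy("one-pod", [{"from": [{"podSelector": {"matchLabels": {"app": "bookstore"}}}]}]),
}

# Constructed sources, including the two shapes an external client can take.
SOURCES = [
    pod("bookstore", "default", {"app": "bookstore"}, "10.244.1.5"),
    pod("prometheus", "monitoring", {"app": "prometheus"}, "10.244.2.9"),
    external("internet-client-preserved", "203.0.113.7"),
    external("internet-client-snat-node-ip", "192.168.1.10"),
]


def evaluate(policy_name):
    """Map each sample source to whether the named policy lets it in."""
    p = POLICIES[policy_name]
    return {s["name"]: ingress_allowed(p, s) for s in SOURCES}


if __name__ == "__main__":
    for name in POLICIES:
        print(f"{name:20s} {evaluate(name)}")
```

Running it shows why the reply above rejects the ipBlock suggestion: `allow-all` and `ipblock-any` admit both external clients as well as every pod, `any-pod-in-cluster` admits pods from any namespace but nothing external, and `one-pod` admits only the `bookstore` pod in the policy's own namespace. Whether a real CNI sees a SNAT'ed external client as the node IP, and how it treats node IPs, depends on the CNI and on `externalTrafficPolicy`; the model only reproduces the policy-matching half of that story.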

j-zimnowoda commented 2 years ago

thanks