monzo / egress-operator

A Kubernetes operator to produce egress gateway Envoy pods and control access to them with network policies
MIT License
249 stars 24 forks source link

CoreDNS plugin question #45

Open mqmr opened 4 months ago

mqmr commented 4 months ago

[NOT A CONTRIBUTION]

Hello,

First of all big thanks for the great project!

I've been playing with it for some time and I wonder if there's a way to allow other, unrestricted, workloads to communicate with allow-listed endpoints directly, i.e. not via proxies. I guess, that should be done at the DNS level, but with lack of CoreDNS knowledge, I cannot see how a DNS view could be created, so DNS rewrites happen to certain workloads only.

I'd appreciate for any advice.

Thank you!

mqmr commented 4 months ago

After googling for a bit, I'd assume, it'd be possible to achieve that with "policy/firewall" plugin - https://github.com/coredns/policy?tab=readme-ov-file#kubernetes-metadata-multi-tenancy-policy