Our goal is:
- to allow only API -> DB:3306 traffic, and block all other traffic to the DB pod
- traffic to and from the web and API pods stays unrestricted (no policy needed there)
What we do:
- since Kubernetes allows all pod-to-pod communication by default, we need to block all ingress/egress communication at the DB pod and then allow only what is required
- Note: if we define an ingress policy, the reply traffic for that ingress connection is allowed automatically (no separate egress rule is needed for it)
- the policy below allows ingress traffic from the API pod to the DB pod on port 3306 (the reply egress is allowed by default)
- all other traffic to the DB pod is blocked
Use cases (the selectors available under from/to):
- podSelector
- namespaceSelector
- ipBlock
- if we have multiple API pods in different namespaces:
  - the policy below allows only from the namespace prod (namespaceSelector)
- what if we don't have a podSelector defined, only the namespaceSelector? Then it allows all pods in the prod namespace to communicate into DB:3306
- what if we have a backup server outside of the cluster?
  - then we can define an ipBlock to allow traffic from specific IP addresses
- if we have both specified, then both kinds of traffic are allowed:
  - podSelector AND namespaceSelector -> both have to be met, then ingress is allowed
  - (podSelector AND namespaceSelector) OR ipBlock -> the ipBlock is a separate entry, so this is an OR condition
- if we add a "-" hyphen in front of namespaceSelector, it becomes a separate list item
  - this is considered a separate rule, so it is ORed: any pod in prod OR any pod matching the podSelector is allowed in
- if we have an agent in the DB that pushes to the backup server (egress from DB to backup), the policy also needs an egress rule to the backup server's ipBlock
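The whole setup above, assembled into one NetworkPolicy manifest as an added example (this is not from the original notes); the pod labels, the prod namespace label, the backup server address and the backup port are assumptions:

```yaml
# Added example, not from the original notes. Assumed (constructed) values:
# DB pods labelled role=db, API pods role=api, the prod namespace labelled
# name=prod, backup server at 192.168.5.10 (placeholder), backup agent on TCP 80.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-policy
  namespace: prod
spec:
  podSelector:
    matchLabels:
      role: db             # this policy is enforced on the DB pod(s)
  policyTypes:
  - Ingress
  - Egress               # listing Egress blocks all egress not allowed below
  ingress:
  - from:
    # ONE list item holding both selectors = AND:
    # the pod must be role=api AND live in a namespace labelled name=prod
    - podSelector:
        matchLabels:
          role: api
      namespaceSelector:
        matchLabels:
          name: prod
    # Pitfall from the notes: writing "- namespaceSelector:" as its own list
    # item (note the hyphen) makes it a separate rule, so ANY pod in prod
    # (not just role=api) could reach port 3306.
    # A second list item = OR: the external backup server is also allowed in
    - ipBlock:
        cidr: 192.168.5.10/32
    ports:
    - protocol: TCP
      port: 3306
  egress:
  # the DB backup agent pushes to the backup server (egress from DB to backup)
  - to:
    - ipBlock:
        cidr: 192.168.5.10/32
    ports:
    - protocol: TCP
      port: 80
```

Once Egress is listed in policyTypes, the DB pod can no longer resolve DNS names unless an egress rule to the cluster DNS pods on port 53 (UDP and TCP) is added as well. Running kubectl describe networkpolicy db-policy -n prod shows how the API server parsed the from/to entries, which is the quickest way to confirm whether two selectors landed in one item (AND) or two (OR).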