V1.17rc1 multiport traffic security

I noticed that ACLs are not supported, but there’s this new CRD for TrafficPermissions.

I have a use case I would like to do, but not sure how this can work now with TrafficPermissions, or what multi-port would look like with ACLs when it is supported:

  • deny all traffic outside of the service mesh into the namespace dgraph, where the database lives.
  • deny all traffic from within the service mesh (default)
  • allow traffic from approved namespace(s) for database clients, e.g. dgraph-client
  • allow traffic from a load balancer, such as an ingress controller, for approved remote office IPs. The ingress controller will be integrated into the mesh.

For the latter item, I am looking for options to smoke out the feature, and will try an ingress controller that either lives inside the cluster (using an external L4 LB), such as ingress-nginx, or an external LB, such as ingress-gce on GKE or ALB on AWS. I want to test a few options with this.
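As an added illustration (not part of the original post or the Consul project's own docs) of how the second and third bullets map onto the v2 TrafficPermissions CRD: with the mesh defaulting to deny, only an ALLOW rule for the approved client namespace is needed, and per-port scoping is done with `destinationRules.portNames`. The apiVersion, the workload identity names (`dgraph`, `dgraph-client`) and the port names (`grpc`, `http`) are assumptions for this example and must match the identities and port names declared on the actual workloads.

```yaml
# Added example (constructed): allow only the dgraph-client namespace to
# reach the dgraph database, and only on the two named ports.
# Schema assumed: Consul v2 catalog, auth.consul.hashicorp.com/v2beta1.
apiVersion: auth.consul.hashicorp.com/v2beta1
kind: TrafficPermissions
metadata:
  name: dgraph-allow-clients
  namespace: dgraph            # namespace where the database lives
spec:
  destination:
    identityName: dgraph        # assumed workload identity of the database
  action: ALLOW                 # everything not listed here stays denied
  permissions:
    - sources:
        - identityName: dgraph-client   # assumed client identity
          namespace: dgraph-client      # approved client namespace
      destinationRules:
        - portNames:
            - grpc              # assumed port names on the dgraph workload
            - http
```

Traffic that never enters the mesh (no mTLS identity) is not matched by this resource at all; that first bullet is enforced by the mesh's mTLS requirement and the ingress path, not by TrafficPermissions.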