I noticed that ACLs are not supported, but there’s this new CRD for TrafficPermissions.
I have a use case I would like to implement, but I'm not sure how it would work now with TrafficPermissions, or what multi-port would look like with ACLs once they are supported:
- deny all traffic from outside the service mesh into the namespace `dgraph`, where the database lives
- deny all traffic from within the service mesh (default)
- allow traffic from approved namespace(s) for database clients, e.g. `dgraph-client`
- allow traffic from a load balancer, such as an ingress controller, for approved remote office IPs. The ingress controller will be integrated into the mesh.
For the latter item, I am looking for options to smoke out the feature. I will try an ingress controller that either lives inside the cluster (using an external L4 LB), such as ingress-nginx, or an external LB, such as ingress-gce on GKE or ALB on AWS. I want to test a few options with this.
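To make the allow rules above concrete, here is how they could be expressed in the v2 `TrafficPermissions` CRD as its `v2beta1` schema is documented (`spec.destination.identityName`, `spec.action`, `spec.permissions[].sources[]`, `spec.permissions[].destinationRules[].portNames`). This is an added illustration, not from the original post or the consul-k8s project. The identity names (`dgraph`, `dgraph-client`, `ingress-nginx`), namespaces and the named port `http` are assumptions, and the example assumes the mesh is running with a default-deny policy so that the two "deny" items are covered implicitly and only ALLOW rules have to be written.

```yaml
# Added illustration (not from the original post or the consul-k8s project).
# Field names follow the v2beta1 TrafficPermissions schema; identity names,
# namespaces and port names are hypothetical.
apiVersion: auth.consul.hashicorp.com/v2beta1
kind: TrafficPermissions
metadata:
  name: dgraph-ingress
  namespace: dgraph                # assumed: namespace where the database lives
spec:
  destination:
    identityName: dgraph           # assumed: workload identity (ServiceAccount) of the database pods
  action: ALLOW                    # only ALLOW rules; anything not listed relies on the mesh's default deny
  permissions:
    # 1. Approved database-client namespace: every identity in it, on every dgraph port.
    - sources:
        - namespace: dgraph-client # assumed client namespace; no identityName = all workloads in it
    # 2. Mesh-integrated ingress controller: allowed only on the port it actually fronts,
    #    which is how the multi-port question is answered in v2 (per-port destinationRules).
    - sources:
        - identityName: ingress-nginx  # assumed: ingress controller's workload identity
          namespace: ingress-nginx     # assumed: its namespace
      destinationRules:
        - portNames:
            - http                     # assumed named port on the dgraph Service; gRPC/admin ports stay closed to it
```

Two caveats worth knowing when testing this: sources in TrafficPermissions are workload identities, not CIDRs, so the "approved remote office IPs" part cannot live in the mesh policy and has to stay at the ingress layer (for ingress-nginx, the `nginx.ingress.kubernetes.io/whitelist-source-range` annotation), with the mesh only trusting the ingress controller's identity; and whether unmatched traffic is denied depends on the mesh's default policy, so confirm that a client outside `dgraph-client` is actually refused before relying on the implicit deny. After applying, `kubectl get trafficpermissions -n dgraph` should list the resource.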