I'm working on a Kubernetes project using Cilium, and I've implemented a policy that blocks egress by default to enhance security, especially regarding access to databases in different AWS regions. Access is only allowed for specific workloads that meet certain criteria, like having a specific label. However, I've encountered some resistance from developers regarding the inconveniences caused by this default denial, especially when a simple pod label can grant internet access. I'm curious if others have faced similar challenges and how they manage developer complaints about blocking internet egress by default.
1 Answer
If there's a compliance or governance reason for blocking egress, it's crucial to stand your ground, even if developers are not happy about it. Just make sure you have a clear and well-documented process for devs to request exceptions for egress. This helps manage their expectations and keeps everything organized.
Totally agree! Plus, many developers might not realize just how many compliance rules they might be subject to, like PCI-DSS if they handle credit card info.

Exactly! Documentation is key here. And anyone who pushes for an exception should be prepared to deal with any backlash that comes from those rules.
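To make the pattern from the question concrete, here is an added example (not the asker's manifests or the answer's, written for this page) of the three-part Cilium setup being discussed: a cluster-wide egress default-deny, a cluster-wide allow for DNS so workloads still resolve names, and a namespaced exception that only pods carrying an approval label receive. Cilium puts an endpoint into egress default-deny as soon as any policy with an `egress` section selects it, and an egress rule with no selectors allows nothing, which is what the first policy relies on. The namespace `payments`, the label key `egress-access/db-eu-west-1`, the policy names, and the CIDR `10.20.0.0/24` are all constructed placeholders; substitute the real database subnet (or a `toFQDNs` rule against the database hostname, which also relies on the DNS policy below).

```yaml
# 1) Cluster-wide egress default deny.
#    Selecting every endpoint with a policy that has an egress section
#    switches them all into egress enforcement; the single empty rule
#    carries no toEndpoints/toCIDR/toEntities, so it allows nothing.
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: default-deny-egress            # constructed name
spec:
  endpointSelector: {}
  egress:
    - {}
---
# 2) Cluster-wide DNS allow, otherwise nothing can resolve names.
#    Only kube-dns on UDP/53 is reachable, and the L7 DNS rule gives
#    Hubble visibility into which names workloads look up, which is
#    useful evidence when a developer asks for an exception.
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: allow-dns-egress               # constructed name
spec:
  endpointSelector: {}
  egress:
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s:k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
          rules:
            dns:
              - matchPattern: "*"
---
# 3) The approved exception: only pods in this namespace that carry the
#    approval label may reach the remote-region database subnet on the
#    PostgreSQL port. Nothing else (no other CIDR, no other port) is
#    opened by this policy.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-db-eu-west-1             # constructed name
  namespace: payments                  # constructed namespace
spec:
  endpointSelector:
    matchLabels:
      egress-access/db-eu-west-1: approved   # constructed label key/value
  egress:
    - toCIDRSet:
        - cidr: 10.20.0.0/24           # constructed: placeholder DB subnet
      toPorts:
        - ports:
            - port: "5432"
              protocol: TCP
```

Two practical notes on this layout. First, because the label is the whole control point, the exception process the answer describes should also decide who is allowed to set that label: if developers can add `egress-access/db-eu-west-1: approved` to any pod spec themselves, the review step is bypassed, so restrict it with RBAC on the namespace or an admission policy that rejects unapproved values. Second, check enforcement rather than trusting the manifests: `cilium policy get` on the agent shows the realized rules for an endpoint, and `hubble observe --verdict DROPPED` from a pod without the label should show its database connection attempts being dropped at the egress side.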