I'm trying to clarify something about NetworkPolicy and CiliumNetworkPolicy. When I set the egress rule to allow traffic to `0.0.0.0/0`, does that mean I'm allowing connections to all endpoints, both internal and external in the cluster, or does it only apply to external endpoints? Also, if I switch to using CiliumNetworkPolicy, does that change anything? Thanks for any help!
3 Answers
Just a heads up, `0.0.0.0/0` refers to all IPv4 traffic. Don’t forget to consider IPv6 as well if that’s a factor for your deployment.
In Cilium specifically, remember that you can't target in-cluster entities like nodes and pods using a CIDR selector. Instead, use the `all` entity to include them.
Yes, allowing `0.0.0.0/0` means traffic is allowed to all IPv4 endpoints, both inside and outside the cluster. However, keep in mind that some cluster resources might have additional Network Policies that could deny access.
In Cilium, it doesn't work quite like that. Their `ipBlock` only matches external traffic; it can't be used for pods within the cluster. Check out [this issue](https://github.com/cilium/cilium/issues/9209) for more details.
How can I set it up to allow external traffic but block internal communication?
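As an added illustration of the two behaviours discussed in this thread (not posted by any of the participants above), here is a plain Kubernetes NetworkPolicy that uses `ipBlock` with `except` to carve the cluster's own ranges out of `0.0.0.0/0`, next to a CiliumNetworkPolicy where `toCIDR: 0.0.0.0/0` on its own already matches only traffic leaving the cluster, because Cilium does not select pods or nodes by CIDR. The pod CIDR, service CIDR, namespace and the kube-dns labels are constructed placeholders; substitute the values from your own cluster.

```yaml
# --- Plain Kubernetes NetworkPolicy (any CNI that enforces the core API) ---
# Egress to every IPv4 address EXCEPT the in-cluster ranges listed under
# "except". The ranges below are assumptions; check your cluster's pod and
# service CIDRs before applying.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-external-only
  namespace: demo            # assumed namespace
spec:
  podSelector: {}            # applies to every pod in the namespace
  policyTypes:
    - Egress
  egress:
    # Rule 1: the whole IPv4 space minus the cluster's own ranges.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8     # assumed pod CIDR
              - 172.20.0.0/16  # assumed service CIDR
    # Rule 2: name resolution still needs to reach cluster DNS, otherwise
    # "external only" silently breaks for anything addressed by hostname.
    # Labels are the common kube-dns ones; verify them in your cluster.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# --- CiliumNetworkPolicy ---
# In Cilium, CIDR selectors never match pods or nodes of the cluster, so
# toCIDR 0.0.0.0/0 allows only traffic to the "world" identity. No "except"
# list is needed to keep in-cluster traffic blocked. If in-cluster traffic
# should be allowed too, add a separate toEntities rule (for example "all",
# as mentioned in the answer above) rather than widening the CIDR.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: egress-external-only
  namespace: demo            # assumed namespace
spec:
  endpointSelector: {}       # every pod in the namespace
  egress:
    - toCIDR:
        - 0.0.0.0/0          # external IPv4 destinations only under Cilium
    # Cluster DNS is an in-cluster endpoint, so it must be allowed explicitly.
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
```

Note that both manifests cover IPv4 only; a dual-stack cluster needs a matching `::/0` rule (with its own `except` ranges in the plain NetworkPolicy case). When the same namespace carries both a NetworkPolicy and a CiliumNetworkPolicy, a connection is allowed if any applicable rule allows it, which is why `0.0.0.0/0` in the core API can unexpectedly open in-cluster traffic that the Cilium policy alone would not.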