#Tag
Posts tagged “networking”

Observe first, deny second
Everyone writes network policy from the architecture diagram, and the diagram is always wrong. The only allowlist that survives contact with production is one written from the flows you actually watched — applied out-of-band, proven enforcing, and only then handed to GitOps.

SNAT ate my source IP
A LoadBalancer service with the default traffic policy rewrites every incoming packet's source to the node's own address — so by the time a network policy sees it, the real client is gone. You cannot allowlist a sender the network has already erased.

The most secure inbound port is the one you never open
Exposing self-hosted services to the internet with zero open ports, zero port-forwarding, and the origin's IP never leaving the building.

