Authorization Policies: Allow specific non-meshed pod access to meshed pod

Hi! I m setting authorization policies in my application stack, but not all pod are meshed.
So I need to restrict access to meshed pod to only receive traffic from a non-meshed pod.
I read the documentation and seems the only way is using NetworkAuthentication by specifying a CIDR block or the pod’s IP in CIDR notation, but the first approach will allow all the pods that share that CIDR block, and the second approach will work until the pod gets restartted or terminated, because it will change the IP.
Is there another way to accomplish this?

1 Like

Hi @lea_m18

Ultimately, the Linkerd proxy needs some way of determining if a connection should be allowed. If it cannot use mTLS identity (because the source pod is not meshed) and cannot use source IP (for the reasons you stated), then it doesn’t really have any way to authentically know who the connection is coming from and if it should be allowed.

Hi @Alex , thanks for the answer.
So there is no future improvement for this? Like for example, use podSelector, similar to Network policies, or something like that?
Thank you.

That’s right, we don’t have anything like that planned at the moment.