.. github.com/cilium/cilium@v1.16.2/Documentation/security/policy/caveats.rst

.. only:: not (epub or latex or html)

    WARNING: You are looking at unreleased Cilium documentation.
    Please use the official rendered version released here:
    https://docs.cilium.io

.. _policy_caveats:

*******
Caveats
*******

Security Identity for N/S Service Traffic
=========================================

When accessing a Kubernetes service from outside the cluster, the
:ref:`arch_id_security` assignment depends on the routing mode.

In the tunneling mode (i.e., ``--tunnel-protocol=vxlan`` or ``--tunnel-protocol=geneve``), the request
to the service will have the ``reserved:world`` security identity.

In the native-routing mode (i.e., ``--routing-mode=native``), the security identity
will be set to ``reserved:world`` if the request was sent to the node that runs the
endpoint selected by the LB. If not, i.e., the request needs to be forwarded to
another node after the service endpoint selection, then it will have the
``reserved:remote-node`` security identity.

The latter traffic will match ``fromEntities: cluster`` policies.

Differences From Kubernetes Network Policies
============================================

When creating Cilium Network Policies, it is important to keep in mind that Cilium Network
Policies do not perfectly replicate the functionality of `Kubernetes Network Policies <https://kubernetes.io/docs/concepts/services-networking/network-policies/>`_.
See :ref:`this table <networkpolicy_state>` for differences.
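
The caveat under "Security Identity for N/S Service Traffic", shown as a pair of policies. This is an added illustration, not part of the Cilium documentation; the namespace ``shop``, the labels ``app: api`` and ``app: frontend``, and port 8080 are hypothetical.

```yaml
# Added example. All names, labels and ports below are hypothetical.
#
# Broad: written as "in-cluster callers only". In native-routing mode a
# request from outside the cluster that is forwarded from another node after
# service endpoint selection carries reserved:remote-node, and that traffic
# matches "fromEntities: cluster", so this rule admits it.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-ingress-broad
  namespace: shop
spec:
  endpointSelector:
    matchLabels:
      app: api
  ingress:
    - fromEntities:
        - cluster
---
# Narrower: name the in-cluster callers by label and restrict the port.
# The reserved:remote-node identity does not carry the app=frontend label,
# so forwarded N/S requests are not selected by this rule.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-ingress-labelled
  namespace: shop
spec:
  endpointSelector:
    matchLabels:
      app: api
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: frontend
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
```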