DevOps · Flashcard

What does a DNS-aware (FQDN) policy in Cilium allow?

  • AEgress to destinations by domain name — e.g. allow traffic to api.example.com rather than a raw IP
  • BIngress filtered by client hostname — matching the reverse-DNS name of whoever is connecting in
  • CBlocking the cluster's internal DNS — preventing pods from resolving any Service names at all
  • DRewriting DNS responses — changing the IP that a resolved name points to before the pod sees it

Why this is the answer

FQDN policy lets you allow egress by domain name (toFQDNs), with Cilium watching DNS to map names to the IPs it then permits — useful for external APIs with changing addresses. It is not reverse-DNS ingress matching, not a way to block cluster DNS, and not DNS response rewriting.

Official docs
Study in Gnoseed →