I have an instance that is on an internal subnet 10.128.0.0/20 with IP 10.128.0.53.

I have a kubernetes service defined as:

```
mysql           ExternalName   <none>         10.128.0.53   3306/TCP       151d
```

However, strangely, if I set a firewall rule to only allow 10.128.0.0/20 or 10.128.0.0/9 to the instance (at 10.128.0.53), it won't connect. It's as if the k8s service is gaining access to the subnet by some other means (NAT?).

What firewall rule do I apply to allow access? I do not want to have 0.0.0.0/0 as the source - as it is currently.


When the firewall rule was 0.0.0.0/0, the tshark dump is:

```
chris@mysql8-book-1-vm:~$ sudo tshark -f "tcp port 3306" -i any
Running as user "root" and group "root". This could be dangerous.
Capturing on 'any'
    1 0.000000000  10.4.12.160 → 10.128.0.53  TCP 76 51818 → 3306 [SYN] Seq=0 Win=28400 Len=0 MSS=1420 SACK_PERM=1 TSval=2402747230 TSecr=0 WS=128
    2 0.000055238  10.128.0.53 → 10.4.12.160  TCP 76 3306 → 51818 [SYN, ACK] Seq=0 Ack=1 Win=28160 Len=0 MSS=1420 SACK_PERM=1 TSval=257905306 TSecr=2402747230 WS=128
    3 0.001203683  10.4.12.160 → 10.128.0.53  TCP 68 51818 → 3306 [ACK] Seq=1 Ack=1 Win=28416 Len=0 TSval=2402747232 TSecr=257905306
    4 0.001685970  10.128.0.53 → 10.4.12.160  MySQL 146 Server Greeting proto=10 version=8.0.16
    5 0.002183066  10.4.12.160 → 10.128.0.53  TCP 68 51818 → 3306 [ACK] Seq=1 Ack=79 Win=28416 Len=0 TSval=2402747233 TSecr=257905307
    6 10.006731817  10.128.0.53 → 10.4.12.160  TCP 68 3306 → 51818 [FIN, ACK] Seq=79 Ack=1 Win=28160 Len=0 TSval=257907808 TSecr=2402747233
    7 10.050067244  10.4.12.160 → 10.128.0.53  TCP 68 51818 → 3306 [ACK] Seq=1 Ack=80 Win=28416 Len=0 TSval=2402757279 TSecr=257907808
```
Chris Stryczynski
  • Try [Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) to allow/restrict the access. Alternatively maybe istio? – Crou Jul 01 '19 at 15:32

1 Answer


If I understand it correctly, you have a GKE service running, and you would like other instances within the 10.128.0.0/20 to access your service.

One way of achieving it via FW rules is to create an ingress rule with source range 10.128.0.0/20 and, as target, the GKE nodes' network tags or alternatively the destination service account used by GKE, specifying port and protocol (in your case, TCP 3306).

Lorenz_DR
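Before narrowing a firewall source range, it helps to check it against the client addresses actually observed reaching the instance. The following is an added example, not code from the question or the answer: it parses the tshark lines from the question (a constructed, abbreviated excerpt is embedded), collects the addresses that sent packets to 10.128.0.53:3306, and reports which of them a candidate source range would not cover. On the question's own capture it shows that the client, 10.4.12.160, lies outside both 10.128.0.0/20 and 10.128.0.0/9, which is why those rules block the connection while 0.0.0.0/0 works.

```python
import ipaddress
import re

# Constructed excerpt of the tshark output shown in the question (trailing TCP options trimmed).
CAPTURE = """\
    1 0.000000000  10.4.12.160 → 10.128.0.53  TCP 76 51818 → 3306 [SYN] Seq=0 Win=28400 Len=0
    2 0.000055238  10.128.0.53 → 10.4.12.160  TCP 76 3306 → 51818 [SYN, ACK] Seq=0 Ack=1 Win=28160 Len=0
    4 0.001685970  10.128.0.53 → 10.4.12.160  MySQL 146 Server Greeting proto=10 version=8.0.16
    5 0.002183066  10.4.12.160 → 10.128.0.53  TCP 68 51818 → 3306 [ACK] Seq=1 Ack=79 Win=28416 Len=0
"""

# frame  time  src → dst  proto  len  sport → dport ...  (only lines carrying ports are matched)
LINE_RE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(\S+)\s+→\s+(\S+)\s+(\S+)\s+\d+\s+(\d+)\s+→\s+(\d+)"
)


def inbound_sources(capture: str, server_ip: str, server_port: int) -> set[str]:
    """Return the client IPs that sent packets to server_ip:server_port in the capture."""
    sources = set()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. the MySQL greeting line has no port columns
        src, dst, _proto, _sport, dport = m.groups()
        if dst == server_ip and int(dport) == server_port:
            sources.add(src)
    return sources


def uncovered_sources(sources: set[str], allowed_cidrs: list[str]) -> set[str]:
    """Return the observed sources that none of allowed_cidrs contains.

    Anything returned here would be dropped by an ingress rule restricted to
    allowed_cidrs, so the rule needs another range (or the client a different path).
    """
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    return {s for s in sources if not any(ipaddress.ip_address(s) in n for n in nets)}


if __name__ == "__main__":
    seen = inbound_sources(CAPTURE, "10.128.0.53", 3306)
    for candidate in (["10.128.0.0/20"], ["10.128.0.0/9"], ["0.0.0.0/0"]):
        print(candidate, "does not cover:", uncovered_sources(seen, candidate) or "nothing")
```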