By default block all ingress and egress traffic in k8s pods, allowlist the connections needed
This came up in a conversation on Slack: https://gitlab.slack.com/archives/C0169U3BW3E/p1594108751070300
It can be implemented using k8s NetworkPolicy (note that NetworkPolicy objects are only enforced when the cluster's CNI plugin supports them, e.g. Calico or Cilium; on a CNI without policy support they are accepted by the API server but have no effect) or any other mechanism considered appropriate.
The idea is to start from a default-deny policy and then allowlist only the traffic we trust, for example: https://gitlab.com/gitlab-com/gl-infra/k8s-workloads/gitlab-com/-/blob/master/releases/gitlab/values/values.yaml.gotmpl#L595-655
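As an added illustration of the default-deny plus allowlist pattern (this is example YAML written for this issue, not the chart's own values or anything from the linked file), the two policies below first drop all ingress and egress for every pod in a namespace and then re-open exactly the connections one workload needs. The namespace name `gitlab`, the pod label `app: webservice`, the ingress-controller namespace `ingress-nginx`, port 8080 and the database CIDR `10.0.0.0/24` are all assumptions for the example:

```yaml
# Policy 1: default deny. An empty podSelector selects every pod in the
# namespace; listing both policyTypes with no ingress/egress rules means
# no traffic in either direction is allowed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: gitlab            # assumed namespace
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# Policy 2: allowlist for one workload. Policies are additive, so this only
# re-opens what is listed here for pods labelled app=webservice (assumed label).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: webservice-allowlist
  namespace: gitlab
spec:
  podSelector:
    matchLabels:
      app: webservice
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only the ingress controller namespace may reach the app port.
    # kubernetes.io/metadata.name is set automatically on namespaces
    # from Kubernetes 1.21 onwards; older clusters need a manual label.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx   # assumed
      ports:
        - protocol: TCP
          port: 8080                                      # assumed
  egress:
    # DNS has to be allowlisted explicitly: with default-deny egress,
    # service names stop resolving and the pod fails in confusing ways.
    # namespaceSelector and podSelector in the same entry are ANDed.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # The only other permitted destination: PostgreSQL on the DB subnet.
    - to:
        - ipBlock:
            cidr: 10.0.0.0/24                             # assumed
      ports:
        - protocol: TCP
          port: 5432
```

After applying, verify from inside a selected pod that an allowlisted destination still connects and a non-allowlisted one times out (e.g. `kubectl exec` into the pod and try a TCP connect to the database port versus an arbitrary external host); if both succeed, the CNI is not enforcing policies. Remember that the default-deny policy also blocks traffic to pods that have no allowlist of their own, so every workload in the namespace needs its own allow policy before this is rolled out.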
Edited by Michal Wasilewski