Pre-DNAT policy

    A typical use is securing access to Kubernetes NodePorts from outside the cluster. Traffic from outside is addressed to any node's IP address on a known NodePort, and Kubernetes (kube-proxy) then DNATs it to the IP address of one of the pods that backs the corresponding service, and to the relevant port on that pod (which is usually different from the NodePort). Policy that is evaluated after that DNAT sees only the pod IP and pod port, so it cannot tell NodePort traffic apart from other traffic to the pod; pre-DNAT policy sees the original node IP and NodePort and can police it directly.
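    As an added example (not from the Calico documentation or the project's own manifests), the following pair of resources shows the pattern described above: a HostEndpoint for one node's external interface and a pre-DNAT GlobalNetworkPolicy that admits TCP traffic to the default NodePort range only from an assumed trusted client range. The node name, interface name, node IP, the trusted CIDR and the `host-endpoint` label are all assumptions for illustration.

```yaml
# Added example, not part of the original page. Node name, interface,
# node IP, trusted CIDR and the host-endpoint label are assumed values.
apiVersion: projectcalico.org/v3
kind: HostEndpoint
metadata:
  name: node1-eth0                # hypothetical node
  labels:
    host-endpoint: ingress         # label the policy selects on
spec:
  node: node1
  interfaceName: eth0              # assumed external-facing interface
  expectedIPs:
    - 192.0.2.11                   # assumed node IP (documentation range)
---
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: police-nodeports-pre-dnat
spec:
  selector: host-endpoint == 'ingress'
  order: 10
  # Evaluated before kube-proxy's DNAT, so rules match on the node IP and
  # the NodePort rather than on the pod IP and pod port.
  preDNAT: true
  # Calico requires applyOnForward to be true whenever preDNAT is true.
  applyOnForward: true
  # Pre-DNAT policy can only carry ingress rules.
  types:
    - Ingress
  ingress:
    - action: Allow
      protocol: TCP
      source:
        nets:
          - 203.0.113.0/24         # assumed trusted client range
      destination:
        ports:
          - 30000:32767            # Kubernetes default NodePort range
    # Any other TCP traffic to the NodePort range is dropped before DNAT,
    # i.e. before it can be steered to a pod.
    - action: Deny
      protocol: TCP
      destination:
        ports:
          - 30000:32767
```

    Two things to check before applying something like this: the policy must be paired with a HostEndpoint on every node that can receive NodePort traffic (the selector above only matches endpoints carrying the assumed label), and creating a HostEndpoint causes Calico to apply its default host-endpoint behaviour to that interface, so traffic the node itself needs (for example SSH or the kubelet API) must be allowed by normal host endpoint policy or by Calico's failsafe ports; the pre-DNAT policy here only decides what reaches the NodePort range.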

    Besides being applied before any DNAT, pre-DNAT policy is enforced differently from normal host endpoint policy in three key details, reflecting that it is designed for policing incoming traffic from outside the cluster: