Kubernetes security between POD communication

8/24/2019

I am learning Kubernetes and trying to understand basic architecture and security.

Here is one of the possible architectures I am trying to build:

[image: Kubernetes basic architecture]

I am also planning to have an SSO type of implementation within the cluster which will be able to provide auth for ingress rules.

So below are some types of connections:

  • Internet connection - This can have all three security mechanisms, based on the ingress controller configuration and the ingress rule definitions.
  • Ingress to POD connection - Authentication and authorization can be ignored (correct me if I am wrong), as these are internal connections and cannot be made from outside if only the ingress is exposed. Is it possible to have TLS, as PODs can be on different nodes in the cluster and may go over the public internet?
  • POD to POD connection - This is similar to the above, as PODs may be on different nodes, so TLS must be required. Auths can be ignored, I guess.
  • POD to storage connection - Using a PVC or a volume claim template (for a StatefulSet) to get a PV, which can be provisioned backed by a storage class. But how is the connection between the POD and the storage made? Does it cross the internet? Auths are not required, but if it crosses the public internet, what about TLS?

I see someone suggesting an ingress controller for each POD. Will it not be too much if only SSL is required?

-- Chaturvedi Dewashish
authentication
authorization
kubernetes
security
ssl

0 Answers
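As an added illustration of the "Internet connection" and "Ingress to POD connection" items in the question (editor's example, not part of the original post or any answer): a single cluster-wide ingress controller terminates TLS for every application, so there is no need for one controller per pod, and a NetworkPolicy is what makes "internal, not reachable from outside" an enforced property rather than an assumption. The namespace `shop`, the app label `app: web`, the Secret `web-tls`, the service port 8080, the ingress class `nginx` and the controller namespace `ingress-nginx` are all assumptions chosen for the example.

```yaml
# Added example, not from the original question. All names below are assumptions.
# Part 1: the Ingress object carries the TLS certificate; the cluster's one
# ingress controller (assumed class "nginx") terminates HTTPS for the app.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
  namespace: shop
spec:
  ingressClassName: nginx            # assumed: whatever class your controller registers
  tls:
    - hosts:
        - web.example.com            # assumed hostname
      secretName: web-tls            # a kubernetes.io/tls Secret in namespace "shop"
  rules:
    - host: web.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web            # assumed ClusterIP Service in front of the pods
                port:
                  number: 8080
---
# Part 2: restrict who may open connections to the app pods at all.
# Only the ingress controller's namespace and pods in the same namespace
# can reach port 8080; everything else in the cluster is dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-from-ingress-controller-only
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: web                       # assumed pod label
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              # kubernetes.io/metadata.name is set automatically on every
              # namespace since Kubernetes 1.21; on older clusters label the
              # namespace yourself. "ingress-nginx" is an assumed namespace.
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8080
    - from:
        - podSelector: {}            # any pod in namespace "shop" (empty selector)
      ports:
        - protocol: TCP
          port: 8080
```

The certificate referenced by `secretName` is created with `kubectl -n shop create secret tls web-tls --cert=tls.crt --key=tls.key`. Two caveats a practitioner should check before relying on this: a NetworkPolicy is only enforced if the cluster's CNI plugin implements it (for example Calico or Cilium do; a CNI without policy support silently ignores the object), and the policy restricts reachability but does not encrypt anything, so if pod-to-pod traffic itself must be TLS-protected the application has to speak TLS or a service mesh has to provide mTLS between the pods.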