containernetworking / cni

Container Network Interface - networking for Linux containers

Home Page:https://cni.dev


bridge network for blocking external network access.

Nomiby opened this issue · comments

Hello,

I am creating a test cni config for my pod tests on my host.

In docker, we can create an internal only network by specifying --internal while creating the bridge network.
https://docs.docker.com/engine/reference/commandline/network_create/#network-internal-mode

I am just wondering, if I want to achieve a similar network (blocking external network access for my pod), does it mean that I just need to omit the portmap plugin setup? I want to confirm that I am using things the right way.

Thanks!

Omitting portmap sounds right.

It probably depends on what the main plugin is. If bridge, you probably want to turn off things like:

```json
"isDefaultGateway": false,
"ipMasq": false,
"hairpinMode": false,  // maybe?
```

if you want to block external network access initiated from inside as well.
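For reference, here is a complete bridge conflist that puts the reply's suggestions together: no `portmap` chained plugin, no default route in the pod (`isDefaultGateway: false`), no SNAT on the host (`ipMasq: false`) and hairpin off. This is an added example written for this page, not a config shipped by the cni project; the network name, bridge name and the `10.88.0.0/16` subnet are made-up values you would replace with your own.

```json
{
  "cniVersion": "1.0.0",
  "name": "internal-only",
  "plugins": [
    {
      "type": "bridge",
      "bridge": "cni-internal0",
      "isGateway": true,
      "isDefaultGateway": false,
      "ipMasq": false,
      "hairpinMode": false,
      "ipam": {
        "type": "host-local",
        "ranges": [
          [ { "subnet": "10.88.0.0/16" } ]
        ]
      }
    }
  ]
}
```

With this config the pod only gets a route for the `10.88.0.0/16` subnet, so it can reach other pods on the same bridge (and the host via the bridge address, because `isGateway` is still true; set that to false too if the host should be unreachable), but it has no route to anything else and the host performs no masquerading for it. Note that this is the absence of connectivity rather than an enforced boundary: a container that holds `CAP_NET_ADMIN` can add its own default route, and if the host has IP forwarding enabled it may still forward that traffic. If you need the docker `--internal` style guarantee, add a host firewall rule that drops forwarded traffic in and out of `cni-internal0` as well, rather than relying on the missing route alone.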