Document how to block pod-to-pod direct communication except traffic to and from lattice fleet

[liwenwu-amazon]

We need to add document on how to prevent following if customer desires to block them

"
I can bypass any Service level IAM auth policies within a cluster by calling the service "direct" using the kube dns host (app.namespace) rather than the app’s lattice host, as the request does not go via lattice so is not subject to its rules. Are there any thoughts here? As mentioned in the other queries it would be great if kube users just use kube dns styles hosts everywhere and the platform transparently routes them through lattice
"

[ph-l]

Hi, I noticed this part from the GAMMA docs

A typical east/west API request flow when a GAMMA-compliant mesh is in use looks like:

A client workload makes a request to http://foo.ns.service.cluster.local/.
The mesh data plane intercepts the request and identifies it as traffic for the Service foo in Namespace ns.
The data plane locates Routes associated with the foo Service, then:

a. If there are no associated Routes, the request is always allowed, and the foo workload itself is considered the destination workload.

b. If there are associated Routes and the request matches at least one of them, the backendRefs of the highest-priority matching Route are used to select the destination workload.

c. If there are associated Routes, but the request matches none of them, the request is rejected.

The data plane routes the request on to the destination workload (most likely using endpoint routing, but it is allowed to use Service routing).

Are there plans to route Kube DNS hostnames through Lattice?