Why I see now there is a need that internal POD and Service CIDR do not overlap with an existing network outside the cluster?

Wondering and trying to understand the requirement that the internal virtual cluster networks must not overlap with an existing network outside the k8s cluster. If they are virtual and internal, and service endpoints in most cases are iptables endpoints (NATed), what is the issue? Can someone please elaborate on where things might go wrong? Unless, for example, the endpoint is down or coredns is down and the service CIDR is routable outside the cluster? Maybe?

I saw the old answer, but it does not say why?

Cluster information:

Kubernetes version: 1.20
Cloud being used: bare-metal on-prem using vsphere cloud provider
Installation method: openshift-install
CNI and version: OVN-Kubernetes
CRI and version: CRI-O

2 main considerations.

  1. Assuming pod-space overlaps with other IPs outside the cluster: If a Pod ever needs to address an IP in the overlapping range, it’s ambiguous. Does a given IP mean a pod in this cluster or a VM outside the cluster?

  2. Assuming pod-space overlaps with node IPs, it could become impossible for the cluster itself to do things like health checks. This case seems unlikely to really happen.

If you know that case 1 cannot happen, that you will never send/receive traffic from overlapping space, then you can get away with overlapping, probably (really depends on the CNI impl). But before you do that, I think you should look at Bringing Traffic Into Your Kubernetes Cluster - Speaker Deck.
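As an added illustration of the two cases in the answer above (not code from the thread or from any Kubernetes project), the following Python check takes the planned pod and service CIDRs plus the node subnet and other networks the cluster must reach, reports every overlapping pair, and shows why a single address becomes ambiguous. The CIDR values are a constructed sample (the pod and service ranges are OpenShift's defaults; the node and VM subnets are made up to collide with them).

```python
# Added example: pre-install sanity check for pod/service CIDR overlap.
# Sample values are constructed; replace them with your own address plan.
import ipaddress
from itertools import combinations

# Constructed sample: the pod CIDR collides with an on-prem VM subnet
# (case 1 in the answer) and the service CIDR collides with the node
# subnet (case 2).
NETWORKS = {
    "podCIDR": "10.128.0.0/14",
    "serviceCIDR": "172.30.0.0/16",
    "nodeSubnet": "172.30.10.0/24",
    "vmSubnet": "10.129.0.0/24",
}

def find_overlaps(networks):
    """Return a sorted list of (name_a, name_b) pairs whose CIDRs overlap."""
    parsed = {name: ipaddress.ip_network(cidr, strict=False)
              for name, cidr in networks.items()}
    overlaps = []
    for (a, net_a), (b, net_b) in combinations(sorted(parsed.items()), 2):
        if net_a.overlaps(net_b):
            overlaps.append((a, b))
    return overlaps

def classify(ip, networks):
    """Names of every range that claims this IP. More than one name means a
    packet to this address could mean a pod, a node or an external host."""
    addr = ipaddress.ip_address(ip)
    return sorted(name for name, cidr in networks.items()
                  if addr in ipaddress.ip_network(cidr, strict=False))

def cluster_ranges_are_clean(networks, cluster_keys=("podCIDR", "serviceCIDR")):
    """True only when neither cluster range overlaps any other network."""
    return not any(a in cluster_keys or b in cluster_keys
                   for a, b in find_overlaps(networks))

if __name__ == "__main__":
    for a, b in find_overlaps(NETWORKS):
        print(f"OVERLAP: {a} ({NETWORKS[a]}) <-> {b} ({NETWORKS[b]})")
    # 10.129.0.7 matches both the pod CIDR and the VM subnet: ambiguous.
    print("10.129.0.7 could be:", classify("10.129.0.7", NETWORKS))
```

Run it against the address plan before `openshift-install` so the overlap is caught on paper rather than as a pod that silently reaches the wrong host.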