About the iptables settings that kube-proxy sets at startup

masato_yoshi · January 22, 2022, 12:55am

The following settings are set in iptables when kube-proxy starts.

Chain KUBE-FORWARD (1 references)

pkts bytes target prot opt in out source destination*
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID*
0 0 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0 /* kubernetes forwarding rules / mark match 0x4000/0x4000
0 0 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0 /* kubernetes forwarding conntrack pod source rule / ctstate RELATED,ESTABLISHED
0 0 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0 /* kubernetes forwarding conntrack pod destination rule / ctstate RELATED,ESTABLISHED

Due to the DROP setting of ctstae invalid, communication will be dropped even if it is not Microk8s communication.

Is it possible not to set the above iptables?

Topic		Replies	Views
Rule to drop packets with ctstate INVALID in KUBE-FORWARD chain General Discussions	0	827	December 18, 2021
Configure host interfaces used by MicroK8s microk8s docs , microk8s	1	6132	December 22, 2022
Custom IPtables rules for input chain General Discussions	1	3045	November 13, 2018
What does "--to-destination :0" mean in iptables rules generated by kube-proxy General Discussions network	2	644	September 14, 2023
Kube-apiserver container is down General Discussions	6	4241	September 20, 2022