Custom IPtables rules for input chain



I’ve been playing with kubernetes for a while now and I would like to start actually using it. A slight problem is that I only have access to bare-metal servers without a firewall or VPC, so I depend on iptables rules for safeguarding my servers.

Kubernetes adds its own chains and inserts 2 rules at the top of the INPUT chain, KUBE-EXTERNAL-SERVICES and KUBE-FIREWALL, that accept all requests. If I change the ordering or the source manually, it reverts back to how it was when a change or restart happens.

I have no intention of changing any other chains; I just want to filter what goes into those chains. Is it possible to change or update them and not have it reverted? Or is it possible to prevent k8s inserting them at the top?

Or is there any other way that you would suggest to achieve what I want?

I hope I made it clear enough. Thanks.
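An added audit script (not from the original post, and not part of kube-proxy) that parses `iptables -S INPUT` output and flags when the operator's own rules have ended up below the KUBE-EXTERNAL-SERVICES / KUBE-FIREWALL jumps, i.e. the revert the question describes, so the drift can be detected after a kube-proxy change or restart. The sample chain output, the 203.0.113.0/24 address and the kube-proxy comment text are constructed for the example.

```python
import re
import subprocess

# Chains the question says kube-proxy jumps to from the top of INPUT.
KUBE_CHAINS = ("KUBE-EXTERNAL-SERVICES", "KUBE-FIREWALL")

# Constructed sample of `iptables -S INPUT` output: kube-proxy's jumps are first and
# the operator's SSH allow/deny pair has been pushed below them (the "reverted" state).
SAMPLE_REVERTED = """\
-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES
-A INPUT -j KUBE-FIREWALL
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
"""

def parse_input_rules(text):
    """Return the INPUT rules in evaluation order (the '-A INPUT ...' lines; policy line dropped)."""
    return [ln.strip()[len("-A INPUT "):] for ln in text.splitlines()
            if ln.strip().startswith("-A INPUT ")]

def jump_target(rule):
    """Target of the rule's -j, or None for rules without a jump."""
    m = re.search(r"(?:^|\s)-j\s+(\S+)", rule)
    return m.group(1) if m else None

def audit_input_chain(text, expected_top):
    """Check that every rule in `expected_top` (substrings identifying the operator's own
    rules) sits above the first kube-proxy jump. Returns (first_kube_pos, displaced):
    positions are 1-based; displaced lists the expected rules found below the kube-proxy
    jumps, or missing from the chain entirely (position None)."""
    rules = parse_input_rules(text)
    first_kube = next((i for i, r in enumerate(rules, 1) if jump_target(r) in KUBE_CHAINS), None)
    displaced = []
    for needle in expected_top:
        pos = next((i for i, r in enumerate(rules, 1) if needle in r), None)
        if pos is None or (first_kube is not None and pos > first_kube):
            displaced.append((needle, pos))
    return first_kube, displaced

def live_input_chain():
    """Read the real chain from the running kernel; needs root. Not called on import."""
    return subprocess.run(["iptables", "-S", "INPUT"], check=True,
                          capture_output=True, text=True).stdout

if __name__ == "__main__":
    import sys
    text = live_input_chain() if sys.argv[1:] == ["--live"] else SAMPLE_REVERTED
    first_kube, displaced = audit_input_chain(text, ["--dport 22 -j ACCEPT", "--dport 22 -j DROP"])
    for needle, pos in displaced:
        print(f"DRIFT: rule matching {needle!r} at position {pos}, kube-proxy jump at {first_kube}")
    sys.exit(1 if displaced else 0)
```

Run it with `--live` from a cron job or systemd timer on each node; a non-zero exit means the operator's rules no longer precede the kube-proxy jumps and need to be re-inserted.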


Currently kube-proxy is purposely putting its chains first. We have had a chat about making hooks so users could trap before and after, but we don’t have a concrete design yet (seems like a simple patch to implement at least for iptables mode).