Custom IPtables rules for input chain

Alperb · November 13, 2018, 3:56pm

Hello,

I’ve been playing with kubernetes for a while now and I would like to start actually using it. A slight problem is that I only have access to baremetal servers without a firewall or VPC so I depend on iptables rules for safeguarding my servers.

Kubernetes adds its own chains and inserts 2 rules at the top of INPUT chain KUBE-EXTERNAL-SERVICES and KUBE-FIREWALL that accepts all requests. If i change the ordering or the source manually it reverts back to how it was when a change or restart happens.

I have no intention of changing any other chains, i just want to filter what goes into those chains. Is it possible to change or update them and not have it reverted? Or is it possible to prevent k8s inserting them at the top?

Or is there any other way that you would suggest to achieve what i want?

I hope i made it clear enough. Thanks

thockin · November 13, 2018, 10:58pm

Currently kube-proxy is purposely putting its chains first. We have had a chat about making hooks so users could trap before and after, but we don’t have a concrete design yet (seems like a simple patch to implement at least for iptables mode).

Topic		Replies	Views
Add Iptables rule to the Kubernetes nodes General Discussions security , network	1	625	December 12, 2022
How do I configure a custom firewall with kubernetes installed? General Discussions	0	440	May 1, 2023
Kubernetes + Docker + iptables General Discussions	0	2587	November 23, 2019
Kube-proxy iptables save/restore impact on large clusters General Discussions network	0	999	May 2, 2022
Kubernetes custom iptables rules General Discussions loadbalancer , service , metallb , network	6	4232	October 4, 2018

Custom IPtables rules for input chain

Related Topics