Kubernetes custom iptables rules

metallb
service
loadbalancer
network

#1

Hi,
Is it possible to add custom iptables NAT rules in Kubernetes?


#2

This question came up in office hours yesterday. 🙂

Here’s a link to the timestamp where it did:

Hope this helps!

-Jeff


#3

Thanks, jeefy


#4

iptables was mentioned at about 46:20 in the video.

Basic advice was: don't do it. If you feel you need it, we should discuss it here.

@jeefy
My use case for this is that I would like to expose a port that is not in the NodePort range, and I would like to create a NAT redirect from port X (outside the NodePort range) to port Y (inside the NodePort range). So any advice on this one would be great. I have firewalls upstream that I do not control, the ports available are limited, and adding the NodePort range gets denied by the controlling party. I didn't want to change my NodePort range to include the port, as that would create a non-continuous range, and I don't believe that is allowed.

For reference, the API server doc for --service-node-port-range:

--service-node-port-range portRange     Default: 30000-32767
A port range to reserve for services with NodePort visibility. Example: '30000-32767'. Inclusive at both ends of the range.


#5

What you describe with a custom rule should be able to do what you want. Is NodePort the best abstraction? Remember that NodePort is on every node, so it is a very finite resource.


#6

Have you looked into MetalLB as an on-prem provider for Service type LoadBalancer? You could assign it an IP pool and expose the explicit ports that you'd like.
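For readers landing on this thread, here is what the MetalLB approach from the post above looks like in practice. This is an added example, not configuration from the thread or from the MetalLB project: it assumes MetalLB 0.13 or newer (CRD-based configuration) installed in the `metallb-system` namespace, a firewall that already permits `192.0.2.10` on TCP/443, and a client network of `203.0.113.0/24`; the pool name, Service name, addresses, selector and port numbers are placeholders. The external port comes from the Service spec, so it is not constrained by `--service-node-port-range`, and the Service is told not to allocate a NodePort at all so that no extra listener opens on every node.

```yaml
# Added example (not from the thread). Assumes MetalLB >= 0.13 (CRD-based
# configuration) in the metallb-system namespace. Addresses, names and ports
# are placeholders.
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: edge-pool
  namespace: metallb-system
spec:
  addresses:
    - 192.0.2.10/32        # only the address the upstream firewall already allows
  autoAssign: false        # Services must request this pool explicitly (annotation below)
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: edge-l2
  namespace: metallb-system
spec:
  ipAddressPools:
    - edge-pool
---
apiVersion: v1
kind: Service
metadata:
  name: edge-https
  namespace: default
  annotations:
    metallb.universe.tf/address-pool: edge-pool   # pick the restricted pool
spec:
  type: LoadBalancer
  # Do not also open a NodePort on every node for this Service
  # (field is GA in Kubernetes 1.24+).
  allocateLoadBalancerNodePorts: false
  # Restrict which client networks may reach the load-balancer IP;
  # kube-proxy enforces this for LoadBalancer ingress IPs. Placeholder range.
  loadBalancerSourceRanges:
    - 203.0.113.0/24
  # Keep client source IPs visible to the pods; in L2 mode MetalLB then
  # only announces the IP from nodes that run an endpoint.
  externalTrafficPolicy: Local
  selector:
    app: edge-https
  ports:
    - name: https
      protocol: TCP
      port: 443            # the port the firewall allows, outside the NodePort range
      targetPort: 8443     # the container port
```

Apply with `kubectl apply -f` and check `kubectl get svc edge-https` shows `192.0.2.10` under EXTERNAL-IP. `autoAssign: false` plus the pool annotation keeps other Services from silently consuming the firewall-approved address, and `loadBalancerSourceRanges` gives a second, cluster-side filter in front of the port you cannot get opened upstream.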


#7

Just reviewed the project, and I believe it would cover my use case of bypassing the NodePorts.

Thanks,