Kubernetes custom iptables rules



Is it possible to add custom iptables NAT rules in kubernetes ?


This question came up in office hours yesterday. 🙂

Here’s a link to the timestamp where it did:

Hope this helps!



Thanks jeefy


iptables was mentioned at about 46:20 in the video.

Basic advice was don’t do it. If you feel you need it we should discuss it here.

My use case for this is I would like to expose a port that is not in the NodePort range and I would like to create a NAT redirect from port X (outside the NodePort range) to port Y (inside the NodePort range). So any advice on this one would be great. I have firewalls upstream I do not control and the ports available are limited, and adding the NodePort range gets denied by the controlling party. I didn’t want to change my NodePort range to include the port as that would create a non-continuous range, and I don’t believe that is allowed.

for reference api-doc for node-port-range:

--service-node-port-range portRange Default: 30000-32767
A port range to reserve for services with NodePort visibility. Example: ‘30000-32767’. Inclusive at both ends of the range.


What you describe with a custom rule should be able to do what you want. Is NodePort the best abstraction? Remember that NodePort is on every node, so it is a very finite resource.


Have you looked into MetalLB as an on-prem provider for Service type LoadBalancer? You could assign it an IP pool and expose the explicit ports that you’d like.
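A concrete shape for the MetalLB approach suggested above, as an added example that is not from the thread or from the MetalLB project: an address pool announced in L2 mode plus a LoadBalancer Service that exposes the wanted port directly on the pool address, so the upstream firewall only needs to permit that port rather than the 30000-32767 NodePort range. The pool range (TEST-NET-1), namespace, names and port 8443 are placeholders; `allocateLoadBalancerNodePorts` needs Kubernetes 1.24 or later.

```yaml
# Added example, not from the thread. MetalLB CRDs (metallb.io/v1beta1)
# plus a Service that avoids NodePorts entirely. All names, the address
# range and the port numbers are constructed placeholders.
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: firewall-allowed-pool
  namespace: metallb-system
spec:
  addresses:
    - 192.0.2.10-192.0.2.20   # placeholder range the upstream firewall already permits
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: firewall-allowed-l2
  namespace: metallb-system
spec:
  ipAddressPools:
    - firewall-allowed-pool   # only announce addresses from this pool
---
apiVersion: v1
kind: Service
metadata:
  name: edge-api
  namespace: default
spec:
  type: LoadBalancer
  # MetalLB answers ARP for the assigned pool address, so clients reach
  # the Service port (8443) directly; no port from the NodePort range is
  # on the path and none is opened on every node.
  allocateLoadBalancerNodePorts: false   # skip NodePort allocation (Kubernetes 1.24+)
  externalTrafficPolicy: Local           # keep client source IP; only nodes with a ready pod announce
  selector:
    app: edge-api
  ports:
    - name: https
      protocol: TCP
      port: 8443        # the externally permitted port
      targetPort: 8443  # container port of the selected pods
```

Check the assignment with `kubectl get svc edge-api` (EXTERNAL-IP should come from the pool) and confirm no NodePort column value is shown for the port.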


Just reviewed the project and I believe it would cover my use case of bypassing the NodePorts.