K
Q

Implementing iptables rules on Kubernetes nodes

8/15/2018

I would like to implement my own iptables rules before Kubernetes (kube-proxy) start doing it's magic and dynamically create rules based on services/pods running on the node. The kube-proxy is running in --proxy-mode=iptables.

Whenever I tried to load rules when booting up the node, for example in the INPUT chain, the Kubernetes rules (KUBE-EXTERNAL-SERVICES and KUBE-FIREWALL) are inserted on top of the chain even though my rules were also with -I flag.

What am I missing or doing wrong?

If it is somehow related, I am using weave-net plugin for the pod network.

-- Luminance
iptables
kube-proxy
kubernetes

Similar Questions

kubectl port-forward reports `error: error upgrading connection: unable to upgrade connection: pod does not exist`
Which names should be same in this k8s yaml
Kubernetes NFS server pod mount works with pod ip but not with kubernetes service
Exposing Istio Ingress Gateway as NodePort to GKE and run health check

1 Answer

8/16/2018

The most common practice is to put all custom firewall rules on the gateway(ADC) or into cloud security groups. The rest of the cluster security is implemented by other features, like Network Policy (It depends on the network providers), Ingress, RBAC and others.

Check out the articles about Securing a Cluster and Kubernetes Security - Best Practice Guide.

These articles can also be helpful to secure your cluster:

-- VAS
Source: StackOverflow