K
Q

how to ban network in k8s container?

8/24/2018

how to ban network in k8s container?

I used k8s to exec some third-party code, and it may be unsecure.

So I use two container(A and B) in one pod, A to get code and pass to B container, B to exec it.

To protect our network, I'd like to disable B's network. But I didn't find any method work.

Methods I have tried:

  1. ifconfig eth0 down, ifdown eth0

  2. iptables -P INPUT DROP, iptables -P OUTPUT DROP

Is there any other methods?

UPDATE: finally, I use iptable to disable network of a user, then switch to the user in container B to execute the code.

Notice: As the network namespace of the two container is the same, iptable rules will take effect in the two container.

-- Zhou
docker
ifconfig
iptables
kubernetes
ubuntu

Similar Questions

Does Kubernetes support ejabberd?
Spring boot log secret.yaml from helm
services is forbidden: User \"system:anonymous\" cannot list services in the namespace \"kube-system\
Kubelet could not register to master after the hostname changed

2 Answers

8/24/2018

https://cilium.io/ Check this project, it allows you to do things like you mention. It allows you to define application-layer and network-layer policies based on the container/pod identity. The demo that is on their page does exactly what your trying to do.

-- Miguel Medina
Source: StackOverflow
8/24/2018

Better not touch the Iptable rules which may cause network connectivity issues in K8s. Try Network Policy in K8s to isolate the pod, kind of disabling network for pods. It is like disabling the network for container in docker

UPDATE

Also I understood that the pod contains 2 containers(A&B). I think, it not possible to disable networking only for container B in that pod.

-- Veerendra Kakumanu
Source: StackOverflow