We have a lot of services set up by Nodeport and available from external via <node_ip>:<node_port>.

It should be a common requirement that I would like to control the access to certain services, which means the requests from some of IPs may access to it, while others not.

We'd like to use iptables to meet this requirement, which gets a lot of confusion since kubernetes use it to set up communication as well. Do we have any high-level guidance to design/create iptable rule to control k8s service?

Specifically, I am confused in below areas:

1. Which table should I append rules into? I find that lots of rules in nat and filter are created by K8s
2. If I what to disable the access of service from one external IP to certain node, such as telnet <node_ip>:<node_port> should I REJECT on FORWARD or INPUT, or PREROUTING directly?
3. Do these rules depend on specific network plugins (eg flannel or weave)? Whether different plugins have a different way to config rule or not?

For my scenarios, I have below rules to be set up:

1. all nodes in the cluster should have full accessto each other
2. some core services (API) should only be ACCEPT by certain IPs
3. certain services in a port range can be ACCEPT by all IPs
4. REJECT the access to any other services from all IPs (outside of cluster)

k8s version: 1.9.5 network plugin: weave

Best Regards!

/triage support