The kube-restrict-ip configures
iptables rules to restrict access to specified ports of the Kubernetes nodes to defined set of IP addresses.
It creates an
iptables app chain called
KUBE-RESTRICT-IP (could be configured), which contains match rules for user-specified IP addresses (hosts and CIDR ranges). It also creates a rule in
INPUT that jumps to app chain for any traffic bound to restricted ports. All IPs that not match the rules in the app chain are rejected.
Launching as a DaemonSet
This repo includes an example yaml file that can be used to launch the kube-restrict-ip as a DaemonSet in a Kubernetes cluster.
kubectl create -f kube-restrict-ip.yaml
The spec in
kube-restrict-ip.yaml specifies the
kube-system namespace for the DaemonSet Pods.
Command Line Options
--allowed-networks strings allowed networks -t, --check-interval duration config file update check interval (default 60s) -c, --config-file string config file name to watch (implied 'once' if omitted) -h, --help help for kube-restrict-ip --ip-chain string iptables chain name (default "KUBE-RESTRICT-IP") --once run once and exit --restricted-ports strings restricted ports -v, --v Level log level for V logs -V, --version display the build number and timestamp
kube-restrict-ip looks for YAML or JSON configuration file specified by
--config-file command line option.
Config file keys:
restrictedPorts int: A list restricted TCP ports (required).
allowedNetworks string: A list allowed networks in CIDR notation (required).
ipChain string: iptables chain name (optional, default "KUBE-RESTRICT-IP").
checkInterval string: The interval to check config for updates (optional, default 60s). The syntax is any format accepted by Go's time.ParseDuration function.
The docker image of kube-restrict-ip will look for a config file in its container at
/etc/kube-restrict-ip/config.yaml. This file can be provided via a
ConfigMap, so it can be reconfigured in a live cluster by creating or editing this
This repo includes an example config file that could be used to create the
ConfigMap in your cluster:
kubectl create configmap kube-restrict-ip --from-file=config.yaml --namespace=kube-system
Please note that the
ConfigMap in the same namespace as the DaemonSet Pods, and named the
kube-restrict-ip to match the DaemonSet spec. This is necessary for the
ConfigMap to appear in the Pods' filesystems.
- Fork it
- Create your feature branch (
git checkout -b my-new-feature)
- Commit your changes (
git commit -am 'Add some feature')
- Push to the branch (
git push origin my-new-feature)
- Create new Pull Request
kube-restrict-ip is released under the Apache 2.0 license. See LICENSE.txt