Skip to content
master
Switch branches/tags
Go to file
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

README.md

egresstrator

Status

Build Status

What's this egresstrator thing?

Egresstrator will handle and set egress iptables rules for docker containers inside their network namespaces. Egresstrators works by monitoring containers startup events and listening for containers that start with a magic environment variable set: EGRESSTRATOR_ENABLE=1.

If this environment variable is set, egresstrator will start a privileged container and set iptable rules within the container's namespace. By default the provided rule-set will set egress rules only, thus the name!

If egresstrator should be enabled, any keys defined in the environment variable EGRESSTRATOR_ACL=key1,key2 will be set in the namespace.

Rules are defined in Consul's kv.

Rules

Rules will by default be picked up by consul-template from Consul's k/v at: egress/acl/*.

To create rules, make sure the $CONSUL_HTTP_TOKEN has read rights to the path. Then create keys corresponding to the egress traffic rule to be permitted. Rules can have two forms:

  1. An IP address/netmask rule in the form <ip>/<mask>:<proto>/<portdef>. For example:

    10.50.128.0/24:tcp/20000-32000
    10.50.128.0/24:tcp/80 
    0.0.0.0/0:tcp/8080
    10.50.128.0/24:tcp/1337-1600
    
  2. A reference to a service in Consul's service catalog, in the form <tag>.<service> For example:

    production.postgresql
    

Any keys found in egress/acl/* that matches EGRESSTRATOR_ACL=key1,key2 will be applied as iptable rules.

Running egresstrator

Egresstrator is best run through systemd, and takes the below options:

NAME:
   egresstrator - Set egress rules in network namespaces.
   Enable egresstrator with EGRESSTRATOR_ENABLE=1 in your container.
   Specify egress rules with EGRESSTRATOR_ACL=myservice,otherservice

USAGE:
   egresstrator [global options] command [command options] [arguments...]

VERSION:
   0.2.0

COMMANDS:
     set      Set egress rules on specified container
     clear    Clear egress rules on specified container
     help, h  Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --consul value, -c value        Consul address (default: "127.0.0.1:8500") [$CONSUL_HTTP_ADDR]
   --consul-token value, -t value  Consul token [$CONSUL_HTTP_TOKEN]
   --kv-path value, -k value       Consul K/V path for egress ACL's (default: "egress/acl/") [$CONSUL_PATH]
   --template value, -f value      Custom consul template [$CONSUL_TEMPLATE]
   --image value, -i value         Docker image name
   --ssl                           Use SSL when accessing Consul
   --ssl-ca-cert value             Path to a custom SSL CA cert to use when accessing Consul
   --help, -h                      show help
   --version, -v                   print the version

About

Handle egress rules for docker containers

Resources

License

Packages

No packages published