Skip to content

/ egresstrator

Handle egress rules for docker containers

View license
6 stars 1 fork
Star
Notifications
master
Switch branches/tags
6 branches 5 tags
Go to file
Code
Clone

Use Git or checkout with SVN using the web URL.

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
container
 
 
package
 
 
vendor
 
 
.gitignore
 
 
.travis.yml
 
 
LICENSE
 
 
Makefile
 
 
README.md
 
 
egresstrator.go
 
 

README.md

egresstrator

Status

Build Status

What's this egresstrator thing?

Egresstrator will handle and set egress iptables rules for docker containers inside their network namespaces. Egresstrators works by monitoring containers startup events and listening for containers that start with a magic environment variable set: EGRESSTRATOR_ENABLE=1.

If this environment variable is set, egresstrator will start a privileged container and set iptable rules within the container's namespace. By default the provided rule-set will set egress rules only, thus the name!

If egresstrator should be enabled, any keys defined in the environment variable EGRESSTRATOR_ACL=key1,key2 will be set in the namespace.

Rules are defined in Consul's kv.

Rules

Rules will by default be picked up by consul-template from Consul's k/v at: egress/acl/*.

To create rules, make sure the $CONSUL_HTTP_TOKEN has read rights to the path. Then create keys corresponding to the egress traffic rule to be permitted. Rules can have two forms:

  1. An IP address/netmask rule in the form <ip>/<mask>:<proto>/<portdef>. For example:

    10.50.128.0/24:tcp/20000-32000
10.50.128.0/24:tcp/80 
0.0.0.0/0:tcp/8080
10.50.128.0/24:tcp/1337-1600

  2. A reference to a service in Consul's service catalog, in the form <tag>.<service> For example:

    production.postgresql

Any keys found in egress/acl/* that matches EGRESSTRATOR_ACL=key1,key2 will be applied as iptable rules.

Running egresstrator

Egresstrator is best run through systemd, and takes the below options:

NAME:
   egresstrator - Set egress rules in network namespaces.
   Enable egresstrator with EGRESSTRATOR_ENABLE=1 in your container.
   Specify egress rules with EGRESSTRATOR_ACL=myservice,otherservice

USAGE:
   egresstrator [global options] command [command options] [arguments...]

VERSION:
   0.2.0

COMMANDS:
     set      Set egress rules on specified container
     clear    Clear egress rules on specified container
     help, h  Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --consul value, -c value        Consul address (default: "127.0.0.1:8500") [$CONSUL_HTTP_ADDR]
   --consul-token value, -t value  Consul token [$CONSUL_HTTP_TOKEN]
   --kv-path value, -k value       Consul K/V path for egress ACL's (default: "egress/acl/") [$CONSUL_PATH]
   --template value, -f value      Custom consul template [$CONSUL_TEMPLATE]
   --image value, -i value         Docker image name
   --ssl                           Use SSL when accessing Consul
   --ssl-ca-cert value             Path to a custom SSL CA cert to use when accessing Consul
   --help, -h                      show help
   --version, -v                   print the version

About

Handle egress rules for docker containers

Resources

Readme

License

View license

Releases 5

0.2.2 Latest
Feb 3, 2017
+ 4 releases

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages