How to control access to certain NodePorts from outside the cluster via iptables #71810

Open
Cherishty opened this Issue Dec 6, 2018 · 1 comment


Cherishty commented Dec 6, 2018

We have a lot of services set up as NodePort and available externally via <node_ip>:<node_port>.

It should be a common requirement that I would like to control access to certain services, which means requests from some IPs may access them, while others may not.

We'd like to use iptables to meet this requirement, which causes a lot of confusion since Kubernetes uses it to set up communication as well.
Do we have any high-level guidance on designing/creating iptables rules to control k8s services?

Specifically, I am confused about the areas below:

  1. Which table should I append rules to? I find that lots of rules in nat and filter are created by k8s.
  2. If I want to disable access to a service from one external IP to a certain node, such as
     telnet <node_ip>:<node_port>
     should I REJECT on FORWARD or INPUT, or on PREROUTING directly?
  3. Do these rules depend on specific network plugins (e.g. flannel or weave)? Do different plugins have different ways to configure rules?

For my scenario, I have the rules below to set up:

  1. All nodes in the cluster should have full access to each other.
  2. Some core services (API) should only be ACCEPTed from certain IPs.
  3. Certain services in a port range can be ACCEPTed from all IPs.
  4. REJECT access to any other services from all IPs (outside of the cluster).

k8s version: 1.9.5
network plugin: weave

Best Regards!

/triage support
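One way to lay out the four rules from the post above, as an added example that is not part of the issue or of Kubernetes: a dry-run shell script (run with `IPT=iptables` on each node to apply it) that keeps its own chain in the mangle table's PREROUTING, which kube-proxy's nat DNAT has not yet rewritten, so `--dport` still matches the NodePort. The node CIDR, admin IPs and port numbers are constructed placeholders.

```shell
#!/bin/sh
# Dry run by default: prints the iptables commands. Run with IPT=iptables on each node to apply.
IPT="${IPT:-echo iptables}"

# Constructed example values; replace with your cluster's own.
NODE_CIDR="${NODE_CIDR:-10.0.0.0/24}"                # rule 1: add the pod CIDR too if pods call NodePorts
ADMIN_IPS="${ADMIN_IPS:-203.0.113.10 203.0.113.11}"  # rule 2: sources allowed to reach core services
API_PORTS="${API_PORTS:-30443 30080}"                # rule 2: NodePorts of those core services
PUBLIC_RANGE="${PUBLIC_RANGE:-31000:31099}"          # rule 3: NodePorts open to everyone
NODEPORT_RANGE="${NODEPORT_RANGE:-30000:32767}"      # kube-proxy's default --service-node-port-range
CHAIN="K8S-NODEPORT-ACL"

nodeport_acl() {
    # A private chain hooked into mangle PREROUTING: traversed after conntrack (so --ctstate
    # works, unlike in the raw table) but before kube-proxy's nat PREROUTING DNAT, so --dport
    # still sees the NodePort rather than the rewritten pod port. filter INPUT/FORWARD only see
    # the post-DNAT port, which is why rules there appear not to match. TCP only; repeat the
    # jump with -p udp for UDP NodePorts.
    $IPT -t mangle -N "$CHAIN" 2>/dev/null || true
    $IPT -t mangle -F "$CHAIN"
    # Re-hook the jump at position 1 so it runs ahead of whatever kube-proxy or the CNI adds.
    $IPT -t mangle -D PREROUTING -p tcp --dport "$NODEPORT_RANGE" \
         -m conntrack --ctstate NEW -j "$CHAIN" 2>/dev/null || true
    $IPT -t mangle -I PREROUTING 1 -p tcp --dport "$NODEPORT_RANGE" \
         -m conntrack --ctstate NEW -j "$CHAIN"

    # RETURN (rather than ACCEPT) hands an allowed packet back so kube-proxy's own rules still run.
    # 1. all cluster nodes have full access to each other
    $IPT -t mangle -A "$CHAIN" -s "$NODE_CIDR" -j RETURN
    # 2. core services only from the admin IPs
    for ip in $ADMIN_IPS; do
        for port in $API_PORTS; do
            $IPT -t mangle -A "$CHAIN" -s "$ip" -p tcp --dport "$port" -j RETURN
        done
    done
    # 3. the public range is open to all sources
    $IPT -t mangle -A "$CHAIN" -p tcp --dport "$PUBLIC_RANGE" -j RETURN
    # 4. everything else in the NodePort range: rate-limited log (for detection), then drop
    $IPT -t mangle -A "$CHAIN" -m limit --limit 5/min -j LOG --log-prefix "nodeport-acl drop: "
    $IPT -t mangle -A "$CHAIN" -j DROP
}

nodeport_acl
```

Verify with `iptables -t mangle -L K8S-NODEPORT-ACL -n -v` and watch the `nodeport-acl drop:` kernel log lines to see which sources are being refused.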


Cherishty commented Dec 6, 2018

/sig network

@k8s-ci-robot k8s-ci-robot added sig/network and removed needs-sig labels Dec 6, 2018
