I would like to implement my own iptables rules before Kubernetes (kube-proxy) start doing it's magic and dynamically create rules based on services/pods running on the node. The kube-proxy is running in --proxy-mode=iptables
.
Whenever I tried to load rules when booting up the node, for example in the INPUT
chain, the Kubernetes rules (KUBE-EXTERNAL-SERVICES
and KUBE-FIREWALL
) are inserted on top of the chain even though my rules were also with -I
flag.
What am I missing or doing wrong?
If it is somehow related, I am using weave-net plugin for the pod network.
The most common practice is to put all custom firewall rules on the gateway(ADC) or into cloud security groups. The rest of the cluster security is implemented by other features, like Network Policy (It depends on the network providers), Ingress, RBAC and others.
Check out the articles about Securing a Cluster and Kubernetes Security - Best Practice Guide.
These articles can also be helpful to secure your cluster:
来源:https://stackoverflow.com/questions/51857978/implementing-iptables-rules-on-kubernetes-nodes