在 Kubernetes 节点上实现 iptables 规则 [英] Implementing iptables rules on Kubernetes nodes
问题描述
我想在 Kubernetes(kube-proxy)开始发挥它的魔力之前实现我自己的 iptables 规则,并根据在节点上运行的服务/pod 动态创建规则.kube-proxy 在 --proxy-mode=iptables 中运行.
I would like to implement my own iptables rules before Kubernetes (kube-proxy) start doing it's magic and dynamically create rules based on services/pods running on the node. The kube-proxy is running in --proxy-mode=iptables.
每当我在启动节点时尝试加载规则时,例如在 INPUT 链中,Kubernetes 规则(KUBE-EXTERNAL-SERVICES 和 KUBE-FIREWALL) 插入到链的顶部,即使我的规则也带有 -I 标志.
Whenever I tried to load rules when booting up the node, for example in the INPUT chain, the Kubernetes rules (KUBE-EXTERNAL-SERVICES and KUBE-FIREWALL) are inserted on top of the chain even though my rules were also with -I flag.
我遗漏了什么或做错了什么?
What am I missing or doing wrong?
如果它有某种关联,我正在为 pod 网络使用 weave-net 插件.
If it is somehow related, I am using weave-net plugin for the pod network.
推荐答案
最常见的做法是将所有自定义防火墙规则放在网关上(ADC) 或进入云 安全组.集群安全的其余部分由其他功能实现,例如 网络策略(这取决于网络providers),入口、RBAC 和其他.
The most common practice is to put all custom firewall rules on the gateway(ADC) or into cloud security groups. The rest of the cluster security is implemented by other features, like Network Policy (It depends on the network providers), Ingress, RBAC and others.
查看有关保护集群的文章和Kubernetes 安全 - 最佳实践指南.
这些文章也有助于保护您的集群:
These articles can also be helpful to secure your cluster:
这篇关于在 Kubernetes 节点上实现 iptables 规则的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
