How to control the access to certain Nodeport from external via iptables
We have a lot of services set up as NodePort and available from external via
It should be a common requirement that I would like to control access to certain services, which means requests from some IPs may access them, while others may not.
We'd like to use iptables to meet this requirement, which causes a lot of confusion since Kubernetes uses it to set up communication as well.
Do we have any high-level guidance to design/create iptables rules to control k8s services?
Specifically, I am confused about the areas below:
- Which table should I append rules into? I find that lots of rules in nat and filter are created by K8s
- If I want to disable access to a service from one external IP to a certain node, such as telnet <node_ip>:<node_port>, should I REJECT on
- Do these rules depend on specific network plugins (e.g. flannel or weave)? Do different plugins have different ways to configure rules or not?
For my scenario, I have the rules below to set up:
- all nodes in the cluster should have full access to each other
- some core services (API) should only be ACCEPT by
- certain services in a port range can be ACCEPT by
- REJECT access to any other services from all IPs (outside the cluster)
k8s version: 1.9.5; network plugin: weave
1 Answer
Although you can change iptables on your K8s nodes, I wouldn't recommend making any changes since K8s (kube-proxy) is constantly changing the rules dynamically. In other words, Kubernetes (combined with the overlay) manages iptables for you.
Another way of controlling traffic in/out is to use a service-mesh like Istio.
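As an added example, not code from the question or the answer above: if you do decide to gate a NodePort with iptables on each node, the table choice matters. kube-proxy in iptables mode (the mode on 1.9.x) owns chains in the nat and filter tables, and nat PREROUTING DNATs NodePort traffic to a pod IP and target port before filter INPUT/FORWARD ever see the packet, so a filter rule on --dport <node_port> matches the post-DNAT port, not the NodePort. raw PREROUTING runs before nat PREROUTING, still sees the original destination port, and kube-proxy does not touch it. The helper below builds a per-port chain there with an allow-list of source CIDRs and a final DROP; the chain name NODEPORT-ALLOW-<port> and the CIDRs in the usage block are hypothetical, and the script assumes it is run as root on every node.

```shell
#!/bin/sh
# Added example; not from the question or the answer above.
# Restrict one NodePort to an allow-list of source CIDRs using the raw table,
# which kube-proxy (iptables mode) does not manage and which is evaluated
# before the nat DNAT that rewrites the NodePort to a pod port.
# Assumptions: kube-proxy iptables mode, applied on every node, chain name
# NODEPORT-ALLOW-<port> is our own (hypothetical) convention.
set -eu

# Override to point at a wrapper (e.g. IPTABLES="echo iptables") for a dry run.
IPTABLES="${IPTABLES:-iptables}"

# Emit rule specs, one per line, for the per-port chain: ACCEPT each allowed
# CIDR (ACCEPT in raw only ends traversal of this chain; the packet still goes
# on to nat and filter, so kube-proxy's DNAT still happens), then DROP
# everything else aimed at that port.
# Args: proto port cidr [cidr...]
nodeport_rules() {
  proto=$1; port=$2; shift 2
  for cidr in "$@"; do
    printf '%s\n' "-p $proto --dport $port -s $cidr -j ACCEPT"
  done
  printf '%s\n' "-p $proto --dport $port -j DROP"
}

# Dedicated chain per port, so the allow-list can be rebuilt without
# touching anything else that may live in raw PREROUTING.
chain_name() { printf 'NODEPORT-ALLOW-%s\n' "$1"; }

# (Re)build the chain and make sure exactly one jump to it exists in
# PREROUTING. Idempotent: -N fails if the chain exists (then we flush it),
# and -C checks for the jump before inserting it.
apply_nodeport_allowlist() {
  proto=$1; port=$2; shift 2
  chain=$(chain_name "$port")
  $IPTABLES -t raw -N "$chain" 2>/dev/null || $IPTABLES -t raw -F "$chain"
  nodeport_rules "$proto" "$port" "$@" | while read -r spec; do
    # word-splitting $spec into separate arguments is intended
    $IPTABLES -t raw -A "$chain" $spec
  done
  $IPTABLES -t raw -C PREROUTING -p "$proto" --dport "$port" -j "$chain" 2>/dev/null \
    || $IPTABLES -t raw -I PREROUTING -p "$proto" --dport "$port" -j "$chain"
}

# Usage with hypothetical addresses: the node subnet keeps full access, one
# external /24 may reach NodePort 30080, everything else is dropped before
# the DNAT. Run as:  sh nodeport-allowlist.sh apply
if [ "${1:-}" = "apply" ]; then
  apply_nodeport_allowlist tcp 30080 10.0.0.0/8 203.0.113.0/24
fi
```

The node subnet must be in the allow-list or the "all nodes have full access to each other" requirement breaks, because a NodePort request from another node arrives on the same raw chain. Rules in raw are not persisted across reboots by themselves; whatever applies them (a DaemonSet, cloud-init, or config management) has to re-run on every node, and the same script has to run on every node, since each node answers for the NodePort independently.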