Kubernetes node firewall

lstz6jyr  posted on 2022-12-29  in  Kubernetes
Follow (0) | Answers (1) | Views (204)

A self-managed bare-metal Kubernetes worker node uses NodePort for incoming traffic (there is a reason for using NodePort). I need to allow incoming connections only to the NodePort port.
This is what I did; it works, but it is not ideal, since Calico and kube-proxy also use iptables:

iptables -I INPUT 1 -i eth1 -p tcp ! --dport 443 -j DROP
iptables -I INPUT 1 -i eth1 -p udp -j DROP
iptables -I INPUT 1 -i eth1 -p icmp -j DROP

This is what I tried with Calico, and it does not work:

apiVersion: projectcalico.org/v3
kind: HostEndpoint
metadata:
  name: node1-eth1
  labels:
    role: k8s-worker
    environment: production
spec:
  interfaceName: eth1
  node: node1
  ports:
    - name: https
      port: 443
      protocol: TCP

Is it possible to achieve this with Calico, or is adding iptables rules the only solution in this case?

guicsvcw

guicsvcw1#

This is my working configuration:

apiVersion: projectcalico.org/v3
kind: FelixConfiguration
metadata:
  name: default
spec:
  bpfLogLevel: ""
  ipipEnabled: true
  logSeverityScreen: Info
  reportingInterval: 0s
  # Field name is camelCase in the FelixConfiguration API; an empty list removes
  # Calico's default failsafe ports (SSH, BGP, etcd, API server, ...), so the
  # policies below are the only thing keeping those ports reachable.
  failsafeInboundHostPorts: []

---

apiVersion: projectcalico.org/v3
kind: HostEndpoint
metadata:
  name: node1-eth1
  labels:
    role: worker-ext
spec:
  interfaceName: eth1
  node: node1

---

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: inbound-external
spec:
  selector: role == 'worker-ext'
  preDNAT: true
  applyOnForward: true
  order: 1
  types:
    - Ingress

  ingress:
    - action: Deny
      protocol: TCP
      destination:
        ports: [22, 68]

    - action: Allow
      protocol: TCP
      destination:
        ports: [443]

---

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: allow-outbound-external
spec:
  selector: role == 'worker-ext'
  applyOnForward: true
  types:
    - Egress
  egress:
    - action: Allow
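
The configuration above only locks the node down because `failsafeInboundHostPorts` is emptied: Calico's failsafe rules are evaluated ahead of any host endpoint policy, so with the defaults in place a `Deny` on port 22 would never take effect, and once they are removed every port the node depends on (BGP 179, kubelet, SSH from a management network) has to be covered by policy explicitly. The following is an added example, not code from the question, the answer or the Calico project: a small offline model of that evaluation order (failsafe first, then first-match over the ingress list) used as a pre-flight check on the answer's `inbound-external` rules before they are applied. The default failsafe list is transcribed from the Calico FelixConfiguration documentation; the `REQUIRED` port list, the source IP and the `Rule` structure are constructed for the example, and an `Unmatched` verdict only means "no rule decided", which is where Calico's own host-endpoint defaults take over.

```python
"""Offline pre-flight model of Calico host-endpoint ingress evaluation.

Added example; a simplified model, not Calico/Felix code. It checks which of a
set of needed ports a GlobalNetworkPolicy ingress list explicitly allows, with
and without the default failsafe ports.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Calico's documented defaults for failsafeInboundHostPorts (protocol, port).
# The answer's FelixConfiguration sets the list to [] and so removes all of them.
DEFAULT_FAILSAFE_INBOUND: List[Tuple[str, int]] = [
    ("tcp", 22), ("udp", 68), ("tcp", 179), ("tcp", 2379), ("tcp", 2380),
    ("tcp", 6443), ("tcp", 6666), ("tcp", 6667),
]


@dataclass
class Rule:
    """One entry of a GlobalNetworkPolicy ingress list (subset of the real fields)."""
    action: str                                            # "Allow" or "Deny"
    protocol: Optional[str] = None                         # "TCP", "UDP" or None = any
    ports: List[object] = field(default_factory=list)      # ints or "lo:hi"; [] = any port
    source_nets: List[str] = field(default_factory=list)   # CIDRs; [] = any source


def _port_matches(spec: object, port: int) -> bool:
    """Match a single port or a Calico-style 'lo:hi' range string."""
    if isinstance(spec, int):
        return spec == port
    lo, hi = (int(x) for x in str(spec).split(":"))
    return lo <= port <= hi


def rule_matches(rule: Rule, proto: str, port: int, src_ip: str) -> bool:
    """True if every constraint the rule sets (protocol, ports, source nets) is met."""
    if rule.protocol and rule.protocol.lower() != proto.lower():
        return False
    if rule.ports and not any(_port_matches(p, port) for p in rule.ports):
        return False
    if rule.source_nets:
        ip = ipaddress.ip_address(src_ip)
        if not any(ip in ipaddress.ip_network(n) for n in rule.source_nets):
            return False
    return True


def evaluate(rules: List[Rule], failsafe: List[Tuple[str, int]], proto: str,
             port: int, src_ip: str = "203.0.113.10") -> str:
    """Verdict for one inbound packet: failsafe ports win before any policy,
    then ingress rules are tried in list order and the first match decides.
    'Unmatched' means no rule decided; treat it as 'not explicitly allowed'."""
    if (proto.lower(), port) in failsafe:
        return "Allow (failsafe)"
    for rule in rules:
        if rule_matches(rule, proto, port, src_ip):
            return rule.action
    return "Unmatched"


def preflight(rules: List[Rule], failsafe: List[Tuple[str, int]],
              required: List[Tuple[str, int]],
              src_ip: str = "203.0.113.10") -> List[Tuple[str, int, str]]:
    """Every (proto, port, verdict) from `required` that is not explicitly allowed."""
    problems = []
    for proto, port in required:
        verdict = evaluate(rules, failsafe, proto, port, src_ip)
        if not verdict.startswith("Allow"):
            problems.append((proto, port, verdict))
    return problems


# The ingress rules of the answer's inbound-external policy, transcribed.
ANSWER_RULES = [
    Rule("Deny", "TCP", [22, 68]),
    Rule("Allow", "TCP", [443]),
]

# Constructed (hypothetical) list of ports assumed to be needed on this node from
# outside: SSH for administration, the NodePort service, kubelet, Calico BGP.
REQUIRED = [("tcp", 22), ("tcp", 443), ("tcp", 10250), ("tcp", 179)]

if __name__ == "__main__":
    print("with default failsafe:", preflight(ANSWER_RULES, DEFAULT_FAILSAFE_INBOUND, REQUIRED))
    print("with failsafe []:     ", preflight(ANSWER_RULES, [], REQUIRED))
```

Run with the defaults, the check reports only kubelet (10250) as undecided, because SSH and BGP are carried by the failsafe list rather than by the policy; with `failsafeInboundHostPorts: []` it reports SSH as denied and both kubelet and BGP as undecided, which is the list of ports to add explicit rules for (for instance an `Allow` on TCP 22 restricted to a management `source.nets`) before applying the lock-down on a node you can only reach remotely.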
