mirrors/kube-router
1
0
Fork 0
mirror of https://github.com/cloudnativelabs/kube-router.git synced 2025-11-30 17:31:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

intercept pod egress traffic going through the OUTPUT chain of filter table and run through the (#875)

Browse Source 
network policies.

Fixes #609
This commit is contained in:
Murali Reddy 2020-04-15 16:34:25 +05:30 committed by GitHub
parent 4c764f5486
commit b5e9bd3069
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 19 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
pkg/controllers/netpol/network_policy_controller.go
View File

@ -879,7 +879,8 @@ func (npc *NetworkPolicyController) syncPodFirewallChains(version string) (map[s
} }
// ensure there is rule in filter table and FORWARD chain to jump to pod specific firewall chain // ensure there is rule in filter table and FORWARD chain to jump to pod specific firewall chain
// this rule applies to the traffic getting routed (coming for other node pods) // this rule applies to the traffic getting forwarded/routed (traffic from the pod destinted
// to pod on a different node)
comment = "rule to jump traffic from POD name:" + pod.name + " namespace: " + pod.namespace + comment = "rule to jump traffic from POD name:" + pod.name + " namespace: " + pod.namespace +
" to chain " + podFwChainName " to chain " + podFwChainName
args = []string{"-m", "comment", "--comment", comment, "-s", pod.ip, "-j", podFwChainName} args = []string{"-m", "comment", "--comment", comment, "-s", pod.ip, "-j", podFwChainName}
@ -894,6 +895,23 @@ func (npc *NetworkPolicyController) syncPodFirewallChains(version string) (map[s
} }
} }
// ensure there is rule in filter table and OUTPUT chain to jump to pod specific firewall chain
// this rule applies to the traffic getting proxied (traffic from the pod accessing service
// resulting in traffic DNAT'ed to a pod IP)
comment = "rule to jump traffic from POD name:" + pod.name + " namespace: " + pod.namespace +
" to chain " + podFwChainName
args = []string{"-m", "comment", "--comment", comment, "-s", pod.ip, "-j", podFwChainName}
exists, err = iptablesCmdHandler.Exists("filter", "OUTPUT", args...)
if err != nil {
return nil, fmt.Errorf("Failed to run iptables command: %s", err.Error())
}
if !exists {
err := iptablesCmdHandler.Insert("filter", "OUTPUT", 1, args...)
if err != nil {
return nil, fmt.Errorf("Failed to run iptables command: %s", err.Error())
}
}
// ensure there is rule in filter table and forward chain to jump to pod specific firewall chain // ensure there is rule in filter table and forward chain to jump to pod specific firewall chain
// this rule applies to the traffic getting switched (coming for same node pods) // this rule applies to the traffic getting switched (coming for same node pods)
comment = "rule to jump traffic from POD name:" + pod.name + " namespace: " + pod.namespace + comment = "rule to jump traffic from POD name:" + pod.name + " namespace: " + pod.namespace +