A basic Network Policy controller for your Kubernetes deployment.
Enforces ingress network policy using iptables. The controller is run on each Node as a daemonset.
1. For each selected pod, create a chain in the filter table with a default REJECT policy.
2. Create rules in the FORWARD chain to intercept packets destined to pods selected by network policies. These packets are sent to the chains created in (1).
3. Check the source IP and destination port of the packet: if it matches the ingress rule selector and destination port, ACCEPT it.
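The three steps above, rendered as the iptables commands they produce for one selected pod. This is an added example, not the controller's own code: it only prints the rules so they can be inspected before being applied on a node, and it assumes TCP ports, a pod IP, a list of allowed source IPs and a chain-name prefix of `KNP-POD-` (all hypothetical). Note that a user-defined chain cannot carry a default policy, so the "default REJECT" of step (1) is implemented as a final REJECT rule in the chain.

```shell
#!/bin/sh
# Added example: render per-pod ingress rules without applying them.
set -eu

# Derive a chain name from the pod IP (hypothetical naming scheme).
chain_for_pod() {
  echo "KNP-POD-$(echo "$1" | tr . -)"
}

# render_pod_rules <pod_ip> "<src_ip ...>" "<port ...>"
# Prints the iptables commands for one pod, in the order they must be applied.
render_pod_rules() {
  pod_ip="$1"; sources="$2"; ports="$3"
  chain="$(chain_for_pod "$pod_ip")"
  # Step 1: a per-pod chain in the filter table.
  echo "iptables -t filter -N ${chain}"
  # Step 3: one ACCEPT per (source IP, destination port) pair allowed by the
  # ingress rules. Only TCP is handled here (assumption of this example).
  for src in ${sources}; do
    for port in ${ports}; do
      echo "iptables -t filter -A ${chain} -s ${src} -p tcp --dport ${port} -j ACCEPT"
    done
  done
  # Everything the ingress rules did not accept is rejected ("default REJECT").
  echo "iptables -t filter -A ${chain} -j REJECT"
  # Step 2: divert forwarded packets destined to the pod into the chain. This
  # is emitted last so the chain is complete before traffic hits it, and
  # inserted at position 1 so it is evaluated before other FORWARD rules.
  echo "iptables -t filter -I FORWARD 1 -d ${pod_ip} -j ${chain}"
}

# Constructed sample: pod 10.244.1.7 may receive 80/tcp and 443/tcp from two peers.
render_pod_rules 10.244.1.7 "10.244.2.3 10.244.2.9" "80 443"
```

Pipe the output through `sudo sh` on a node to apply it, or compare it with `iptables -t filter -S` to check what the controller installed.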
- A running Kubernetes 1.4+ cluster, preferably on AWS. Only tested with the [Kubenet](http://kubernetes.io/docs/admin/network-plugins/#kubenet) network plugin.
- Deploy the controller as a daemonset in the `kube-system` namespace: `kubectl --namespace=kube-system create -f mgr-daemonset.yaml`
- `make` to build; `make controller_linux` if you are on Mac/Win to cross compile to Linux; `make container` cross compiles to Linux and builds a container in my namespace.
- Test locally (e.g., on the Kubernetes API server) by
  - running a kubectl proxy: `kubectl proxy --api-prefix=/`
  - running `sudo NODE_NAME=<some node name> make run`
- Use [IPSet](http://ipset.netfilter.org/) instead of multiple iptables rules to match the source IP of packets.
- Ports in the Ingress policy can be names as well as integers: handle named ports (the controller assumes integer ports right now).
- Delete rules that are obsoleted by changes to policies/pods selectively instead of flushing the iptables chain. This should automatically be the case if IPSets are used.
- According to the NetworkPolicy documentation ("DefaultDeny: Pods in the namespace will be inaccessible from any source except the pod’s local node."), ingress rules do not apply to traffic originating from the same host. It is not clear why this should be the case. This controller will block traffic even if it originates on the same host, unless it matches a rule.