
A configurable filter of iptables rules for port forwarding #896

Open
@ornew

Description


I would like to extend this filter:

var findPortRegex = regexp.MustCompile(`-A\s+CNI-DN-\w*\s+(?:-d ((?:\b25[0-5]|\b2[0-4][0-9]|\b[01]?[0-9][0-9]?)(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}))?(?:/32\s+)?-p (tcp)?.*--dport (\d+) -j DNAT`)

It's probably a process to prevent unintended port forwarding.

Usecase

My usecase is to access the NodePort service on Kubernetes run on lima.

Pod containers using hostPort are set up with a CNI-DN-* chain by the CNI plugin, so automatic port forwarding works without any change.

However, actually using hostPort is painful. It means replicas of pods will not work.

In a basic k8s configuration, using NodePort updates iptables.

For example, when exposing port 80 of an nginx container with NodePort 30010, these are just the related chains:

-A KUBE-NODEPORTS -p tcp -m comment --comment "default/nginx-nodeport" -m tcp --dport 30010 -j KUBE-EXT-CGFVTWEXQTKV5QXW
-A KUBE-EXT-CGFVTWEXQTKV5QXW -m comment --comment "masquerade traffic for default/nginx-nodeport external destinations" -j KUBE-MARK-MASQ
-A KUBE-EXT-CGFVTWEXQTKV5QXW -j KUBE-SVC-CGFVTWEXQTKV5QXW
-A KUBE-SVC-CGFVTWEXQTKV5QXW ! -s 10.244.0.0/16 -d 10.102.188.3/32 -p tcp -m comment --comment "default/nginx-nodeport cluster IP" -m tcp --dport 8000 -j KUBE-MARK-MASQ
-A KUBE-SVC-CGFVTWEXQTKV5QXW -m comment --comment "default/nginx-nodeport -> 10.244.0.159:80" -j KUBE-SEP-4HC2IE63VSQQECKY
-A KUBE-SEP-4HC2IE63VSQQECKY -s 10.244.0.159/32 -m comment --comment "default/nginx-nodeport" -j KUBE-MARK-MASQ
-A KUBE-SEP-4HC2IE63VSQQECKY -p tcp -m comment --comment "default/nginx-nodeport" -m tcp -j DNAT --to-destination 10.244.0.159:80

In this case, automatic port forwarding does not work because the CNI-DN-* chain is not published. However, KUBE-NODEPORTS acts as a DNAT to the target port of the container. If this is included among the targets of port forwarding, we can achieve access to containers on Kubernetes with port forwarding without interfering with the replication of running pods.

I find this very convenient. Would you please consider adding it to your hard-coded rules, or making the rules you want to filter configurable? Thanks!
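As an added example (not lima's code), here is one way the filter could accept both rule kinds: the existing CNI-DN-* DNAT pattern alongside a KUBE-NODEPORTS pattern, run over the KUBE-NODEPORTS and KUBE-SEP lines quoted above plus a constructed CNI-DN-* rule. The chain suffix `abc123` and the 10.4.0.5 address are made up; the simplified IPv4 match stands in for lima's fuller octet regex.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Forward is one host port the filter would expose. Dest is the -d address of a
// CNI-DN-* DNAT rule; it stays empty for KUBE-NODEPORTS rules, which jump to a
// KUBE-EXT-*/KUBE-SVC-* chain rather than to a DNAT target.
type Forward struct {
	Chain string
	Port  int
	Dest  string
}

// cniRegex follows the shape of lima's current filter (simplified IPv4 match).
var cniRegex = regexp.MustCompile(`^-A\s+(CNI-DN-\w*)\s+(?:-d\s+(\d+\.\d+\.\d+\.\d+)(?:/32)?\s+)?-p\s+tcp\b.*--dport\s+(\d+)\s+-j\s+DNAT`)
// nodePortRegex is the proposed extension: accept KUBE-NODEPORTS rules too.
var nodePortRegex = regexp.MustCompile(`^-A\s+(KUBE-NODEPORTS)\s+-p\s+tcp\b.*--dport\s+(\d+)\s+-j\s+KUBE-(?:EXT|SVC)-\w+`)

// SampleRules: the KUBE-NODEPORTS and KUBE-SEP lines from the issue plus a
// constructed CNI-DN-* rule (chain suffix and addresses are made up).
const SampleRules = `-A CNI-DN-abc123 -d 10.4.0.5/32 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.4.0.5:80
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/nginx-nodeport" -m tcp --dport 30010 -j KUBE-EXT-CGFVTWEXQTKV5QXW
-A KUBE-SEP-4HC2IE63VSQQECKY -p tcp -m comment --comment "default/nginx-nodeport" -m tcp -j DNAT --to-destination 10.244.0.159:80`

// FindForwards scans iptables-save output line by line and returns every rule
// either pattern accepts. The KUBE-SEP line is deliberately not matched: its
// chain is neither CNI-DN-* nor KUBE-NODEPORTS, so it is not a host-port entry.
func FindForwards(rules string) []Forward {
	var out []Forward
	for _, line := range strings.Split(rules, "\n") {
		if m := cniRegex.FindStringSubmatch(line); m != nil {
			port, _ := strconv.Atoi(m[3])
			out = append(out, Forward{Chain: m[1], Port: port, Dest: m[2]})
		} else if m := nodePortRegex.FindStringSubmatch(line); m != nil {
			port, _ := strconv.Atoi(m[2])
			out = append(out, Forward{Chain: m[1], Port: port})
		}
	}
	return out
}

func main() {
	for _, f := range FindForwards(SampleRules) {
		fmt.Printf("%-15s port %5d dest %q\n", f.Chain, f.Port, f.Dest)
	}
}
```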
