box/kube-iptables-tailer

Setup iptables Log Prefix automatically

benmathews opened this issue · 4 comments

Manually adding these iptables entries is a difficult requirement. It would be great if kube-proxy could create these logging entries directly.

I think this issue is better suited for the Kubernetes repo as an improvement suggestion as that is where kube-proxy is actually maintained. You can check out some kube-proxy related issues on that repo on these links - Link 1 and Link 2.

Maybe kube-iptables-tailer can be made to set those up automatically as well. That's also an option.

In the meantime, if you want to set them up automatically you can add a script to the cloud init of your instances that does exactly that.

In any case, updating the iptables of Kubernetes nodes is a bit tricky since the kube-proxy executes iptables-restore on a regular basis. What you can do there is add the extra configuration for the logs in the file that it restores the iptables from.

Success 😃
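The cloud-init approach suggested in the comment above, as an added example that is not code from kube-iptables-tailer, kube-proxy or the commenter: a POSIX shell script that places a rate-limited LOG rule directly in front of a chain's first DROP rule (or at the end of a chain whose policy is DROP), so that exactly the packets iptables drops are logged with a fixed prefix for the tailer to match. It is safe to re-run on every boot because it checks with `iptables -C` first, and it also has a text-only helper for patching a rule listing that is later fed to `iptables-restore`. The chain name, the prefix and the sample listing are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example, not part of kube-iptables-tailer or kube-proxy.
# Installs a rate-limited LOG rule immediately before the first DROP rule of a
# chain so that exactly the packets iptables drops are logged with a fixed
# prefix, which is what a log tailer then matches on.
# Placeholders: CHAIN (the chain holding your DROP rule) and PREFIX (the prefix
# the tailer is configured to watch). Set IPTABLES=echo for a dry run.
set -eu

IPTABLES="${IPTABLES:-iptables}"

# Text form of the rule specification, rate-limited so a flood of dropped
# packets cannot fill the kernel log. $1 is the log prefix.
log_rule_spec() {
  printf '%s\n' "-m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix \"$1\" --log-level 4"
}

# Given `iptables -S CHAIN` output on stdin, print the 1-based position of the
# first rule that jumps to DROP, or nothing if there is none (the -P policy
# line is not a rule and does not count).
drop_rule_position() {
  awk '/^-A / { n++; if ($0 ~ /-j DROP$/) { print n; exit } }'
}

# Given `iptables -S CHAIN` output on stdin, print the same listing with the
# LOG rule inserted before the first DROP rule, or appended when the chain has
# no DROP rule but a DROP policy. Useful for patching a rule file that is
# later fed to iptables-restore. $1 is the log prefix.
insert_log_rule_text() {
  awk -v spec="$(log_rule_spec "$1")" '
    /^-P / { chain = $2; policy_drop = ($3 == "DROP") }
    /^-A / && !done && /-j DROP$/ { print "-A " $2 " " spec; done = 1 }
    { print }
    END { if (!done && policy_drop) print "-A " chain " " spec }
  '
}

# Live, idempotent variant: a no-op when the identical LOG rule already exists
# (iptables -C exits 0 in that case), so it can run from cloud-init on every
# boot. $1 is the chain, $2 the log prefix.
ensure_log_rule() {
  chain=$1; prefix=$2
  if "$IPTABLES" -C "$chain" -m limit --limit 10/min --limit-burst 20 \
       -j LOG --log-prefix "$prefix" --log-level 4 2>/dev/null; then
    return 0
  fi
  listing=$("$IPTABLES" -S "$chain")
  pos=$(printf '%s\n' "$listing" | drop_rule_position)
  if [ -n "$pos" ]; then
    # Insert at the DROP rule's position so the LOG rule runs just before it.
    "$IPTABLES" -I "$chain" "$pos" -m limit --limit 10/min --limit-burst 20 \
       -j LOG --log-prefix "$prefix" --log-level 4
  elif printf '%s\n' "$listing" | grep -q '^-P [^ ]* DROP$'; then
    # No explicit DROP rule: packets fall through to the DROP policy, so log at the end.
    "$IPTABLES" -A "$chain" -m limit --limit 10/min --limit-burst 20 \
       -j LOG --log-prefix "$prefix" --log-level 4
  else
    echo "$chain has no DROP rule and no DROP policy; nothing to log" >&2
    return 1
  fi
}

# Constructed sample listing shaped like `iptables -S FORWARD`, for the text helpers.
SAMPLE_LISTING='-P FORWARD DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -j ACCEPT
-A FORWARD -j DROP'

# Usage: ./add-log-rule.sh CHAIN PREFIX
if [ "$#" -eq 2 ]; then
  ensure_log_rule "$1" "$2"
fi
```

The rule is inserted at the DROP rule's own position rather than at position 1 on purpose: inserting at the top would log every packet that later matches an ACCEPT, and the tailer would then report drops that never happened. Whatever the prefix is, it has to match what the tailer is configured to look for, and the LOG rule has to survive whatever mechanism rewrites the chain; the `-C` check makes re-applying it harmless.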

Hi @benmathews! Thanks for your interest in this project.

As @vbvkel mentioned in the above comment, Kubernetes repo might be a better place for addressing your suggestion on using kube-proxy to directly create iptables entries. Currently, kube-iptables-tailer focuses on detecting packet drops and reporting them as Kubernetes events based on your configured iptables rules.

Please let us know if you have any further concerns.

Thanks for the suggestions. I added kubernetes/kubernetes#77299

This is not a simple discussion. 🤔

In your original comment, @benmathews, you mentioned that you wanted kube-proxy to be the component responsible for adding the log rules to iptables. I referred you to the Kubernetes repo since that is where kube-proxy is maintained. I should have added a question in that comment about whether that is a good idea. As mentioned by @caseydavenport in kubernetes/kubernetes#77299, this sort of functionality is not necessarily in the scope of kube-proxy. Whether adding user- or component-specified extra iptables rules should be in scope or not is an entirely different discussion.

Here we could conclude that kube-iptables-tailer should be able to add those rules itself (since it is the one needing them). However, this raises a different set of questions, such as whether we want to give third-party tools access to the nodes running the Kubernetes cluster.