Kubelet not managing IP tables
This product is not supported for your selected
Datadog site. (
).
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Id: 5f89001f-6dd9-49ff-9b15-d8cd71b617f4
Cloud Provider: k8s
Framework: Kubernetes
Severity: Medium
Category: Networking and Firewall
Learn More
Description
The kubelet argument --make-iptables-util-chains should be set to true.
Compliant Code Examples
apiVersion: v1
kind: Pod
metadata:
name: command-demo
labels:
purpose: demonstrate-command
spec:
containers:
- name: command-demo-container
image: foo/bar
command: ["kubelet"]
args: ["--make-iptables-util-chains=true"]
restartPolicy: OnFailure
{
"port": 20250,
"evictionHard": {
"memory.available": "200Mi"
},
"kind": "KubeletConfiguration",
"makeIPTablesUtilChains": true,
"serializeImagePulls": false,
"address": "192.168.0.8",
"apiVersion": "kubelet.config.k8s.io/v1beta1"
}
apiVersion: v1
kind: Pod
metadata:
name: command-demo
labels:
purpose: demonstrate-command
spec:
containers:
- name: command-demo-container
image: foo/bar
command: ["kubelet"]
args: [""]
restartPolicy: OnFailure
Non-Compliant Code Examples
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
address: "192.168.0.8"
port: 20250
serializeImagePulls: false
evictionHard:
memory.available: "200Mi"
makeIPTablesUtilChains: false
{
"apiVersion": "kubelet.config.k8s.io/v1beta1",
"evictionHard": {
"memory.available": "200Mi"
},
"kind": "KubeletConfiguration",
"makeIPTablesUtilChains": false,
"port": 20250,
"serializeImagePulls": false,
"address": "192.168.0.8"
}
apiVersion: v1
kind: Pod
metadata:
name: command-demo
labels:
purpose: demonstrate-command
spec:
containers:
- name: command-demo-container
image: foo/bar
command: ["kubelet"]
args: ["--make-iptables-util-chains=false"]
restartPolicy: OnFailure
