Kubelet not managing IP tables
Id: 5f89001f-6dd9-49ff-9b15-d8cd71b617f4
Cloud Provider: Kubernetes
Platform: Kubernetes
Severity: Medium
Category: Networking and Firewall
Description
The kubelet argument --make-iptables-util-chains should be set to true. This policy identifies kubelet invocations that explicitly include --make-iptables-util-chains=false (for example in initContainers or containers command arrays) or KubeletConfiguration resources where makeIPTablesUtilChains is set to false. Disabling this option prevents the kubelet from creating required iptables utility chains, which can disrupt network routing and kube-proxy behavior.
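The two patterns the policy describes (a kubelet command line carrying --make-iptables-util-chains=false, and a KubeletConfiguration with makeIPTablesUtilChains: false) can be checked mechanically. The script below is an added example, not Datadog's rule implementation; it works on manifests that have already been parsed into dictionaries (by json.load or any YAML loader) so that it needs only the standard library, and the sample manifests embedded in it are constructed to mirror the examples on this page. It scans both the command and args arrays of every container and initContainer, and it follows the flag semantics of Go's pflag package that kubelet uses: a bare --make-iptables-util-chains means true, --make-iptables-util-chains=false means false, and a later occurrence overrides an earlier one.

```python
"""Flag kubelet manifests that disable iptables utility chains.

Added example, not Datadog's own rule code. Input is a parsed manifest
(dict); sample inputs below are constructed for illustration.
"""
import json

FLAG = "--make-iptables-util-chains"
CONFIG_KEY = "makeIPTablesUtilChains"
_TRUE = {"1", "t", "true"}
_FALSE = {"0", "f", "false"}


def flag_value(argv):
    """Effective value of --make-iptables-util-chains in a kubelet argv.

    Returns True/False, or None when the flag is absent (kubelet then uses
    its default of true). pflag bool rules: '--flag' alone is true,
    '--flag=value' is parsed like strconv.ParseBool, and a separate 'false'
    token is a positional argument, not a flag value, so it is ignored here.
    The last occurrence wins, as it does for pflag.
    """
    value = None
    for tok in argv:
        if tok == FLAG:
            value = True
        elif tok.startswith(FLAG + "="):
            raw = tok[len(FLAG) + 1:].strip().lower()
            if raw in _TRUE:
                value = True
            elif raw in _FALSE:
                value = False
            else:
                raise ValueError(f"invalid boolean value for {FLAG}: {raw!r}")
    return value


def _is_kubelet(argv):
    # Accept "kubelet" or any path ending in /kubelet.
    return bool(argv) and argv[0].rsplit("/", 1)[-1] == "kubelet"


def pod_findings(pod):
    """Return a list of findings for kubelet containers in a Pod manifest."""
    findings = []
    spec = pod.get("spec", {})
    for section in ("initContainers", "containers"):
        for container in spec.get(section, []):
            # The flag may sit in either array, so inspect them together.
            argv = list(container.get("command", [])) + list(container.get("args", []))
            if _is_kubelet(argv) and flag_value(argv) is False:
                name = container.get("name", "<unnamed>")
                findings.append(f"{section}[{name}]: {FLAG}=false")
    return findings


def kubelet_config_findings(doc):
    """Return a finding when a KubeletConfiguration sets the key to false."""
    if doc.get("kind") == "KubeletConfiguration" and doc.get(CONFIG_KEY) is False:
        return [f"KubeletConfiguration: {CONFIG_KEY}: false"]
    return []


def findings(doc):
    """Dispatch on the manifest kind; unknown kinds produce no findings."""
    if doc.get("kind") == "Pod":
        return pod_findings(doc)
    return kubelet_config_findings(doc)


def _pod(args):
    # Constructed Pod manifest shaped like the examples on this page.
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": "command-demo"},
        "spec": {
            "containers": [
                {"name": "command-demo-container", "image": "foo/bar",
                 "command": ["kubelet"], "args": args}
            ],
            "restartPolicy": "OnFailure",
        },
    }


NONCOMPLIANT_POD = _pod([f"{FLAG}=false"])
COMPLIANT_POD = _pod([f"{FLAG}=true"])
DEFAULT_POD = _pod([])  # flag absent: kubelet default (true) applies

# Constructed KubeletConfiguration documents, parsed from JSON as a file would be.
NONCOMPLIANT_CONFIG = json.loads(
    '{"apiVersion": "kubelet.config.k8s.io/v1beta1", "kind": "KubeletConfiguration",'
    ' "port": 20250, "makeIPTablesUtilChains": false}'
)
COMPLIANT_CONFIG = json.loads(
    '{"apiVersion": "kubelet.config.k8s.io/v1beta1", "kind": "KubeletConfiguration",'
    ' "port": 20250, "makeIPTablesUtilChains": true}'
)

if __name__ == "__main__":
    for label, doc in [("pod", NONCOMPLIANT_POD), ("pod", COMPLIANT_POD),
                       ("config", NONCOMPLIANT_CONFIG), ("config", COMPLIANT_CONFIG)]:
        print(label, findings(doc) or "compliant")
```

A pod whose kubelet arguments omit the flag entirely is reported as compliant because the kubelet default is true; only an explicit false is flagged, which matches the policy text above.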
Compliant Code Examples
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
    - name: command-demo-container
      image: foo/bar
      command: ["kubelet"]
      args: ["--make-iptables-util-chains=true"]
  restartPolicy: OnFailure
```
```json
{
  "port": 20250,
  "evictionHard": {
    "memory.available": "200Mi"
  },
  "kind": "KubeletConfiguration",
  "makeIPTablesUtilChains": true,
  "serializeImagePulls": false,
  "address": "192.168.0.8",
  "apiVersion": "kubelet.config.k8s.io/v1beta1"
}
```
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
    - name: command-demo-container
      image: foo/bar
      command: ["kubelet"]
      args: [""]
  restartPolicy: OnFailure
```
Non-Compliant Code Examples
```yaml
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
address: "192.168.0.8"
port: 20250
serializeImagePulls: false
evictionHard:
  memory.available: "200Mi"
makeIPTablesUtilChains: false
```
```json
{
  "apiVersion": "kubelet.config.k8s.io/v1beta1",
  "evictionHard": {
    "memory.available": "200Mi"
  },
  "kind": "KubeletConfiguration",
  "makeIPTablesUtilChains": false,
  "port": 20250,
  "serializeImagePulls": false,
  "address": "192.168.0.8"
}
```
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
    - name: command-demo-container
      image: foo/bar
      command: ["kubelet"]
      args: ["--make-iptables-util-chains=false"]
  restartPolicy: OnFailure
```