如何在k8s容器中禁止网络?
[英]how to ban network in k8s container?
问题描述
how to ban network in k8s container? 
如何在k8s容器中禁止网络?
I used k8s to exec some third-party code, and it may be unsecure. 我使用k8s执行一些第三方代码,它可能是不安全的。
So I use two container(A and B) in one pod, A to get code and pass to B container, B to exec it. 因此,我在一个容器中使用了两个容器(A和B),A来获取代码并传递给B容器,B来执行它。
To protect our network, I'd like to disable B's network. 为了保护我们的网络,我想禁用B的网络。 But I didn't find any method work. 但是我没有找到任何有效的方法。
Methods I have tried: 我尝试过的方法:
ifconfig eth0 down, ifdown eth0
ifconfig eth0向下,ifdown eth0 iptables -P INPUT DROP, iptables -P OUTPUT DROP
iptables -P INPUT DROP,iptables -P OUTPUT DROP
Is there any other methods? 还有其他方法吗?
UPDATE: finally, I use iptable to disable network of a user, then switch to the user in container B to execute the code. 更新:最后,我使用iptable禁用用户的网络,然后切换到容器B中的用户以执行代码。
Notice: As the network namespace of the two container is the same, iptable rules will take effect in the two container. 注意:由于两个容器的网络名称空间相同,因此iptable规则将在两个容器中生效。
2 个解决方案
解决方案1
1 2018-08-24 12:12:40
Better not touch the Iptable rules which may cause network connectivity issues in K8s. 最好不要触摸可能会导致K8s网络连接问题的Iptable规则。 Try Network Policy in K8s to isolate the pod, kind of disabling network for pods. 尝试在K8s中使用网络策略来隔离Pod,这是对Pod禁用的网络。 It is like disabling the network for container in docker 就像在docker中禁用容器的网络一样
UPDATE UPDATE
Also I understood that the pod contains 2 containers(A&B). 我也知道豆荚包含2个容器(A&B)。 I think, it not possible to disable networking only for container B in that pod. 我认为,不可能仅禁用该容器中容器B联网。
解决方案2
0 2018-08-24 16:06:17
https://cilium.io/ Check this project, it allows you to do things like you mention. https://cilium.io/选中此项目,它可以使您执行提及的操作。 It allows you to define application-layer and network-layer policies based on the container/pod identity. 它允许您基于容器/容器标识定义应用程序层和网络层策略。 The demo that is on their page does exactly what your trying to do. 他们页面上的演示完全可以完成您的尝试。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.