docker - 调用iptables在docker中导致 “operation not supported”

Question

在pod中使用iptables时遇到错误:

root@chris-sshuttle-k8stest:~# iptables -t nat -nL
iptables: Operation not supported.

如果我直接使用docker运行镜像，尽管它可以正常运行:

docker run --cap-add=NET_ADMIN -it --rm chrissound/sshuttle-k8stest:v2 /bin/bash
root@e857b0d4152a:/# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
...

另外capsh --print的输出是:

root@chris-sshuttle-k8stest:~# capsh --print
Current: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read+eip
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=

哪有net_admin:

root@chris-sshuttle-k8stest:~# capsh --print | grep net_admin
Current: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read+eip
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read

pod.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: chris-sshuttle-k8stest
  labels:
    name: chris-sshuttle-k8stest 
spec:
  containers:
  - name: sshuttle
    image: chrissound/sshuttle-k8stest:v2
    command: ["sleep", "10000000"]
    securityContext:
      privileged: true
      capabilities:
        add: ["NET_ADMIN","NET_RAW"]

额外的调试:

SSH到k8s节点并检查docker容器，一切似乎都是正确的:

$ docker inspect 6f96802d7e13 | grep -B 4 -A 4 NET_AD
            "AutoRemove": false,
            "VolumeDriver": "",
            "VolumesFrom": null,
            "CapAdd": [
                "NET_ADMIN",
                "NET_RAW"
            ],
            "CapDrop": null,
            "Dns": null,

Answer 1

我试图重现与您完全相同的问题，试图在kubernetes中启用iptables，但未成功-我无法收到iptables: Operation not supported.错误，并且几乎没有类似问题。

但是，在这个示例中，我设法使用different docker image使iptables工作:vimagick/iptables。

使用此图像，您只需要在容器内传递要执行的命令即可。

apiVersion: v1
kind: Pod
metadata:
 name: iptables-pod
spec:
 containers:
   - name: pod
     image: vimagick/iptables
     command:
       - /bin/sh
       - -c
       - iptables -t nat -nL
     securityContext:
       capabilities:
         add: ["NET_ADMIN"]

该Pod在应用后将其状态更改为Completed，因为它仅执行iptables -t nat -nL命令，但是您可以通过检查pod的日志来检查其是否有效:

kubectl logs iptables-pod

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

我还设法通过使用简单的Ubuntu图像并安装iptables包使其工作。