在pod中使用iptables
时遇到错误:
root@chris-sshuttle-k8stest:~# iptables -t nat -nL
iptables: Operation not supported.
如果我直接使用docker运行镜像,尽管它可以正常运行:
docker run --cap-add=NET_ADMIN -it --rm chrissound/sshuttle-k8stest:v2 /bin/bash
root@e857b0d4152a:/# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
...
另外
capsh --print
的输出是:root@chris-sshuttle-k8stest:~# capsh --print
Current: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read+eip
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=
哪有
net_admin
:root@chris-sshuttle-k8stest:~# capsh --print | grep net_admin
Current: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read+eip
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read
pod.yaml:
apiVersion: v1
kind: Pod
metadata:
name: chris-sshuttle-k8stest
labels:
name: chris-sshuttle-k8stest
spec:
containers:
- name: sshuttle
image: chrissound/sshuttle-k8stest:v2
command: ["sleep", "10000000"]
securityContext:
privileged: true
capabilities:
add: ["NET_ADMIN","NET_RAW"]
额外的调试:
SSH到k8s节点并检查docker容器,一切似乎都是正确的:
$ docker inspect 6f96802d7e13 | grep -B 4 -A 4 NET_AD
"AutoRemove": false,
"VolumeDriver": "",
"VolumesFrom": null,
"CapAdd": [
"NET_ADMIN",
"NET_RAW"
],
"CapDrop": null,
"Dns": null,
最佳答案
我试图重现与您完全相同的问题,试图在kubernetes中启用iptables
,但未成功-我无法收到iptables: Operation not supported.
错误,并且几乎没有类似问题。
但是,在这个示例中,我设法使用different docker image使iptables工作:vimagick/iptables
。
使用此图像,您只需要在容器内传递要执行的命令即可。
apiVersion: v1
kind: Pod
metadata:
name: iptables-pod
spec:
containers:
- name: pod
image: vimagick/iptables
command:
- /bin/sh
- -c
- iptables -t nat -nL
securityContext:
capabilities:
add: ["NET_ADMIN"]
该Pod在应用后将其状态更改为
Completed
,因为它仅执行iptables -t nat -nL
命令,但是您可以通过检查pod的日志来检查其是否有效:kubectl logs iptables-pod
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
我还设法通过使用简单的
Ubuntu
图像并安装iptables包使其工作。
关于docker - 调用iptables在docker中导致 “operation not supported”,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/60529231/