I have two pods running on Kubernetes. To simplify, let's call them A and B. A is an application which makes HTTP requests. B is a proxy running in transparent mode. The question is: how should I alter the iptables rules so that the traffic coming out of A goes through the B pod?

    NAME                  TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                         AGE
    A (application)       NodePort    10.109.208.35    <none>        8090:31000/TCP                  3d6h
    B (transparent proxy) NodePort    10.98.102.253    <none>        8080:32226/TCP                  3h33m

I have tried the following but it doesn't work. Can someone help me to sort it out?

    sudo iptables -t nat -D PREROUTING -p tcp --dport 31000 -j REDIRECT --to 32226
uiguyf ufdiutd

1 Answer

You can achieve such a behavior by using a service mesh such as Linkerd or Istio and using egress capabilities.

Also, I am pretty sure that it's not a good idea to alter the iptables rules, because of the following: 1. the iptables rules are auto-provisioned by Kubernetes and have a complex model; 2. once the cluster is rebooted, the rules you set in iptables can be lost and you won't know what you did.

Another solution, rather than using a service mesh is to use a sidecar proxy such as Envoy. Anyway, you should make this kind of coupling explicit for the rest of the team who is working with you on this. Otherwise, someone will troubleshoot why the traffic from A goes through B. It's not a pattern that I've seen before and for me it seems to be more like an antipattern.

Dina Bogdan
Thank you @Dina Bogdan for your very detailed answer and your expertise. Is there a way to create iptables rules inside a single pod? The thing I am struggling with is that I have lots of microservices and I need to authenticate the HTTP requests coming out of them. Since I cannot alter their code directly, I need to somehow alter the traffic to add an authentication token to the HTTP request header; that's why I am using a transparent proxy to intercept that traffic. And I just don't know how to force my traffic to go through the proxy. – uiguyf ufdiutd Apr 27 '20 at 18:21
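As an added example (not part of the question or the answer above), this is the sidecar pattern the answer points to, applied to the comment's question of rules "inside a single pod": A and B run in one pod, and an init container installs the REDIRECT rules in the pod's own network namespace instead of on the node, so nothing Kubernetes provisions is touched and nothing is lost on a node reboot. The pod name, image names and the proxy UID are assumptions; port 8080 is B's port from the question, and the owner-match RETURN is what keeps the proxy's own outbound connections from being redirected back into itself.

```yaml
# Added example: application (A) plus transparent proxy (B) in one pod.
# Image names, the pod name and the UID 1337 are assumptions.
apiVersion: v1
kind: Pod
metadata:
  name: app-with-proxy
spec:
  initContainers:
  - name: proxy-init
    image: example.invalid/iptables-init:latest   # assumed image that ships iptables
    securityContext:
      capabilities:
        add: ["NET_ADMIN"]      # only the init container needs this; the app and proxy do not
    command:
    - /bin/sh
    - -c
    - |
      set -e
      PROXY_PORT=8080           # port B listens on (from the question)
      PROXY_UID=1337            # UID the proxy container runs as (assumed)
      iptables -t nat -N PROXY_OUT
      # Connections opened by the proxy itself must bypass the redirect, or they loop.
      iptables -t nat -A PROXY_OUT -m owner --uid-owner "$PROXY_UID" -j RETURN
      # Leave loopback traffic alone (health checks, local IPC).
      iptables -t nat -A PROXY_OUT -o lo -j RETURN
      # Every other outbound TCP connection from this pod lands on the proxy.
      iptables -t nat -A PROXY_OUT -p tcp -j REDIRECT --to-ports "$PROXY_PORT"
      # Hook the chain into locally generated traffic only (OUTPUT, not PREROUTING).
      iptables -t nat -A OUTPUT -p tcp -j PROXY_OUT
  containers:
  - name: app
    image: example.invalid/app-a:latest
    ports:
    - containerPort: 8090
  - name: transparent-proxy
    image: example.invalid/proxy-b:latest
    securityContext:
      runAsUser: 1337           # must match PROXY_UID above
    ports:
    - containerPort: 8080
```

To confirm traffic is actually being diverted, run `iptables -t nat -L PROXY_OUT -n -v` from a shell in the pod and watch the packet counters on the REDIRECT rule while A makes a request; if the app speaks HTTPS rather than plain HTTP, the proxy cannot add a header without terminating TLS, so this only works for the cleartext case the question describes.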