
According to the docker docs (emphasis mine):

On Linux, Docker manipulates iptables rules to provide network isolation. While this is an implementation detail (...) you should not modify the rules Docker inserts into your iptables policies ...

and

It is possible to set the iptables key to false in the Docker engine’s configuration file at /etc/docker/daemon.json, but this option is not appropriate for most users. It is not possible to completely prevent Docker from creating iptables rules, and creating them after-the-fact is extremely involved and beyond the scope of these instructions. Setting iptables to false will more than likely break container networking for the Docker engine.

The docs do make it rather clear that you shouldn't mess with these options, but they don't give any further information. So, the question is: what exactly are the problems of disabling the iptables manipulation by Docker? How will that affect running:

I am assuming that container internet connectivity will be handled by setting up NAT rules for docker0 manually, as described e.g. here.

pmav99
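As an added illustration (not part of the question, not from Docker's docs and not from the linked blog post), this script prints the `daemon.json` fragment that turns off Docker's rule management together with the minimal NAT and forwarding rules a host then has to carry for the default bridge itself. The bridge name `docker0` and the subnet `172.17.0.0/16` are assumptions (Docker's defaults); check the real values with `docker network inspect bridge`. The script only prints the rules; applying them is a deliberate, root-only step.

```shell
#!/bin/sh
# Added example: manual docker0 NAT/forward rules for a host that sets
# "iptables": false in /etc/docker/daemon.json. Bridge and subnet are
# assumptions (Docker defaults); override via environment if yours differ.
BRIDGE="${BRIDGE:-docker0}"
SUBNET="${SUBNET:-172.17.0.0/16}"

# Fragment for /etc/docker/daemon.json that stops Docker from inserting rules.
daemon_json() {
    printf '{\n  "iptables": false\n}\n'
}

# Emit (do not apply) the rule set:
#  - masquerade traffic leaving the bridge subnet towards any other interface
#  - allow forwarding from the bridge outward and between containers
#  - allow only reply traffic back into the bridge, so the FORWARD chain
#    can keep a DROP policy without cutting containers off
docker0_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -s $SUBNET ! -o $BRIDGE -j MASQUERADE
iptables -A FORWARD -i $BRIDGE ! -o $BRIDGE -j ACCEPT
iptables -A FORWARD -i $BRIDGE -o $BRIDGE -j ACCEPT
iptables -A FORWARD -o $BRIDGE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Number of iptables commands the rule set contains (handy for a sanity check).
rule_count() {
    docker0_rules | grep -c '^iptables '
}

# Dry run by default: show what would be configured.
echo "# /etc/docker/daemon.json"
daemon_json
echo "# rules to apply as root, e.g.: sh -c \"\$(./docker0-rules.sh | sed -n '/^iptables/p')\""
docker0_rules
```

Note what this does not cover: published ports (`-p`) and per-network isolation are exactly the parts Docker normally wires up in its own chains, which is why the docs call re-creating everything after the fact "extremely involved".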
  • In my opinion [here](https://stackoverflow.com/a/40795151/14801225) you can find good explanation. Does it answer your question ? – matt_j Mar 11 '21 at 19:41
  • Thank you @matt_j, nevertheless I think that "setting up internet connectivity for your containers" is possible if you set up NAT for `docker0` manually too. E.g. as described [here](https://blog.daknob.net/debian-firewall-docker/) (check the "update"). But you are right, I should mention that in the question. I will edit it. – pmav99 Mar 11 '21 at 20:52

1 Answer

I decided to answer part of the question related to Kubernetes.
Typical Kubernetes network setup relies on third-party tools (CNI plugins) that comply with the Container Network Interface Specification. You can find different Kubernetes networking options in the Kubernetes networking model documentation.

Kubernetes has its own set of iptables rules managed by kube-proxy to do all kinds of filtering and NAT between pods and services. The most important chains are KUBE-SERVICES, KUBE-SVC-* and KUBE-SEP-* (see: Kubernetes networking basics).

It's also important to know that Kubernetes doesn't need to use the Docker default bridge (docker0), as it uses CNI for network setup. Each Kubernetes CNI plugin works in a slightly different way, so it's better to check the detailed concepts in their official documentation.

matt_j
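To make the "two owners, two sets of chains" point concrete, here is an added example (not part of the answer and not from Kubernetes or Docker) that classifies every chain in `iptables-save` output by who manages it. The `KUBE-*` prefixes come from the answer; `DOCKER`, `DOCKER-USER`, `DOCKER-ISOLATION-STAGE-1` and `KUBE-FORWARD` are standard chain names that the page itself does not list. The embedded `iptables-save` text is constructed so the script runs offline; on a node, pipe the real output in instead.

```shell
#!/bin/sh
# Added example: classify iptables chains by owner (docker / kube-proxy /
# other) from iptables-save output. Chain names in the sample are constructed.

# Reads iptables-save text on stdin, prints "owner<TAB>table<TAB>chain" lines.
classify_chains() {
    awk '
        /^\*/ { table = substr($0, 2); next }   # "*nat", "*filter": table header
        /^:/  {                                  # ":NAME POLICY [pkts:bytes]": chain
            name = substr($1, 2)
            owner = "other"
            if (name ~ /^KUBE-/)       owner = "kube-proxy"
            else if (name ~ /^DOCKER/) owner = "docker"
            printf "%s\t%s\t%s\n", owner, table, name
        }
    '
}

# Aggregates to "owner count" lines, one per owner, sorted by owner.
count_by_owner() {
    classify_chains | cut -f1 | sort | uniq -c | awk '{ print $2, $1 }'
}

# Constructed sample: a node where Docker and kube-proxy both manage chains.
SAMPLE_IPTABLES_SAVE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-SVC-EXAMPLESVC000000 - [0:0]
:KUBE-SEP-EXAMPLESEP000000 - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A PREROUTING -j KUBE-SERVICES
COMMIT
*filter
:FORWARD DROP [0:0]
:DOCKER-USER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:KUBE-FORWARD - [0:0]
COMMIT'

# Chain count for one owner ("docker", "kube-proxy", "other") in the sample.
sample_count() {
    printf '%s\n' "$SAMPLE_IPTABLES_SAVE" | count_by_owner \
        | awk -v o="$1" '$1 == o { print $2 }'
}

# Demo on the constructed sample; on a real host: iptables-save | classify_chains
printf '%s\n' "$SAMPLE_IPTABLES_SAVE" | classify_chains
```

Running this periodically and diffing the result is a cheap way to notice when a rule set that should belong to one component starts being edited by something else, which is the situation both the Docker docs and kube-proxy's design expect you to avoid.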