iptables-init

command
v0.5.2

Warning: This package is not in the latest version of its module.
Published: May 2, 2026 License: Apache-2.0 Imports: 7 Imported by: 0

Documentation

Overview

Command iptables-init installs per-pod NAT rules that redirect outbound TCP traffic on ports 80 and 443 to the paddock-proxy sidecar listening on :15001 (transparent mode, ADR-0013 §7.2).

Runs as a regular (not native) init container with CAP_NET_ADMIN. Exits 0 once the rules are installed (idempotent) — the kubelet then drops NET_ADMIN and starts the rest of the pod. The rules survive for the life of the pod netns.

Exclusions:

  • Traffic owned by any UID in --bypass-uids is RETURN'd. The list must include the proxy UID (1337) plus any sidecar that sends egress the proxy should not intercept: adapter (1338), collector (1339). F-20 / Phase 2h Theme 4.
  • Loopback (127.0.0.0/8) is RETURN'd so the proxy can talk to its own probes / loopback services without looping.
  • RFC1918 + CGNAT RETURN rules were removed in Phase 2h Theme 4 (F-20): agent-originated traffic to in-cluster destinations (broker ClusterIP, kube-apiserver, co-tenant Pod IPs) now gets REDIRECTed to the proxy and enforced via BrokerPolicy.
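The resulting rule set and the idempotent install loop, as an added Go example that is not the command's own code: the proxy port, dports and bypass UIDs are the values from the overview above, while writing straight into the nat OUTPUT chain, the multiport match and the injectable `run` callback are this example's assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Rule is one iptables invocation as argv (no shell, so no quoting pitfalls).
type Rule []string
func natRule(spec ...string) Rule { return append(Rule{"-t", "nat", "-A", "OUTPUT"}, spec...) }

// RuleSet returns the rules in evaluation order: exclusions first, REDIRECT last.
// Hypothetical generator; flag choices are this example's own, not the command's.
func RuleSet(proxyPort int, ports []int, bypassUIDs []int) []Rule {
	var rules []Rule
	// 1. Skip traffic owned by the proxy and any sidecar that must bypass it; without
	//    the proxy's own UID here its egress would be redirected back to itself.
	for _, uid := range bypassUIDs {
		rules = append(rules, natRule("-m", "owner", "--uid-owner", strconv.Itoa(uid), "-j", "RETURN"))
	}
	// 2. Loopback is never proxied (health probes, loopback services).
	rules = append(rules, natRule("-d", "127.0.0.0/8", "-j", "RETURN"))
	// 3. Everything else on the listed TCP ports goes to the proxy. Deliberately no
	//    RFC1918/CGNAT RETURN: in-cluster destinations are redirected and policed too.
	ps := make([]string, len(ports))
	for i, p := range ports { ps[i] = strconv.Itoa(p) }
	rules = append(rules, natRule("-p", "tcp", "-m", "multiport", "--dports", strings.Join(ps, ","),
		"-j", "REDIRECT", "--to-ports", strconv.Itoa(proxyPort)))
	return rules
}

// Install appends a rule only when "iptables -C" reports it absent, so a re-run
// leaves exactly one copy of each rule. run executes iptables with argv and returns
// an error on non-zero exit; tests can inject a fake instead of exec'ing the binary.
func Install(run func(argv []string) error, rules []Rule) (added int, err error) {
	for _, r := range rules {
		check := append(Rule{}, r...)
		check[2] = "-C" // same match spec, check instead of append
		if run(check) == nil {
			continue // already present
		}
		if e := run(r); e != nil {
			return added, fmt.Errorf("iptables %s: %w", strings.Join(r, " "), e)
		}
		added++
	}
	return added, nil
}
```

Wire `run` to `exec.Command("iptables", argv...).Run()` in the real init container; the RETURN rules must precede the REDIRECT, which is why RuleSet fixes the order.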
