I don't understand what "full k8s support" means, though. Do you want kubelet to write this rule? How would kubelet know what to write?
In a general sense, kubelet is becoming less directly involved in networking, and moving that to plugins. It seems plausible that a plugin might recognize an annotation for dscp class, and set that rule, but it also seems like a never-ending series of asks. Why not run a daemonset (one pod per node) that watches the API server for pods on that same node with your own annotation, and configures iptables rules. It's a little bit of a startup race, but c'est la vie. :)

On Fri, May 27, 2016 at 11:06 AM, Matt Hughes <[email protected]> wrote:
> Yes I could run in the host net namespace, but that leaves a bit to be
> desired. 1) I know I can't run two pods with the same ports on the same host.
> 2) I can see how my pod could create the iptables rules, but how do I clean
> the rules up prior to my pod being torn down?
>
> I'll try to restate my use case. Some of my applications need to mark their
> outgoing packets with DSCP markers. The iptables rule to do something like
> this would be:
>
> iptables -t mangle -A POSTROUTING -j DSCP --set-dscp-class CS2 -p tcp
> -dport 8080
>
> This would apply the CS2 DSCP class on all traffic coming from port 8080.
> Ideally, I'd want to lock that down even further to limit it to traffic
> coming from my pod's cluster IP. But I don't have access to that within my
> pod.
>
> Another use case for this feature would be simulating different network
> speeds. Half your pods get full bandwidth; the other half get throttled to
> 5% of the traffic. Perhaps not useful to everyone but a good example of
> what could be possible with full k8s support.
>
> On Friday, May 27, 2016 at 1:32:57 PM UTC-4, Tim Hockin wrote:
>>
>> It's not clear what you are asking for. If you just want to
>> add/remove iptables rules, you can run in the host net namespace and
>> do that (just like kube-proxy does). If you want us to add specific
>> hooks that you can attach to, I'd need to hear a lot more
>> justification - iptables rules have a cost, and not every installation
>> can use them...
>>
>> On Fri, May 27, 2016 at 9:14 AM, Matt Hughes <[email protected]> wrote:
>> > Is it possible or on the roadmap to have a pod drive the host's firewall
>> > settings? I'm talking here about stock k8s, not GCE.
>> >
>> > My particular use case is I have some pods that need to set DSCP markings
>> > (MANGLE table) on their outgoing traffic. Right now, my only solution is to
>> > modify iptables on every node in the cluster. I can limit by destination
>> > port and other settings but if I were running a truly open cluster, I really
>> > wouldn't want to do this. IMO, whether or not to apply those markings
>> > should really be driven by the POD/RCS/Deployment definition. Kubeproxy
>> > already owns so much of iptables manipulation; it could make very specific
>> > rules only marking traffic coming out of a particular pod IP and dynamically
>> > add/remove these rules when a pod is created/destroyed.
>> >
>> > --
>> > You received this message because you are subscribed to the Google Groups
>> > "Containers at Google" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an
>> > email to [email protected].
>> > To post to this group, send email to [email protected].
>> > Visit this group at https://groups.google.com/group/google-containers.
>> > For more options, visit https://groups.google.com/d/optout.
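The node-local daemonset approach Tim suggests, as an added example that is not code from this thread or from Kubernetes: it turns annotated pods on one node into per-pod mangle rules that match the pod IP as source (the lock-down Matt asked for) and removes rules once a pod is gone. The annotation keys are assumptions, the pod list is constructed inline in place of an API-server watch filtered on `spec.nodeName`, and commands are returned as argv lists rather than executed so it runs offline.

```python
import ipaddress
import re

DSCP_ANNOTATION = "example.com/dscp-class"  # assumed annotation key
PORT_ANNOTATION = "example.com/dscp-sport"  # assumed annotation key
# Only names the iptables DSCP target accepts; an untrusted annotation never reaches argv unchecked.
DSCP_CLASSES = {"BE", "EF", "CS1", "CS2", "CS3", "CS4", "CS5", "CS6", "CS7",
                "AF11", "AF12", "AF13", "AF21", "AF22", "AF23", "AF31", "AF32",
                "AF33", "AF41", "AF42", "AF43"}

def desired_rules(pods, node):
    """Return {(pod_ip, sport, dscp_class)} for annotated pods scheduled on node."""
    rules = set()
    for pod in pods:
        spec, ann = pod["spec"], pod["metadata"].get("annotations", {})
        # hostNetwork pods share the node IP, so a -s match would mark all node traffic.
        if spec.get("nodeName") != node or spec.get("hostNetwork"):
            continue
        dscp, port = ann.get(DSCP_ANNOTATION), ann.get(PORT_ANNOTATION, "")
        ip = pod.get("status", {}).get("podIP")
        if (not ip or dscp not in DSCP_CLASSES
                or not re.fullmatch(r"[1-9]\d{0,4}", port) or int(port) > 65535):
            continue  # no IP yet (pod still starting) or an invalid annotation
        ipaddress.ip_address(ip)  # raises on a malformed address
        rules.add((ip, port, dscp))
    return rules

def rule_argv(action, rule):
    """iptables argv for one rule; action is "-A" (append) or "-D" (delete)."""
    ip, port, dscp = rule
    return ["iptables", "-t", "mangle", action, "POSTROUTING", "-s", ip, "-p", "tcp",
            "--sport", port, "-j", "DSCP", "--set-dscp-class", dscp]

def reconcile(current, desired):
    """Diff installed rules against desired: delete rules of gone pods, then add new ones."""
    return ([rule_argv("-D", r) for r in sorted(current - desired)]
            + [rule_argv("-A", r) for r in sorted(desired - current)])

SAMPLE_PODS = [  # constructed sample of what a node-filtered watch would deliver
    {"metadata": {"name": "api-1", "annotations": {DSCP_ANNOTATION: "CS2", PORT_ANNOTATION: "8080"}},
     "spec": {"nodeName": "node-a"}, "status": {"podIP": "10.244.1.7"}},
    {"metadata": {"name": "bogus", "annotations": {DSCP_ANNOTATION: "not-a-class", PORT_ANNOTATION: "8080"}},
     "spec": {"nodeName": "node-a"}, "status": {"podIP": "10.244.1.8"}},
    {"metadata": {"name": "dns", "annotations": {DSCP_ANNOTATION: "EF", PORT_ANNOTATION: "53"}},
     "spec": {"nodeName": "node-b"}, "status": {"podIP": "10.244.2.3"}},
]
if __name__ == "__main__":
    stale = {("10.244.1.5", "8080", "CS2")}  # left behind by a pod already torn down
    for cmd in reconcile(stale, desired_rules(SAMPLE_PODS, "node-a")):
        print(" ".join(cmd))
```

A real agent would run the reconcile on every watch event and once more on startup, which is what closes the cleanup gap Matt raised; the startup race Tim mentions remains, since a pod can send traffic before its rule is installed.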
