Is netfilter isolation by namespace

I used to think netfilter at the node level, so iptables rule only for node, so istio maybe inject iptable rule with the pod ip on initContainer

but i research chaos-mesh recently, it broken this point, i try to use nsexec

i create a demo pod on node A and execute nsexec -n /proc/xxxxxx/ns/net -l iptables -L, iptable rules is different from node rules

when i try to add a output rule, it is work well, only for this pod

is netfilter isolation by namespace?

Solution

is netfilter isolation by namespace?

Can be done.

...a demo pod on node A and execute nsexec -n /proc/xxxxxx/ns/net -l iptables -L, iptable rules is different from node rules

What happens here is nsexec loads iptables from its own mount namespace and execute it in the pod isolated namespace. As you wished, the pod gets a different iptables rules.

How to access kind control plane port from another docker container?
Multi-Attach error for volume <pvcname> Volume is already exclusively attached to one node and can't be attached to another
How to use git-sync image as a sidecar in kubernetes that git pulls periodically
Manage resources generated by other resources
How to override default chart values in terraform using helm provider?
Minikube "icacls failed applying permissions "
Kubectl error : [memcache.go:265] couldn't get current server API group list
kubectl logs deploy/my-deployment does not show logs from all pods
Kubernetes worker node is NotReady due to CNI plugin not initialized
Couldn't proceed with upgrade process as new nodes are not joining node group standard-workers
Conflicting NetworkPolicies in kubernetes
Why does my GKE cluster not show any events?
Kubernetes NFS Persistent Volumes - multiple claims on same volume? Claim stuck in pending?
Encountering connection problems with PostgreSQL when using psycopg2 on a port that has been forwarded
The connection to the server localhost:8080 was refused
GKE gateway API: Control open ports on default firewall rule
How to use Kubernetes secret object stringData to store base64 encoded privateKey
K8s cluster deployment error: nc: bad address 'xx'
Ingress path redirection, helm chart
fluentd with OpenSearch - where does the @timestamp field come from?
How can I keep a container running on Kubernetes?
kubectl logs displays only 'API server listening at: [::]:40000' when remote debugging with dlv is enabled - How do I get my logs back?
failed calling webhook "vingress.elbv2.k8s.aws"
Kubernetes - Frontend pod can't reach backend pod
How to access Kubernetes API when using minkube?
What is Difference between KubernetesManifest@0 and KubernetesManifest@1 in Yaml pipeline?
kube-prometheus-stack issue scraping metrics
No stdout/stderror output or delayed when running Haskell application in Kubernetes
Is there an imperative command to create daemonsets in kubernetes?
Mongo DB deployment not working in kubernetes because processor doesn't have AVX support