Vulnerability: Don't add generic ACCEPT rules to the filter chain #112
Conversation
|
thanks for raising this @SerialVelocity. This point of view sounds totally reasonable to me. This was introduced to mirror the behavior of Flannel (https://github.com/coreos/flannel/blob/a20edd2cc99b5dbcc2e9b612e8b263b4be92e868/network/iptables.go#L83-L84). I wonder if it's worth raising an issue there as well. |
|
This was originally added to Flannel because of the docker change that broke users so to try and keep backwards compatibility, they decided to add those rules. Flannel actually added a flag to disable this feature because it broke another set of people: Since Kilo doesn't need to be backwards compatible with Docker 1.13, I would suggest having users add these rules themselves if they need it and not touch the filter FORWARD chain as you currently don't add any rules there (especially since Docker is deprecated in Kubernetes). |
|
ACK thanks for the context, I wasn't aware of the Docker deal |
|
🎉 thanks @SerialVelocity for bringing this to light! 🌮 |
#106 added these rules under the assumption that Kilo should automatically allow traffic going from/to the pods.
What this actually did was break all firewalls that are "accept explicit, drop implicit" style and allow all traffic through the firewall.
If a user has configured their firewall to be drop by default, they should add rules like these manually if they want to allow all traffic.
This also breaks network policy controllers that are written/configured this way.