authorIanB <IanB@amdocs.com>2018-10-29 15:05:30 +0000
committerIanB <IanB@amdocs.com>2018-10-29 15:31:48 +0000
commit125257739ceda7d01be1d6fa4b56bf4764c9ef9f (patch)
treeb96cc68ffba4c6c72adbffea0d868e1cbbe6a339
parent16b2d4d78ac172b01e5e68d088390136b572d09e (diff)
Route Incoming TCP Traffic Via the Reverse Proxy
By default any container is accessible from any pod inside a Kubernetes cluster. It is therefore possible to send requests directly to the primary microservice even if sidecar security is enabled. An additional netfilter rule will redirect any incoming TCP requests to the Reverse Proxy. The Reverse Proxy service listens on the hard-coded port (10692). Issue-ID: AAF-591 Change-Id: I9afccadb08add4312cef770221702942d811cbdd Signed-off-by: IanB <IanB@amdocs.com>
-rw-r--r--sidecar/tproxy-config/src/main/bin/start.sh2
1 files changed, 2 insertions, 0 deletions
diff --git a/sidecar/tproxy-config/src/main/bin/start.sh b/sidecar/tproxy-config/src/main/bin/start.sh
index 758a910..054be93 100644
--- a/sidecar/tproxy-config/src/main/bin/start.sh
+++ b/sidecar/tproxy-config/src/main/bin/start.sh
@@ -22,6 +22,8 @@
set -x
set -eo pipefail
+iptables -t nat -A PREROUTING -p tcp -j REDIRECT --to-port 10692
+
iptables -t nat -A OUTPUT -p tcp -j ACCEPT -s 127.0.0.1 --dport 61647
iptables -t nat -A OUTPUT -p tcp -j ACCEPT --dport 9042
iptables -t nat -A OUTPUT -p tcp -j ACCEPT --dport 9160