Can Cilium Network Policy be leveraged to blacklist troublesome hosts

January 14, 2020
Networking Kubernetes

I have been developing a web app living in DO’s managed Kubernetes, and am researching the best way to blacklist Internet-ingressed hosts that are an issue. For example, I flag a host as making too many bad authentication attempts. In a VPS-hosted environment I would typically do something like run a fail2ban service and let iptables block the hosts based on the fail2ban policies I enable.

In my Kubernetes environment, I have proxy protocol working well, so I can identify hosts that are an issue. What is the best way to actually block those hosts? Is this something I can leverage Cilium Network Policies for, or is there a way to interface with the host system’s iptables?

I am looking for a way I can dynamically (i.e. without a pod/svc restart) block or permit certain hosts at the network layer.

Any help is appreciated,
Thanks

1 Answer

Hi there,

You could certainly use NetworkPolicy objects to enforce rules like the ones you described. Another option would be to use a single LB for an ingress controller and then police the traffic at that point. For example, you can whitelist a source range for the nginx ingress controller: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#whitelist-source-range
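Both options from the answer, written out as an added example (this is not code from the question, the answer, or the Cilium or ingress-nginx projects). Pod labels, names, namespace, port and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed placeholders standing in for flagged hosts. Two points a practitioner should check before relying on either: a NetworkPolicy is an allow-list, so "blocking" a host means allowing everything except it, and because the policy matches the L3 source address of the packet, it only sees the real client where that address is preserved to the pod. The question says proxy protocol was needed to identify clients, which means the packets themselves arrive from the load balancer, so in that setup the L7 annotation (which reads the client address from the PROXY header when `use-proxy-protocol` is enabled in the controller ConfigMap) is the one that matches the offending client. Either object can be re-applied with a changed address list at any time without restarting pods or services.

```yaml
# Option 1: Kubernetes NetworkPolicy (enforced by Cilium). Admits all sources
# to the web pods except the listed CIDRs. Re-applying this object with an
# updated "except:" list takes effect without a pod restart.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-deny-flagged-sources   # constructed name
  namespace: default               # assumption
spec:
  podSelector:
    matchLabels:
      app: web                     # assumption: label carried by the web app pods
  policyTypes:
    - Ingress
  ingress:
    - from:
        - ipBlock:
            cidr: 0.0.0.0/0        # allow everyone ...
            except:
              - 203.0.113.7/32     # ... except this flagged host (constructed)
              - 198.51.100.0/24    # ... and this flagged range (constructed)
      ports:
        - protocol: TCP
          port: 8080               # assumption: the container port of the web app
---
# Option 2: the ingress-nginx annotation linked in the answer. This is an
# allow-list of client CIDRs; requests from any other client address are
# answered with HTTP 403 by the controller, before they reach the pod.
apiVersion: networking.k8s.io/v1beta1   # Ingress API version in use in early 2020
kind: Ingress
metadata:
  name: web                        # constructed name
  namespace: default               # assumption
  annotations:
    # Comma-separated CIDRs that may reach this Ingress (constructed values).
    nginx.ingress.kubernetes.io/whitelist-source-range: "203.0.113.0/24,198.51.100.10/32"
spec:
  rules:
    - host: example.com            # placeholder hostname
      http:
        paths:
          - path: /
            backend:
              serviceName: web     # assumption: the Service fronting the web pods
              servicePort: 80
```

Apply either manifest with `kubectl apply -f`, and update the address lists the same way; both are ordinary API objects, so the change is picked up by Cilium or the ingress controller without touching the running workload, which is the dynamic behaviour the question asks for.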
