Chris Stryczynski

Reputation: 34011

Invoking iptables results in "operation not supported" in docker

I'm running into an error when using iptables within a pod:

root@chris-sshuttle-k8stest:~# iptables -t nat -nL
iptables: Operation not supported.

If I run the image directly with docker though it works correctly:

docker run --cap-add=NET_ADMIN -it --rm chrissound/sshuttle-k8stest:v2 /bin/bash
root@e857b0d4152a:/# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
...

In addition the output of capsh --print is:

root@chris-sshuttle-k8stest:~# capsh --print
Current: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read+eip
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=

Which does have net_admin:

root@chris-sshuttle-k8stest:~# capsh --print | grep net_admin
Current: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read+eip
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read

pod.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: chris-sshuttle-k8stest
  labels:
    name: chris-sshuttle-k8stest 
spec:
  containers:
  - name: sshuttle
    image: chrissound/sshuttle-k8stest:v2
    command: ["sleep", "10000000"]
    securityContext:
      privileged: true
      capabilities:
        add: ["NET_ADMIN","NET_RAW"]

Extra debugging:

SSHing to the k8s node and inspecting the docker container everything seems to be correct:

$ docker inspect 6f96802d7e13 | grep -B 4 -A 4 NET_AD
            "AutoRemove": false,
            "VolumeDriver": "",
            "VolumesFrom": null,
            "CapAdd": [
                "NET_ADMIN",
                "NET_RAW"
            ],
            "CapDrop": null,
            "Dns": null,

Upvotes: 1

Views: 2847

Answers (2)

Chris Stryczynski

Reputation: 34011

Seems the error is to do with iptables. Big thanks to @KFC_ for investigating this.

Strangely, when I ran it again from the python:3.7-slim image after installing iptables, I get extra output:

# iptables -t nat -nL
# Warning: iptables-legacy tables present, use iptables-legacy to see them
iptables: Operation not supported.

Found the solution here: https://github.com/docker/libnetwork/issues/2331

update-alternatives --set iptables /usr/sbin/iptables-legacy

Upvotes: 5
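The fix in the answer above boils down to "the image's iptables is the nf_tables frontend, the kernel it lands on will not talk to it, so point the alternative at the legacy xtables binary". The script below is an added example, not code from the question or either answer, that makes that decision explicit: it classifies the backend from the `iptables --version` line, recognises the two symptom strings shown in the answer in the output of a probe, and only changes the `update-alternatives` selection when invoked with `--apply`. Handling ip6tables alongside iptables is my assumption; the answer only mentions iptables.

```shell
#!/bin/sh
# Added example (not from the original question or answers): detect which
# iptables backend an image ships and, on request, switch it to the legacy
# backend as the accepted answer does. The classifier and symptom check are
# pure string functions so they can be exercised offline with constructed
# input; nothing touches a live firewall unless --apply is given.

# Classify one `iptables --version` line. iptables >= 1.8 prints the backend
# in parentheses; older releases print no backend and are legacy-only.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        "iptables v"*)   echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Return 0 when the output of a probe such as `iptables -t nat -nL 2>&1`
# shows the symptom from the question: the nft frontend cannot talk to the
# kernel, or legacy tables exist that the nft frontend cannot display.
probe_indicates_legacy_needed() {
    case "$1" in
        *"Operation not supported"*)        return 0 ;;
        *"iptables-legacy tables present"*) return 0 ;;
        *)                                  return 1 ;;
    esac
}

# Point the iptables alternative at the legacy binary (the fix from the
# answer). The ip6tables line is my assumption; the answer covers iptables.
select_legacy_iptables() {
    command -v update-alternatives >/dev/null 2>&1 || {
        echo "update-alternatives not available; cannot switch backend" >&2
        return 1
    }
    update-alternatives --set iptables /usr/sbin/iptables-legacy || return 1
    if [ -x /usr/sbin/ip6tables-legacy ]; then
        update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy || return 1
    fi
}

main() {
    if ! command -v iptables >/dev/null 2>&1; then
        echo "iptables is not installed in this image; nothing to check"
        return 0
    fi
    echo "backend: $(iptables_backend "$(iptables --version 2>/dev/null)")"
    if probe=$(iptables -t nat -nL 2>&1); then
        echo "iptables probe succeeded; no change needed"
        return 0
    fi
    if probe_indicates_legacy_needed "$probe"; then
        echo "symptom present:"
        echo "$probe" | head -n 2
        if [ "${1:-}" = "--apply" ]; then
            select_legacy_iptables && echo "switched to iptables-legacy"
        else
            echo "re-run with --apply to switch to iptables-legacy"
        fi
    else
        # e.g. "Permission denied" when NET_ADMIN is missing: a different problem
        echo "probe failed for a reason other than the backend mismatch:"
        echo "$probe" | head -n 2
    fi
}

main "$@"
```

Run it without arguments inside the affected container to see which backend the image uses and whether the probe reproduces the symptom; run it with `--apply` to perform the same `update-alternatives` switch the answer gives. A "Permission denied" probe is reported separately because that points at missing NET_ADMIN rather than the backend mismatch.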

kool

Reputation: 3613

I tried to reproduce your exact same issue trying to enable iptables in Kubernetes, but unsuccessfully: I couldn't get the iptables: Operation not supported. error, and there are very few similar issues.

However, I managed to make iptables work using a different docker image, in this example vimagick/iptables.

Using this image you just need to pass the command(s) you want to execute inside the container.

apiVersion: v1
kind: Pod
metadata:
  name: iptables-pod
spec:
  containers:
  - name: pod
    image: vimagick/iptables
    command:
      - /bin/sh
      - -c
      - iptables -t nat -nL
    securityContext:
      capabilities:
        add: ["NET_ADMIN"]

This pod changes its status to Completed after applying because it only executes the iptables -t nat -nL command, but you can check that it works by checking the pod's logs:

kubectl logs iptables-pod

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

I also managed to make it work using a simple Ubuntu image and installing the iptables package.

Upvotes: 2
