1

Can I modify and use /etc/host.allow file or something similar to restrict the outgoing (egress) calls from my kubernetes pods. If there is intermediate lookup happening while making an egress call from pod to external domain(lets say google.com), then I should be able to use hosts.allow kind of config to control and restrict the access of outgoing calls?
For example I want to allow google.com and block gitHub.com.

Note: I see in my default pods that coredns pod is already present with image: rancher/coredns-coredns:1.8.3. I understand that it comes default with k3s.

PS: I have already explored calico and other external (third party) network policy but they are not fulfilling my requirement.

solveit
  • 265
  • 1
  • 4
  • 12
  • Hello @solveit. What have you tried already? – Wytrzymały Wiktor Jul 06 '21 at 09:52
  • 1. In Calico "The restricted egress calls based on domain" is falling under Calico-enterprise , which is paid 2. In cilium, some complications in setup for multiple clusters compared to other CNI so couldn't use that. 3. There is no such in-built feature in K3s network policy where egress calls can be restricted based on domain. Eg: allow google.com & block gitHub.com. 4. Coredns ACL plugin https://coredns.io/plugins/acl/#examples is for DNS queries and not for domains, so cant use this as well. 5. K3S DNS service also doesn't provide any such solution. All these things I have tried. – solveit Jul 06 '21 at 10:48

0 Answers0