Casey Callendrello 8bed088224 kubelet: block non-forwarded packets from crossing the localhost boundary ...

We set route_localnet so that host-network processes can connect to
<127.0.0.1:NodePort> and it still works. This, however, is too
permissive.

So, block martians that are not already in conntrack.

See: #90259
Signed-off-by: Casey Callendrello <cdc@redhat.com>

2020-05-29 17:35:50 +02:00

6.3 KiB

Raw Blame History

View Raw