
Commit 371481b

committed
update readme
1 parent 8c8efc1 commit 371481b


1 file changed

+10
-6
lines changed


azure-iptables-monitor/README.md

Lines changed: 10 additions & 6 deletions
@@ -25,17 +25,21 @@ Follow the steps below to build and run the program:
2525

2626
4. Start the program with:
2727
```bash
28-
./azure-iptables-monitor --input=/etc/config/ --interval=300
28+
./azure-iptables-monitor -input=/etc/config/ -interval=300
2929
```
30-
- The `--input` flag specifies the directory containing allowed regex pattern files. Default: `/etc/config/`
31-
- The `--input6` flag specifies the directory containing allowed regex pattern files for IPv6 ip6tables. Default: `/etc/config6/`
32-
- The `--interval` flag specifies how often to check iptables rules in seconds. Default: `300`
33-
- The `--events` flag enables Kubernetes event creation for rule violations. Default: `false`
34-
- The `--ipv6` flag enables IPv6 ip6tables monitoring using the IPv6 allowlists. Default: `false`
30+
- The `-input` flag specifies the directory containing allowed regex pattern files. Default: `/etc/config/`
31+
- The `-input6` flag specifies the directory containing allowed regex pattern files for IPv6 ip6tables. Default: `/etc/config6/`
32+
- The `-interval` flag specifies how often to check iptables rules in seconds. Default: `300`
33+
- The `-events` flag enables Kubernetes event creation for rule violations. Default: `false`
34+
- The `-ipv6` flag enables IPv6 ip6tables monitoring using the IPv6 allowlists. Default: `false`
35+
- The `-checkMap` flag enables checking the pinned bpf map specified in mapPath for increases. Default: `false`
36+
- The `-mapPath` flag species the pinned bpf map path to check. Default: `/block-iptables/iptables_block_event_counter`
3537
- The program must be in a k8s environment and `NODE_NAME` must be a set environment variable with the current node.
3638

3739
5. The program will set the `kubernetes.azure.com/user-iptables-rules` label to `true` on the specified ciliumnode resource if unexpected rules are found, or `false` if all rules match expected patterns. Proper RBAC is required for patching (patch for ciliumnodes, create for events, get for nodes).
3840

41+
6. The program will also send out an event if the bpf map value specified increases between checks
42+
3943

4044
## Pattern File Format
4145
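Review bot: the new `-mapPath` bullet (line 36+) has a typo, "species" should read "specifies": `- The \`-mapPath\` flag specifies the pinned bpf map path to check.` The new step 6 (line 41+) also ends without a period and does not name the flags it depends on; tying it back to step 4 would help readers, e.g. "6. When `-checkMap` is set, the program will also send out an event if the value in the bpf map at `-mapPath` increases between checks." Since step 5 already notes that event creation needs RBAC (create for events), it may be worth stating whether the map-increase event is also gated on `-events` so operators know which flags to combine.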
