From 86206d7a0aa293dccae50e74428e7a6e87d30431 Mon Sep 17 00:00:00 2001 From: QxBytes Date: Tue, 12 Aug 2025 11:25:07 -0700 Subject: [PATCH 01/13] update label --- azure-iptables-monitor/iptables_monitor.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azure-iptables-monitor/iptables_monitor.go b/azure-iptables-monitor/iptables_monitor.go index 9ccdc07acf..00d720c5cc 100644 --- a/azure-iptables-monitor/iptables_monitor.go +++ b/azure-iptables-monitor/iptables_monitor.go @@ -32,7 +32,7 @@ var ( sendEvents = flag.Bool("events", false, "Whether to send node events if unexpected iptables rules are detected") ) -const label = "user-iptables-rules" +const label = "kubernetes.azure.com/user-iptables-rules" type FileLineReader interface { Read(filename string) ([]string, error) From fb85c6346a5abd0cf28dc83dd28083d550ef8df3 Mon Sep 17 00:00:00 2001 From: QxBytes Date: Thu, 14 Aug 2025 17:07:23 -0700 Subject: [PATCH 02/13] add ip6tables --- azure-iptables-monitor/iptables_monitor.go | 33 ++++++++++++++++--- .../iptables_monitor_test.go | 2 +- 2 files changed, 29 insertions(+), 6 deletions(-) diff --git a/azure-iptables-monitor/iptables_monitor.go b/azure-iptables-monitor/iptables_monitor.go index 00d720c5cc..8412e12020 100644 --- a/azure-iptables-monitor/iptables_monitor.go +++ b/azure-iptables-monitor/iptables_monitor.go @@ -27,9 +27,11 @@ import ( var version string var ( - configPath = flag.String("input", "/etc/config/", "Name of the directory with the allowed regex files") + configPath4 = flag.String("input", "/etc/config/", "Name of the directory with the ipv4 allowed regex files") + configPath6 = flag.String("input6", "/etc/config6/", "Name of directory with the ipv6 allowed regex files") checkInterval = flag.Int("interval", 300, "How often to check iptables rules (in seconds)") sendEvents = flag.Bool("events", false, "Whether to send node events if unexpected iptables rules are detected") + ipv6Enabled = flag.Bool("ipv6", false, "Whether to check ip6tables using the ipv6 allowlists") ) const label = "kubernetes.azure.com/user-iptables-rules" @@ -197,10 +199,10 @@ func hasUnexpectedRules(currentRules, allowedPatterns []string) bool { // nodeHasUserIPTablesRules returns true if the node has iptables rules that do not match the regex // specified in the rule's respective table: nat, mangle, filter, raw, or security // The global file's regexes can match to a rule in any table -func nodeHasUserIPTablesRules(fileReader FileLineReader, iptablesClient IPTablesClient) bool { +func nodeHasUserIPTablesRules(fileReader FileLineReader, path string, iptablesClient IPTablesClient) bool { tables := []string{"nat", "mangle", "filter", "raw", "security"} - globalPatterns, err := fileReader.Read(filepath.Join(*configPath, "global")) + globalPatterns, err := fileReader.Read(filepath.Join(path, "global")) if err != nil { globalPatterns = []string{} klog.V(2).Infof("No global patterns file found, using empty patterns") @@ -216,7 +218,7 @@ func nodeHasUserIPTablesRules(fileReader FileLineReader, iptablesClient IPTables } var referencePatterns []string - referencePatterns, err = fileReader.Read(filepath.Join(*configPath, table)) + referencePatterns, err = fileReader.Read(filepath.Join(path, table)) if err != nil { referencePatterns = []string{} klog.V(2).Infof("No reference patterns file found for table %s", table) @@ -263,6 +265,15 @@ func main() { klog.Fatalf("failed to create iptables client: %v", err) } + var ip6tablesClient IPTablesClient + if *ipv6Enabled { + ip6tablesClient, err = goiptables.New(goiptables.IPFamily(goiptables.ProtocolIPv6)) + if err != nil { + klog.Fatalf("failed to create ip6tables client: %v", err) + } + klog.Info("IPv6 Enabled") + } + // get current node name from environment variable currentNodeName := os.Getenv("NODE_NAME") if currentNodeName == "" { @@ -274,7 +285,19 @@ func main() { var fileReader FileLineReader = OSFileLineReader{} for { - userIPTablesRulesFound := nodeHasUserIPTablesRules(fileReader, iptablesClient) + userIPTablesRulesFound := nodeHasUserIPTablesRules(fileReader, *configPath4, iptablesClient) + if userIPTablesRulesFound { + klog.Info("Above user iptables rules detected in IPv4 iptables") + } + + // check ip6tables rules if enabled + if *ipv6Enabled { + userIP6TablesRulesFound := nodeHasUserIPTablesRules(fileReader, *configPath6, ip6tablesClient) + if userIP6TablesRulesFound { + klog.Info("Above user iptables rules detected in IPv6 iptables") + } + userIPTablesRulesFound = userIPTablesRulesFound || userIP6TablesRulesFound + } // update label based on whether user iptables rules were found err = patchLabel(dynamicClient, userIPTablesRulesFound, currentNodeName) diff --git a/azure-iptables-monitor/iptables_monitor_test.go b/azure-iptables-monitor/iptables_monitor_test.go index 2ebbfa27ab..60f025b7b6 100644 --- a/azure-iptables-monitor/iptables_monitor_test.go +++ b/azure-iptables-monitor/iptables_monitor_test.go @@ -217,7 +217,7 @@ func TestNodeHasUserIPTablesRules(t *testing.T) { fileReader.files = tc.files iptablesClient.rules = tc.rules - result := nodeHasUserIPTablesRules(fileReader, iptablesClient) + result := nodeHasUserIPTablesRules(fileReader, "/etc/config/", iptablesClient) require.Equal(t, tc.expected, result, tc.description) }) } From 8a82c047db332ea703a5117dd11111eff5bdeb47 Mon Sep 17 00:00:00 2001 From: QxBytes Date: Thu, 14 Aug 2025 17:15:02 -0700 Subject: [PATCH 03/13] update readme --- azure-iptables-monitor/README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/azure-iptables-monitor/README.md b/azure-iptables-monitor/README.md index 48aa3b060b..17fc5a2e07 100644 --- a/azure-iptables-monitor/README.md +++ b/azure-iptables-monitor/README.md @@ -28,11 +28,13 @@ Follow the steps below to build and run the program: ./azure-iptables-monitor --input=/etc/config/ --interval=300 ``` - The `--input` flag specifies the directory containing allowed regex pattern files. Default: `/etc/config/` + - The `--input6` flag specifies the directory containing allowed regex pattern files for IPv6 ip6tables. Default: `/etc/config6/` - The `--interval` flag specifies how often to check iptables rules in seconds. Default: `300` - The `--events` flag enables Kubernetes event creation for rule violations. Default: `false` + - The `--ipv6` flag enables IPv6 ip6tables monitoring using the IPv6 allowlists. Default: `false` - The program must be in a k8s environment and `NODE_NAME` must be a set environment variable with the current node. -5. The program will set the `user-iptables-rules` label to `true` on the specified ciliumnode resource if unexpected rules are found, or `false` if all rules match expected patterns. Proper RBAC is required for patching (patch for ciliumnodes, create for events, get for nodes). +5. The program will set the `kubernetes.azure.com/user-iptables-rules` label to `true` on the specified ciliumnode resource if unexpected rules are found, or `false` if all rules match expected patterns. Proper RBAC is required for patching (patch for ciliumnodes, create for events, get for nodes). ## Pattern File Format @@ -48,6 +50,7 @@ Each pattern file should contain one regex pattern per line: - `nat`, `mangle`, `filter`, `raw`, `security`: Patterns specific to each iptables table - Empty lines are ignored - Each line should be a valid Go regex pattern +- The ipv6 config directory uses files with same names, but will match against ipv6 iptables rules ## Debugging From 4424b0895d7b758a19c8fd6349ed7d6f99c7976c Mon Sep 17 00:00:00 2001 From: QxBytes Date: Mon, 18 Aug 2025 09:30:15 -0700 Subject: [PATCH 04/13] update logging --- azure-iptables-monitor/iptables_monitor.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/azure-iptables-monitor/iptables_monitor.go b/azure-iptables-monitor/iptables_monitor.go index 8412e12020..13fd35534d 100644 --- a/azure-iptables-monitor/iptables_monitor.go +++ b/azure-iptables-monitor/iptables_monitor.go @@ -210,6 +210,8 @@ func nodeHasUserIPTablesRules(fileReader FileLineReader, path string, iptablesCl userIPTablesRules := false + klog.V(2).Infof("Using reference patterns files in %s", path) + for _, table := range tables { rules, err := GetRules(iptablesClient, table) if err != nil { @@ -271,8 +273,8 @@ func main() { if err != nil { klog.Fatalf("failed to create ip6tables client: %v", err) } - klog.Info("IPv6 Enabled") } + klog.Infof("IPv6: %v", *ipv6Enabled) // get current node name from environment variable currentNodeName := os.Getenv("NODE_NAME") From d34a223fb7b0b1059166ce67409207578841468c Mon Sep 17 00:00:00 2001 From: QxBytes Date: Mon, 18 Aug 2025 16:16:19 -0700 Subject: [PATCH 05/13] add ability to read bpf map to iptables monitor --- azure-iptables-monitor/go.mod | 1 + azure-iptables-monitor/go.sum | 2 + azure-iptables-monitor/iptables_monitor.go | 45 ++++++++++++++++++++++ 3 files changed, 48 insertions(+) diff --git a/azure-iptables-monitor/go.mod b/azure-iptables-monitor/go.mod index 04f8a416f0..f5cb17a4f5 100644 --- a/azure-iptables-monitor/go.mod +++ b/azure-iptables-monitor/go.mod @@ -16,6 +16,7 @@ require ( github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver/v4 v4.0.0 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect + github.com/cilium/ebpf v0.19.0 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/emicklei/go-restful/v3 v3.11.0 // indirect github.com/fxamacker/cbor/v2 v2.7.0 // indirect diff --git a/azure-iptables-monitor/go.sum b/azure-iptables-monitor/go.sum index 561bcf8e39..4fc10e9187 100644 --- a/azure-iptables-monitor/go.sum +++ b/azure-iptables-monitor/go.sum @@ -4,6 +4,8 @@ github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/cilium/ebpf v0.19.0 h1:Ro/rE64RmFBeA9FGjcTc+KmCeY6jXmryu6FfnzPRIao= +github.com/cilium/ebpf v0.19.0/go.mod h1:fLCgMo3l8tZmAdM3B2XqdFzXBpwkcSTroaVqN08OWVY= github.com/coreos/go-iptables v0.8.0 h1:MPc2P89IhuVpLI7ETL/2tx3XZ61VeICZjYqDEgNsPRc= github.com/coreos/go-iptables v0.8.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q= github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= diff --git a/azure-iptables-monitor/iptables_monitor.go b/azure-iptables-monitor/iptables_monitor.go index 13fd35534d..3b2a310f89 100644 --- a/azure-iptables-monitor/iptables_monitor.go +++ b/azure-iptables-monitor/iptables_monitor.go @@ -5,6 +5,7 @@ import ( "context" "flag" "fmt" + "github.com/cilium/ebpf" "os" "path/filepath" "regexp" @@ -32,6 +33,8 @@ var ( checkInterval = flag.Int("interval", 300, "How often to check iptables rules (in seconds)") sendEvents = flag.Bool("events", false, "Whether to send node events if unexpected iptables rules are detected") ipv6Enabled = flag.Bool("ipv6", false, "Whether to check ip6tables using the ipv6 allowlists") + checkMap = flag.Bool("checkMap", false, "Whether to check the bpf map at mapPath for increases") + pinPath = flag.String("mapPath", "/sys/fs/bpf/block-iptables/iptables_block_event_counter", "Path to pinned bpf map") ) const label = "kubernetes.azure.com/user-iptables-rules" @@ -238,6 +241,27 @@ func nodeHasUserIPTablesRules(fileReader FileLineReader, path string, iptablesCl return userIPTablesRules } +func getBPFMapValue() (uint64, error) { + m, err := ebpf.LoadPinnedMap(*pinPath, nil) + if err != nil { + return 0, fmt.Errorf("failed to load pinned map %s: %w", *pinPath, err) + } + defer m.Close() + // 0 is the key for # of blocks + key := uint32(0) + value := uint64(0) + + if err := m.Lookup(&key, &value); err != nil { + return 0, fmt.Errorf("failed to lookup value in bpf map %d: %w", key, err) + } + + return value, nil +} + +func sendEventOnIPTablesBlock() { + +} + func main() { klog.InitFlags(nil) flag.Parse() @@ -286,6 +310,8 @@ func main() { var fileReader FileLineReader = OSFileLineReader{} + previousBlocks := uint64(0) + for { userIPTablesRulesFound := nodeHasUserIPTablesRules(fileReader, *configPath4, iptablesClient) if userIPTablesRulesFound { @@ -316,6 +342,25 @@ func main() { } } + // if disabled the number of blocks never increases from zero + currentBlocks := uint64(0) + if *checkMap { + // read bpf map to check for number of blocked iptables rules + currentBlocks, err = getBPFMapValue() + if err != nil { + klog.Errorf("failed to get bpf map value: %v", err) + } + } + // if number of blocked rules increased since last time + blockedRulesIncreased := currentBlocks > previousBlocks + previousBlocks = currentBlocks + if *sendEvents && blockedRulesIncreased { + err = createNodeEvent(clientset, currentNodeName, "BlockedIPTablesRule", "Number of blocked iptables rules increased since last check", corev1.EventTypeWarning) + if err != nil { + klog.Errorf("failed to create iptables block event: %v", err) + } + } + time.Sleep(time.Duration(*checkInterval) * time.Second) } } From 9148ff3cd88f7a449bd8090f189683a99cc50902 Mon Sep 17 00:00:00 2001 From: QxBytes Date: Mon, 18 Aug 2025 17:13:57 -0700 Subject: [PATCH 06/13] modify log --- azure-iptables-monitor/iptables_monitor.go | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/azure-iptables-monitor/iptables_monitor.go b/azure-iptables-monitor/iptables_monitor.go index 3b2a310f89..391b7af588 100644 --- a/azure-iptables-monitor/iptables_monitor.go +++ b/azure-iptables-monitor/iptables_monitor.go @@ -34,7 +34,7 @@ var ( sendEvents = flag.Bool("events", false, "Whether to send node events if unexpected iptables rules are detected") ipv6Enabled = flag.Bool("ipv6", false, "Whether to check ip6tables using the ipv6 allowlists") checkMap = flag.Bool("checkMap", false, "Whether to check the bpf map at mapPath for increases") - pinPath = flag.String("mapPath", "/sys/fs/bpf/block-iptables/iptables_block_event_counter", "Path to pinned bpf map") + pinPath = flag.String("mapPath", "/block-iptables/iptables_block_event_counter", "Path to pinned bpf map") ) const label = "kubernetes.azure.com/user-iptables-rules" @@ -353,13 +353,15 @@ func main() { } // if number of blocked rules increased since last time blockedRulesIncreased := currentBlocks > previousBlocks - previousBlocks = currentBlocks if *sendEvents && blockedRulesIncreased { - err = createNodeEvent(clientset, currentNodeName, "BlockedIPTablesRule", "Number of blocked iptables rules increased since last check", corev1.EventTypeWarning) + msg := fmt.Sprintf("Number of blocked iptables rules increased from %d to %d since last check", previousBlocks, currentBlocks) + err = createNodeEvent(clientset, currentNodeName, "BlockedIPTablesRule", msg, corev1.EventTypeWarning) if err != nil { klog.Errorf("failed to create iptables block event: %v", err) } } + klog.V(2).Infof("IPTables rules blocks: Previous: %d Current: %d", previousBlocks, currentBlocks) + previousBlocks = currentBlocks time.Sleep(time.Duration(*checkInterval) * time.Second) } From db051e6f97e4c071769d44df9cd06785c8e383d6 Mon Sep 17 00:00:00 2001 From: QxBytes Date: Tue, 19 Aug 2025 11:17:49 -0700 Subject: [PATCH 07/13] display iptables rules block count only when check map enabled --- azure-iptables-monitor/iptables_monitor.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azure-iptables-monitor/iptables_monitor.go b/azure-iptables-monitor/iptables_monitor.go index 391b7af588..38485db555 100644 --- a/azure-iptables-monitor/iptables_monitor.go +++ b/azure-iptables-monitor/iptables_monitor.go @@ -350,6 +350,7 @@ func main() { if err != nil { klog.Errorf("failed to get bpf map value: %v", err) } + klog.V(2).Infof("IPTables rules blocks: Previous: %d Current: %d", previousBlocks, currentBlocks) } // if number of blocked rules increased since last time blockedRulesIncreased := currentBlocks > previousBlocks @@ -360,7 +361,6 @@ func main() { klog.Errorf("failed to create iptables block event: %v", err) } } - klog.V(2).Infof("IPTables rules blocks: Previous: %d Current: %d", previousBlocks, currentBlocks) previousBlocks = currentBlocks time.Sleep(time.Duration(*checkInterval) * time.Second) From d66d8216c3e7f9ff196f0acc34bf651fb41e064a Mon Sep 17 00:00:00 2001 From: QxBytes Date: Tue, 19 Aug 2025 11:39:10 -0700 Subject: [PATCH 08/13] update readme --- azure-iptables-monitor/README.md | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/azure-iptables-monitor/README.md b/azure-iptables-monitor/README.md index 17fc5a2e07..388c0469a7 100644 --- a/azure-iptables-monitor/README.md +++ b/azure-iptables-monitor/README.md @@ -25,17 +25,21 @@ Follow the steps below to build and run the program: 4. Start the program with: ```bash - ./azure-iptables-monitor --input=/etc/config/ --interval=300 + ./azure-iptables-monitor -input=/etc/config/ -interval=300 ``` - - The `--input` flag specifies the directory containing allowed regex pattern files. Default: `/etc/config/` - - The `--input6` flag specifies the directory containing allowed regex pattern files for IPv6 ip6tables. Default: `/etc/config6/` - - The `--interval` flag specifies how often to check iptables rules in seconds. Default: `300` - - The `--events` flag enables Kubernetes event creation for rule violations. Default: `false` - - The `--ipv6` flag enables IPv6 ip6tables monitoring using the IPv6 allowlists. Default: `false` + - The `-input` flag specifies the directory containing allowed regex pattern files. Default: `/etc/config/` + - The `-input6` flag specifies the directory containing allowed regex pattern files for IPv6 ip6tables. Default: `/etc/config6/` + - The `-interval` flag specifies how often to check iptables rules in seconds. Default: `300` + - The `-events` flag enables Kubernetes event creation for rule violations. Default: `false` + - The `-ipv6` flag enables IPv6 ip6tables monitoring using the IPv6 allowlists. Default: `false` + - The `-checkMap` flag enables checking the pinned bpf map specified in mapPath for increases. Default: `false` + - The `-mapPath` flag species the pinned bpf map path to check. Default: `/block-iptables/iptables_block_event_counter` - The program must be in a k8s environment and `NODE_NAME` must be a set environment variable with the current node. 5. The program will set the `kubernetes.azure.com/user-iptables-rules` label to `true` on the specified ciliumnode resource if unexpected rules are found, or `false` if all rules match expected patterns. Proper RBAC is required for patching (patch for ciliumnodes, create for events, get for nodes). +6. The program will also send out an event if the bpf map value specified increases between checks + ## Pattern File Format From f4cd73ed5097e0d1aa47ca60c591b320b5314ff5 Mon Sep 17 00:00:00 2001 From: QxBytes Date: Tue, 19 Aug 2025 11:42:08 -0700 Subject: [PATCH 09/13] remove unused function (noop) --- azure-iptables-monitor/iptables_monitor.go | 4 ---- 1 file changed, 4 deletions(-) diff --git a/azure-iptables-monitor/iptables_monitor.go b/azure-iptables-monitor/iptables_monitor.go index 38485db555..5e569b9ddf 100644 --- a/azure-iptables-monitor/iptables_monitor.go +++ b/azure-iptables-monitor/iptables_monitor.go @@ -258,10 +258,6 @@ func getBPFMapValue() (uint64, error) { return value, nil } -func sendEventOnIPTablesBlock() { - -} - func main() { klog.InitFlags(nil) flag.Parse() From 96753aefcaaa478f72b44317e4712a3074cc504e Mon Sep 17 00:00:00 2001 From: QxBytes Date: Tue, 19 Aug 2025 11:55:23 -0700 Subject: [PATCH 10/13] address linter --- azure-iptables-monitor/iptables_monitor.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azure-iptables-monitor/iptables_monitor.go b/azure-iptables-monitor/iptables_monitor.go index 5e569b9ddf..4a410ee1f9 100644 --- a/azure-iptables-monitor/iptables_monitor.go +++ b/azure-iptables-monitor/iptables_monitor.go @@ -5,12 +5,12 @@ import ( "context" "flag" "fmt" - "github.com/cilium/ebpf" "os" "path/filepath" "regexp" "time" + "github.com/cilium/ebpf" goiptables "github.com/coreos/go-iptables/iptables" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" From 5faa1c2cd24af25e13171fbbe1270aa97db4273f Mon Sep 17 00:00:00 2001 From: Alexander <39818795+QxBytes@users.noreply.github.com> Date: Tue, 19 Aug 2025 12:11:00 -0700 Subject: [PATCH 11/13] update azure-iptables-monitor/iptables_monitor.go Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Alexander <39818795+QxBytes@users.noreply.github.com> --- azure-iptables-monitor/iptables_monitor.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azure-iptables-monitor/iptables_monitor.go b/azure-iptables-monitor/iptables_monitor.go index 4a410ee1f9..c5cb0605cf 100644 --- a/azure-iptables-monitor/iptables_monitor.go +++ b/azure-iptables-monitor/iptables_monitor.go @@ -252,7 +252,7 @@ func getBPFMapValue() (uint64, error) { value := uint64(0) if err := m.Lookup(&key, &value); err != nil { - return 0, fmt.Errorf("failed to lookup value in bpf map %d: %w", key, err) + return 0, fmt.Errorf("failed to lookup key %d in bpf map: %w", key, err) } return value, nil From 317530f3c898255c8b3c34c1dcc5615c9db896bb Mon Sep 17 00:00:00 2001 From: QxBytes Date: Wed, 20 Aug 2025 11:27:32 -0700 Subject: [PATCH 12/13] adjust event description --- azure-iptables-monitor/README.md | 4 ++-- azure-iptables-monitor/iptables_monitor.go | 5 +++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/azure-iptables-monitor/README.md b/azure-iptables-monitor/README.md index 388c0469a7..f7cf15cba2 100644 --- a/azure-iptables-monitor/README.md +++ b/azure-iptables-monitor/README.md @@ -29,11 +29,11 @@ Follow the steps below to build and run the program: ``` - The `-input` flag specifies the directory containing allowed regex pattern files. Default: `/etc/config/` - The `-input6` flag specifies the directory containing allowed regex pattern files for IPv6 ip6tables. Default: `/etc/config6/` - - The `-interval` flag specifies how often to check iptables rules in seconds. Default: `300` + - The `-interval` flag specifies how often to check iptables rules and the bpf map in seconds. Default: `300` - The `-events` flag enables Kubernetes event creation for rule violations. Default: `false` - The `-ipv6` flag enables IPv6 ip6tables monitoring using the IPv6 allowlists. Default: `false` - The `-checkMap` flag enables checking the pinned bpf map specified in mapPath for increases. Default: `false` - - The `-mapPath` flag species the pinned bpf map path to check. Default: `/block-iptables/iptables_block_event_counter` + - The `-mapPath` flag specifies the pinned bpf map path to check. Default: `/block-iptables/iptables_block_event_counter` - The program must be in a k8s environment and `NODE_NAME` must be a set environment variable with the current node. 5. The program will set the `kubernetes.azure.com/user-iptables-rules` label to `true` on the specified ciliumnode resource if unexpected rules are found, or `false` if all rules match expected patterns. Proper RBAC is required for patching (patch for ciliumnodes, create for events, get for nodes). diff --git a/azure-iptables-monitor/iptables_monitor.go b/azure-iptables-monitor/iptables_monitor.go index c5cb0605cf..066cc7482c 100644 --- a/azure-iptables-monitor/iptables_monitor.go +++ b/azure-iptables-monitor/iptables_monitor.go @@ -30,7 +30,7 @@ var version string var ( configPath4 = flag.String("input", "/etc/config/", "Name of the directory with the ipv4 allowed regex files") configPath6 = flag.String("input6", "/etc/config6/", "Name of directory with the ipv6 allowed regex files") - checkInterval = flag.Int("interval", 300, "How often to check iptables rules (in seconds)") + checkInterval = flag.Int("interval", 300, "How often to check for user iptables rules and bpf map increases (in seconds)") sendEvents = flag.Bool("events", false, "Whether to send node events if unexpected iptables rules are detected") ipv6Enabled = flag.Bool("ipv6", false, "Whether to check ip6tables using the ipv6 allowlists") checkMap = flag.Bool("checkMap", false, "Whether to check the bpf map at mapPath for increases") @@ -351,7 +351,8 @@ func main() { // if number of blocked rules increased since last time blockedRulesIncreased := currentBlocks > previousBlocks if *sendEvents && blockedRulesIncreased { - msg := fmt.Sprintf("Number of blocked iptables rules increased from %d to %d since last check", previousBlocks, currentBlocks) + msg := "A process attempted to add iptables rules to the node but was blocked since last check. " + + "iptables rules blocked because EBPF Host Routing is enabled: aka.ms/acnsperformance" err = createNodeEvent(clientset, currentNodeName, "BlockedIPTablesRule", msg, corev1.EventTypeWarning) if err != nil { klog.Errorf("failed to create iptables block event: %v", err) From e3bc5f6fbc3d71215ae4df92db51678fc671126d Mon Sep 17 00:00:00 2001 From: QxBytes Date: Tue, 26 Aug 2025 11:09:43 -0700 Subject: [PATCH 13/13] adjust pinned path --- azure-iptables-monitor/README.md | 2 +- azure-iptables-monitor/iptables_monitor.go | 2 +- bpf-prog/azure-block-iptables/pkg/bpfprogram/program.go | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/azure-iptables-monitor/README.md b/azure-iptables-monitor/README.md index f7cf15cba2..682d30c2b1 100644 --- a/azure-iptables-monitor/README.md +++ b/azure-iptables-monitor/README.md @@ -33,7 +33,7 @@ Follow the steps below to build and run the program: - The `-events` flag enables Kubernetes event creation for rule violations. Default: `false` - The `-ipv6` flag enables IPv6 ip6tables monitoring using the IPv6 allowlists. Default: `false` - The `-checkMap` flag enables checking the pinned bpf map specified in mapPath for increases. Default: `false` - - The `-mapPath` flag specifies the pinned bpf map path to check. Default: `/block-iptables/iptables_block_event_counter` + - The `-mapPath` flag specifies the pinned bpf map path to check. Default: `/azure-block-iptables/iptables_block_event_counter` - The program must be in a k8s environment and `NODE_NAME` must be a set environment variable with the current node. 5. The program will set the `kubernetes.azure.com/user-iptables-rules` label to `true` on the specified ciliumnode resource if unexpected rules are found, or `false` if all rules match expected patterns. Proper RBAC is required for patching (patch for ciliumnodes, create for events, get for nodes). diff --git a/azure-iptables-monitor/iptables_monitor.go b/azure-iptables-monitor/iptables_monitor.go index 066cc7482c..2e3452f49a 100644 --- a/azure-iptables-monitor/iptables_monitor.go +++ b/azure-iptables-monitor/iptables_monitor.go @@ -34,7 +34,7 @@ var ( sendEvents = flag.Bool("events", false, "Whether to send node events if unexpected iptables rules are detected") ipv6Enabled = flag.Bool("ipv6", false, "Whether to check ip6tables using the ipv6 allowlists") checkMap = flag.Bool("checkMap", false, "Whether to check the bpf map at mapPath for increases") - pinPath = flag.String("mapPath", "/block-iptables/iptables_block_event_counter", "Path to pinned bpf map") + pinPath = flag.String("mapPath", "/azure-block-iptables/iptables_block_event_counter", "Path to pinned bpf map") ) const label = "kubernetes.azure.com/user-iptables-rules" diff --git a/bpf-prog/azure-block-iptables/pkg/bpfprogram/program.go b/bpf-prog/azure-block-iptables/pkg/bpfprogram/program.go index a69167b044..1033fac47d 100644 --- a/bpf-prog/azure-block-iptables/pkg/bpfprogram/program.go +++ b/bpf-prog/azure-block-iptables/pkg/bpfprogram/program.go @@ -18,7 +18,7 @@ import ( const ( // BPFMapPinPath is the directory where BPF maps are pinned - BPFMapPinPath = "/sys/fs/bpf/block-iptables" + BPFMapPinPath = "/sys/fs/bpf/azure-block-iptables" // EventCounterMapName is the name used for pinning the event counter map EventCounterMapName = "iptables_block_event_counter" // IptablesLegacyBlockProgramName is the name used for pinning the legacy iptables block program