Add support for fail2ban to be used inside a Kubernetes environment by modifying the NetworkPolicy API

Description

In a Kubernetes environment the usage of a traditional or even Docker-based fail2ban setup is currently not possible due to the way the Kubernetes network stack works. I think few attempts have been made to work around this by various people over the years, but this proposal is to gather interest and look at using the Kubernetes Network Policy API to effectively natively support Kubernetes from fail2ban.

Any additional information

https://kubernetes.io/docs/concepts/services-networking/network-policies/
https://network-policy-api.sigs.k8s.io/reference/spec/

The Concept

fail2ban would be given a service account with limited access to create/edit a named Network Policy.

When a jail is triggered the API would be invoked and entries would be added or removed from the policy. E.g. in the below YAML example traffic is allowed from anywhere apart from:

172.17.1.0/24
123.123.123.123/32

Eg:

On the surface, concept-wise, it sounds like it should be fairly easy, and then a container-based instance of fail2ban could run as a sidecar and ban as needed.

Am raising this issue in the first instance in the hope that someone more experienced in the technologies will see it and run with it, as I am not sure how to achieve the above myself.

ATM I see 2 ways how one could make an action for that: either a command action with curl/whatever to the REST API of k8s, or probably more favorably a pythonic action using kubernetes-client/python.
I'd try to implement that, just... persistently no time for that (too busy), sorry.
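As an added example, not code from fail2ban or from the issue author (whose YAML is not on the page): a Python sketch of what the "pythonic action" suggested above could do with the concept described in the issue, keeping banned addresses in the `except` list of an allow-from-anywhere ipBlock and patching only that part of the policy. The policy name, namespace and pod label are assumptions.

```python
import copy
import ipaddress
# Constructed sample in the shape the issue describes: allow ingress from anywhere
# except the banned ranges. Name, namespace and pod label are assumptions.
BASE_POLICY = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "fail2ban-bans", "namespace": "default"},
    "spec": {"podSelector": {"matchLabels": {"app": "web"}}, "policyTypes": ["Ingress"],
             "ingress": [{"from": [{"ipBlock": {"cidr": "0.0.0.0/0",
                                                "except": ["172.17.1.0/24"]}}]}]},
}

def _block_for(policy, net):
    """Allow-from-anywhere ipBlock for net's IP family (added if absent); 'except' must lie inside 'cidr'."""
    peers = policy["spec"]["ingress"][0]["from"]
    for peer in peers:
        blk = peer.get("ipBlock")
        if blk and ipaddress.ip_network(blk["cidr"]).version == net.version:
            return blk
    blk = {"cidr": "0.0.0.0/0" if net.version == 4 else "::/0", "except": []}
    peers.append({"ipBlock": blk})
    return blk

def ban(policy, ip):
    """actionban: add ip (bare address or CIDR) to the except list; idempotent, returns a copy."""
    new, net = copy.deepcopy(policy), ipaddress.ip_network(ip, strict=False)
    exc = _block_for(new, net).setdefault("except", [])
    if str(net) not in exc:  # a bare '1.2.3.4' is stored as '1.2.3.4/32'
        exc.append(str(net))
    return new

def unban(policy, ip):
    """actionunban: remove the entry ban() added; returns a copy."""
    new, net = copy.deepcopy(policy), ipaddress.ip_network(ip, strict=False)
    blk = _block_for(new, net)
    blk["except"] = [c for c in blk.get("except", []) if c != str(net)]
    return new

def is_banned(policy, ip):
    """True if ip lies inside any except entry, i.e. the policy would drop it."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for peer in policy["spec"]["ingress"][0]["from"]
               for c in peer.get("ipBlock", {}).get("except", []))

def apply(policy):
    """Push .spec.ingress as a merge patch with kubernetes-client/python (assumed setup; not run offline)."""
    from kubernetes import client, config
    config.load_incluster_config()  # the limited service account the issue proposes
    client.NetworkingV1Api().patch_namespaced_network_policy(policy["metadata"]["name"],
        policy["metadata"]["namespace"], {"spec": {"ingress": policy["spec"]["ingress"]}})
```

fail2ban would call ban()/unban() from its actionban/actionunban with the `<ip>` tag. Note that ipBlock matching is done on the source address as it reaches the pod, so behind a Service whose external traffic is SNATed to a node address the ban would match nothing.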