[RFE]: Add Support for Kubernetes NetworkPolicy Action #3644

Open

jamestutton opened this issue Dec 5, 2023 · 1 comment

@jamestutton

Description

Add support for fail2ban to be used inside a Kubernetes environment by modifying the NetworkPolicy API

In a Kubernetes environment the usage of a traditional or even docker-based fail2ban setup is currently not possible due to the way the Kubernetes network stack works. I think a few attempts have been made to work around this by various people over the years, but this proposal is to gather interest and look at using the Kubernetes Network Policy API to effectively support Kubernetes natively from fail2ban.

Any additional information

https://kubernetes.io/docs/concepts/services-networking/network-policies/

https://network-policy-api.sigs.k8s.io/reference/spec/

The Concept

fail2ban would be given a service account with limited access to create/edit a named Network Policy.

When a jail is triggered the API would be invoked and entries would be added or removed from the policy. E.g. in the YAML example below, traffic is allowed from anywhere apart from:

- 172.17.1.0/24
- 123.123.123.123/32

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: mail-server          # the pods fail2ban protects
  policyTypes:
    - Ingress
  ingress:
    - from:
        - ipBlock:
            cidr: 0.0.0.0/0      # allow ingress from anywhere ...
            except:              # ... except these ranges (the list fail2ban would edit)
              - 172.17.1.0/24    # a /24, as in the text above (a /32 here would only exclude 172.17.1.0)
              - 123.123.123.123/32
```

On the surface, concept-wise it sounds like it should be fairly easy, and then a container-based instance of fail2ban could run as a sidecar and ban as needed.

I am raising this issue in the first instance in the hope that someone more experienced in these technologies will see it and run with it, as I am not sure how to achieve the above myself.

@sebres
Contributor

sebres commented Dec 17, 2023

ATM I see 2 ways one could make an action for that: either a command action with curl/whatever against the REST API of k8s, or probably more favorably a pythonic action using kubernetes-client/python.
I'd try to implement that, just... persistently no time for that (too busy), sorry.
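A sketch of the second option, a pythonic action, as an added example: this is my own code, not fail2ban's, Kubernetes' or the issue author's. It follows the concept above: the policy already contains a catch-all ipBlock (0.0.0.0/0, and ::/0 if IPv6 traffic is expected) whose `except` list is the ban list; fail2ban runs in a pod whose service account is bound to a Role granting only `get` and `patch` on `networkpolicies` with `resourceNames` restricted to that one policy; and the API is reached through the standard in-cluster token and CA mount, which is also what a curl-based command action would use. The policy is fetched before each change so the patch never overwrites edits made elsewhere, and its `resourceVersion` is echoed back so a concurrent change makes the API server reject the patch with 409 Conflict rather than silently losing a ban. Names such as `NetworkPolicyAction`, `banned_ingress` and `merge_patch` are illustrative, not fail2ban or Kubernetes identifiers.

```python
"""Added example, not fail2ban's or Kubernetes' own code: the core of a pythonic
fail2ban action that bans an address by editing the `except` list of a
NetworkPolicy.  Assumptions: the policy already has a catch-all ipBlock for the
address family (0.0.0.0/0 and/or ::/0), the pod mounts a service-account token
with get/patch on that one policy, and all names below are illustrative."""
import copy
import ipaddress
import json
import os
import ssl
import urllib.request

SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"  # standard in-cluster mount
API_ROOT = "https://kubernetes.default.svc"                # in-cluster API server address


def host_cidr(ip):
    """'1.2.3.4' -> '1.2.3.4/32', '2001:db8::1' -> '2001:db8::1/128' (what ipBlock wants)."""
    return ipaddress.ip_network(str(ip), strict=False).with_prefixlen


def banned_ingress(policy, ip, banned=True):
    """Return a new spec.ingress list with `ip` added to (banned=True) or removed from
    the `except` list of every catch-all ipBlock of the same address family.
    Fails closed: if no catch-all rule exists for that family we refuse, rather than
    appending a new allow-everything rule that would widen the pod's exposure."""
    net = ipaddress.ip_network(str(ip), strict=False)
    catch_all = "0.0.0.0/0" if net.version == 4 else "::/0"
    ingress = copy.deepcopy(policy.get("spec", {}).get("ingress", []))  # never mutate the input
    hit = False
    for rule in ingress:
        for peer in rule.get("from", []):
            block = peer.get("ipBlock")
            if block is not None and block.get("cidr") == catch_all:
                excepts = set(block.get("except", []))
                (excepts.add if banned else excepts.discard)(net.with_prefixlen)
                if excepts:
                    block["except"] = sorted(excepts)  # deterministic, diff-friendly order
                else:
                    block.pop("except", None)          # no bans left: drop the key entirely
                hit = True
    if not hit:
        raise ValueError(f"policy has no ipBlock {catch_all} rule; refusing to modify it")
    return ingress


def merge_patch(policy, ip, banned=True):
    """Build the JSON merge-patch body.  RFC 7386 replaces whole arrays, so the full
    ingress list is sent.  Echoing metadata.resourceVersion makes the API server treat
    it as an optimistic-lock precondition: 409 Conflict if the policy changed meanwhile."""
    return {
        "metadata": {"resourceVersion": policy["metadata"]["resourceVersion"]},
        "spec": {"ingress": banned_ingress(policy, ip, banned)},
    }


def patch_policy(namespace, name, ip, banned=True):
    """GET the live policy, then PATCH it through the REST API with the pod's
    service-account bearer token and the cluster CA (no client library needed)."""
    with open(os.path.join(SA_DIR, "token")) as f:
        token = f.read().strip()
    ctx = ssl.create_default_context(cafile=os.path.join(SA_DIR, "ca.crt"))
    url = f"{API_ROOT}/apis/networking.k8s.io/v1/namespaces/{namespace}/networkpolicies/{name}"
    hdrs = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    with urllib.request.urlopen(urllib.request.Request(url, headers=hdrs), context=ctx) as r:
        policy = json.load(r)
    body = json.dumps(merge_patch(policy, ip, banned)).encode()
    req = urllib.request.Request(url, data=body, method="PATCH",
                                 headers={**hdrs, "Content-Type": "application/merge-patch+json"})
    with urllib.request.urlopen(req, context=ctx) as r:
        return json.load(r)


try:
    from fail2ban.server.action import ActionBase  # present when loaded by fail2ban
except ImportError:                                 # stand-in so the module imports offline
    class ActionBase:
        def __init__(self, jail, name):
            self._jail, self._name = jail, name


class NetworkPolicyAction(ActionBase):
    """fail2ban python action: ban/unban receive an aInfo dict carrying the offending 'ip'."""

    def __init__(self, jail, name, namespace="default", policy="test-network-policy"):
        super().__init__(jail, name)
        self.namespace, self.policy = namespace, policy

    def ban(self, aInfo):
        patch_policy(self.namespace, self.policy, aInfo["ip"], banned=True)

    def unban(self, aInfo):
        patch_policy(self.namespace, self.policy, aInfo["ip"], banned=False)


Action = NetworkPolicyAction  # the module-level name fail2ban looks up for .py actions
```

Two caveats before relying on this: NetworkPolicy is only enforced when the cluster's CNI implements it (an unsupported policy is accepted by the API server and silently ignored), and if the mail server is exposed through a Service with `externalTrafficPolicy: Cluster` the client address is SNATed to a node IP before it reaches the pod, so both fail2ban's log parsing and the ipBlock match would see the wrong address; `externalTrafficPolicy: Local` or a PROXY-protocol-aware front end keeps the real client IP. The action also deliberately refuses to create a catch-all rule when none exists for the address family, since that would widen exposure instead of narrowing it.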
