I used to think netfilter worked at the node level, so iptables rules were only for the node, and Istio maybe injects iptables rules with the pod IP in an initContainer.
But I researched chaos-mesh recently, and it broke this assumption, so I tried to use nsexec.
I created a demo pod on node A and executed nsexec -n /proc/xxxxxx/ns/net -l iptables -L, and the iptables rules are different from the node rules.
When I tried to add an OUTPUT rule, it worked well, only for this pod.
Is netfilter isolated by namespace?
Can be done.
...a demo pod on node A and executed nsexec -n /proc/xxxxxx/ns/net -l iptables -L, and the iptables rules are different from the node rules
What happens here is that nsexec loads iptables from its own mount namespace and executes it in the pod's isolated network namespace. As you wished, the pod gets a different set of iptables rules.
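As an added example (not from the original question or answer), a small shell helper a node operator could use to see this isolation for themselves: it resolves the network-namespace identity of a PID, lists the filter rules from inside a pod's netns, and shows which rules exist only there. It assumes Linux with util-linux nsenter and iptables on the node and root for the rule listing; nsenter --net stands in for the nsexec -n from the question.

```shell
#!/bin/sh
# Added example, not code from the original thread: compare the netfilter
# (iptables) rules a pod sees with the rules the node sees. Assumes Linux,
# util-linux nsenter and iptables on the node, and root for the nsenter and
# iptables calls; the namespace-identity helpers need no privilege.

# Network-namespace identity of a PID: the "net:[<inode>]" target of the
# /proc/<pid>/ns/net link. Processes in the same netns share the same target.
netns_of() {
    readlink "/proc/$1/ns/net" 2>/dev/null
}

# Succeeds only when both PIDs resolve to the same (non-empty) netns identity.
same_netns() {
    a=$(netns_of "$1") || return 1
    b=$(netns_of "$2") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Rules as seen from inside a PID's network namespace. "nsenter --net" switches
# only the network namespace, so the iptables binary and its libraries still
# come from the node's mount namespace; this is the same trick nsexec -n uses.
rules_in_netns() {
    nsenter --net="/proc/$1/ns/net" -- iptables -S
}

# Print node rules, pod rules, and the rules that exist only in the pod netns
# (for example an OUTPUT rule added from inside the pod, or rules an
# initContainer or a chaos tool injected there).
compare_pod_rules() {
    pid="$1"   # PID of any process in the pod (e.g. from crictl inspect)
    if same_netns 1 "$pid"; then
        echo "PID $pid is in the node network namespace; nothing to compare"
        return 1
    fi
    node_rules=$(mktemp) && pod_rules=$(mktemp) || return 1
    iptables -S >"$node_rules"
    rules_in_netns "$pid" >"$pod_rules"
    echo "# node netns $(netns_of 1)"; cat "$node_rules"
    echo "# pod netns $(netns_of "$pid")"; cat "$pod_rules"
    echo "# rules present only in the pod netns:"
    grep -vxF -f "$node_rules" "$pod_rules" || echo "(none)"
    rm -f "$node_rules" "$pod_rules"
}

# Usage on the node, as root: sh this_script.sh <pod-pid>
if [ -n "${1:-}" ]; then compare_pod_rules "$1"; fi
```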