---
# Test fixtures: pods and services that run the iptables-tester image, with
# and without the conduit-init init container. The pod names indicate which
# redirect behaviour each fixture is meant to cover.
#
# Fixture 1: baseline pod with no init container. Neither container sets a
# securityContext, so both run as whatever user the image defines.
apiVersion: v1
kind: Pod
metadata:
  name: pod-with-no-rules
  labels:
    app: pod-with-no-rules
spec:
  containers:
    - name: webserver
      image: buoyantio/iptables-tester:v1
      env:
        - name: PORT
          value: "8080"
      # The test service is started with `go run` when the container starts.
      command: ["go", "run", "/go/test_service/test_service.go"]
      ports:
        - name: http
          containerPort: 8080
    - name: other-container
      image: buoyantio/iptables-tester:v1
      env:
        - name: PORT
          value: "9090"
      command: ["go", "run", "/go/test_service/test_service.go"]
      ports:
        - name: http
          containerPort: 9090
---
# Exposes port 8080 of pod-with-no-rules. Port 9090 is not exposed here.
apiVersion: v1
kind: Service
metadata:
  name: svc-pod-with-no-rules
spec:
  selector:
    app: pod-with-no-rules
  ports:
    - name: http
      port: 8080
---
# Fixture 2: conduit-init runs with only the proxy ports and proxy UID given,
# which (per the pod name) is expected to redirect every port to the stub.
apiVersion: v1
kind: Pod
metadata:
  name: pod-redirects-all-ports
  labels:
    app: pod-redirects-all-ports
spec:
  containers:
    - name: other-container
      image: buoyantio/iptables-tester:v1
      env:
        - name: PORT
          value: "9090"
      command: ["go", "run", "/go/test_service/test_service.go"]
      ports:
        - name: http
          containerPort: 9090
    - name: proxy-stub
      image: buoyantio/iptables-tester:v1
      env:
        - name: PORT
          value: "8080"
        # Quoted so the value stays the string "yes", not a YAML boolean.
        - name: AM_I_THE_PROXY
          value: "yes"
      command: ["go", "run", "/go/test_service/test_service.go"]
      securityContext:
        privileged: false
        # Same UID that conduit-init receives through "-u" below.
        runAsUser: 2102
      ports:
        - name: http
          containerPort: 8080
  initContainers:
    - name: conduit-init
      # NOTE(review): ":latest" is a mutable tag and imagePullPolicy Never
      # means the kubelet never pulls it, so what runs here is whatever
      # image was pre-loaded on the node under this name.
      image: gcr.io/runconduit/proxy-init:latest
      imagePullPolicy: Never
      args:
        # -p / -o: presumably the inbound and outbound proxy ports.
        - "-p"
        - "8080"
        - "-o"
        - "8080"
        # -u: presumably the proxy UID; matches proxy-stub's runAsUser.
        - "-u"
        - "2102"
      securityContext:
        # NET_ADMIN is the only capability added and it is added to the
        # init container only; presumably needed to write iptables rules.
        capabilities:
          add:
            - NET_ADMIN
        privileged: false
---
# Exposes port 8080 of pod-redirects-all-ports.
apiVersion: v1
kind: Service
metadata:
  name: svc-pod-redirects-all-ports
spec:
  selector:
    app: pod-redirects-all-ports
  ports:
    - name: http
      port: 8080
---
# Fixture 3: conduit-init is additionally given "-r 9090" and "-r 9099",
# which (per the pod name) should limit redirection to those ports.
apiVersion: v1
kind: Pod
metadata:
  name: pod-redirects-whitelisted
  labels:
    app: pod-redirects-whitelisted
spec:
  containers:
    - name: proxy-stub
      image: buoyantio/iptables-tester:v1
      env:
        - name: PORT
          value: "8080"
        - name: AM_I_THE_PROXY
          value: "yes"
      command: ["go", "run", "/go/test_service/test_service.go"]
      ports:
        - name: http
          containerPort: 8080
      securityContext:
        privileged: false
        # Same UID that conduit-init receives through "-u" below.
        runAsUser: 2102
  initContainers:
    - name: conduit-init
      # NOTE(review): mutable ":latest" tag combined with
      # imagePullPolicy Never; the node-local image decides what runs.
      image: gcr.io/runconduit/proxy-init:latest
      imagePullPolicy: Never
      args:
        - "-p"
        - "8080"
        - "-o"
        - "8080"
        - "-u"
        - "2102"
        # -r: presumably one port to redirect per occurrence.
        - "-r"
        - "9090"
        - "-r"
        - "9099"
      securityContext:
        # Only NET_ADMIN is added; the container is not privileged.
        capabilities:
          add:
            - NET_ADMIN
        privileged: false
---
# Fixture 4: conduit-init is told to ignore inbound port 7070, the port
# that blacklisted-container listens on.
apiVersion: v1
kind: Pod
metadata:
  name: pod-doesnt-redirect-blacklisted
  labels:
    app: pod-doesnt-redirect-blacklisted
spec:
  containers:
    - name: proxy-stub
      image: buoyantio/iptables-tester:v1
      env:
        - name: PORT
          value: "8080"
        - name: AM_I_THE_PROXY
          value: "yes"
      command: ["go", "run", "/go/test_service/test_service.go"]
      ports:
        - name: http
          containerPort: 8080
      securityContext:
        privileged: false
        # Same UID that conduit-init receives through "-u" below.
        runAsUser: 2102
    - name: other-container
      image: buoyantio/iptables-tester:v1
      env:
        - name: PORT
          value: "9090"
      command: ["go", "run", "/go/test_service/test_service.go"]
      ports:
        - name: http
          containerPort: 9090
    - name: blacklisted-container
      image: buoyantio/iptables-tester:v1
      env:
        - name: PORT
          value: "7070"
      command: ["go", "run", "/go/test_service/test_service.go"]
      ports:
        - name: http
          containerPort: 7070
  initContainers:
    - name: conduit-init
      # NOTE(review): mutable ":latest" tag combined with
      # imagePullPolicy Never; the node-local image decides what runs.
      image: gcr.io/runconduit/proxy-init:latest
      imagePullPolicy: Never
      args:
        - "-p"
        - "8080"
        - "-o"
        - "8080"
        - "-u"
        - "2102"
        # Inbound traffic to 7070 is meant to bypass the redirect.
        - "--inbound-ports-to-ignore"
        - "7070"
      securityContext:
        # Only NET_ADMIN is added; the container is not privileged.
        capabilities:
          add:
            - NET_ADMIN
        privileged: false