A CLI to inspect iptables rules added by kube-proxy on a Kubernetes node.
```sh
go install github.com/g-gaston/kube-proxy-explain/cmd/kube-proxy-explain@latest
```

Basic usage to display all service rules:

```sh
kube-proxy-explain
```

Display rules for a specific service:

```sh
kube-proxy-explain namespace/service
```

Disable colored output:

```sh
kube-proxy-explain --no-color
```

- Access to a Kubernetes node with kube-proxy running.
- Root privileges to read iptables rules.
- It only reads from the `nat` table. I find it the most interesting when trying to understand the rules that make a particular service work. However, `filter` and even `mangle` support could be added if there is interest.
- When in "all rules" mode, it only processes rules in the `KUBE-SERVICES` chain. These will include most of the interesting information for services. However, this hides things like `KUBE-POSTROUTING` or `KUBE-NODEPORTS` which could also be interesting to get the full picture.
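
To make the `KUBE-SERVICES`-first view concrete, the sketch below (an added example, not code from this repository) walks a constructed `nat` dump from `KUBE-SERVICES` through the `KUBE-SVC-*` and `KUBE-SEP-*` chains to the DNAT targets of one service. The sample rules, the `rule` type, the `Backends` function and the comment-prefix match are assumptions of this example; `KUBE-POSTROUTING` is present in the sample but is never reached from `KUBE-SERVICES`.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed nat-table excerpt in iptables-save format; names and IPs are made up.
const sampleNAT = `*nat
-A KUBE-SERVICES -d 10.96.0.20/32 -p tcp -m comment --comment "default/web cluster IP" -m tcp --dport 80 -j KUBE-SVC-AAAA
-A KUBE-SVC-AAAA -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-ONE
-A KUBE-SVC-AAAA -j KUBE-SEP-TWO
-A KUBE-SEP-ONE -s 10.244.0.5/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-ONE -p tcp -m tcp -j DNAT --to-destination 10.244.0.5:8080
-A KUBE-SEP-TWO -p tcp -m tcp -j DNAT --to-destination 10.244.1.7:8080
-A KUBE-POSTROUTING -j MASQUERADE --random-fully`

// rule maps each token of a line to the token after it, e.g. "-j" -> target.
type rule map[string]string

// Backends returns the DNAT destinations reachable from the KUBE-SERVICES rules of svc.
func Backends(dump, svc string) (out []string) {
	chains := map[string][]rule{} // chain name -> rules; non-rule lines land under ""
	for _, line := range strings.Split(dump, "\n") {
		f, r := strings.Fields(line), rule{}
		for i := 0; i+1 < len(f); i++ {
			r[f[i]] = f[i+1]
		}
		chains[r["-A"]] = append(chains[r["-A"]], r)
	}
	var todo []string // chains still to visit, seeded from the service's own rules
	for _, r := range chains["KUBE-SERVICES"] {
		// Assumes the rule comment starts with "namespace/service" or "namespace/service:port".
		if strings.HasPrefix(r["--comment"]+":", `"`+svc+":") {
			todo = append(todo, r["-j"])
		}
	}
	for i := 0; i < len(todo); i++ {
		rules := chains[todo[i]]
		delete(chains, todo[i]) // visit each chain once, even if jumped to twice
		for _, r := range rules {
			if r["-j"] == "DNAT" {
				out = append(out, r["--to-destination"])
			}
			todo = append(todo, r["-j"]) // targets without rules in the dump are no-ops
		}
	}
	return out
}

func main() { fmt.Println(Backends(sampleNAT, "default/web")) }
```
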
The repository includes test utilities to help with development:
To create a JSON dump of the current iptables rules (requires root privileges):

```sh
make test-data
```

This command runs the `generate_dump.go` utility, which captures the current iptables rules to `pkg/test/testdata/iptables-tables.json`.

To generate golden files for tests based on the current test data:

```sh
make generate-chains-golden
```

This command runs the `generate_chains_golden.go` utility, which processes the test data to create golden files for parser tests.

```sh
make generate-display-golden
```

This command runs the `generate_display_golden.go` utility, which processes the test data to create golden files for display tests.