feat: include iptables block binary in iptables monitor image #3945
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
There was a problem hiding this comment.
Pull Request Overview
This PR incorporates the azure-block-iptables binary into the azure-iptables-monitor container image to enable deploying it as a sidecar container in the CNS daemonset, avoiding the need for node rotations when enabling/disabling eBPF host routing.
- Adds azure-block-iptables binary build stage to the azure-iptables-monitor Dockerfile
- Updates Makefile to include azure-block-iptables version information and build arguments
- Installs BPF development dependencies and sets up cross-compilation support
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| azure-iptables-monitor/Dockerfile | Adds multi-stage build for azure-block-iptables binary with BPF dependencies and copies it to final image |
| Makefile | Updates version matching and adds build argument for azure-block-iptables version |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
|
/azp run Azure Container Networking PR |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
/azp run Azure Container Networking PR |
|
Azure Pipelines successfully started running 1 pipeline(s). |
santhoshmprabhu
added
go
Co-authored-by: Copilot <[email protected]> Signed-off-by: Santhosh Prabhu <[email protected]>
|
/azp run Azure Container Networking PR |
|
Azure Pipelines successfully started running 1 pipeline(s). |
QxBytes
previously approved these changes
Aug 20, 2025
tamilmani1989
previously approved these changes
Aug 20, 2025
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
santhoshmprabhu
dismissed stale reviews from tamilmani1989 and QxBytes
via
e503318
|
/azp run Azure Container Networking PR |
|
Azure Pipelines successfully started running 1 pipeline(s). |
tamilmani1989
approved these changes
Aug 21, 2025
QxBytes
approved these changes
Aug 21, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Reason for Change:
This PR incorporates the azure-block-iptables binary into the azure-iptables-monitor image. We originally were planning to deploy this binary as a systemd service through AgentBaker. However, @paulgmiller pointed out a limitation of doing so, which meant that we'd be forced to do node rotations when enabling/disabling eBPF host routing.
To avoid node rotations, we are now planning to install the iptables rule blocking from an init container in the CNS daemonset. Once the init container runs, it installs the LSM BPF program to block iptables rule installation, and additionally pins the link to the filesystem. This means that even after the init container finishes, iptables rules can't be installed in the host network namespace, unless explicitly allowed by our blocking logic. This does mean that a component may be able to install iptables rules by coming up sooner than CNS. We address this limitation by generating Kube events when such rules are detected (this is already being done in iptables-monitor).
When eBPF host routing gets disabled, an init/sidecar container in CNS can clean up the pinned BPF programs. The binary includes the functionality to do that in the "detach" mode. To enable future changes to the blocking logic, the binary also has an option to "overwrite" the BPF attachment. When overwrite is selected, any existing BPF program will be removed first, before attaching.
Validation done
Attach/Detach
Overwrite
Issue Fixed:
Requirements:
Notes: