Will the reject rules added by defender in kubernetes nodes IP Table entries after enabling Network monitoring under Radar settings drop all packets?


Created On 12/08/23 02:17 AM - Last Modified 12/08/23 05:33 AM


Question


Why do I see IP Table entries in the nodes after enabling Network monitoring under Radar settings?
Will the reject rules added by Defender in kubernetes nodes IP Table entries after enabling Network monitoring under Radar settings drop all packets?

 
sudo iptables -L -v
--snip
Chain TWISTLOCK-NET-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  any    any     anywhere             10.x.x.x/20       tcp flags:FIN,SYN,RST,ACK/SYN mark match 0x10101010 /* TWISTLOCK-RULE */ reject-with tcp-reset
    0     0 REJECT     tcp  --  any    any     anywhere             10.244.0.0/16        tcp flags:FIN,SYN,RST,ACK/SYN mark match 0x10101010 /* TWISTLOCK-RULE */ reject-with tcp-reset
    0     0 REJECT     tcp  --  any    any     anywhere             test-k8w/24          tcp flags:FIN,SYN,RST,ACK/SYN mark match 0x10101010 /* TWISTLOCK-RULE */ reject-with tcp-reset
    0     0 REJECT     tcp  --  any    any     anywhere             localhost/8          tcp flags:FIN,SYN,RST,ACK/SYN mark match 0x10101010 /* TWISTLOCK-RULE */ reject-with tcp-reset

Chain TWISTLOCK-NET-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  any    any     10.x.x.x/20       anywhere             tcp flags:FIN,SYN,RST,ACK/SYN mark match 0x10101010 /* TWISTLOCK-RULE */ reject-with tcp-reset
    0     0 REJECT     tcp  --  any    any     10.244.0.0/16        anywhere             tcp flags:FIN,SYN,RST,ACK/SYN mark match 0x10101010 /* TWISTLOCK-RULE */ reject-with tcp-reset
    0     0 REJECT     tcp  --  any    any     test-k8w/24          anywhere             tcp flags:FIN,SYN,RST,ACK/SYN mark match 0x10101010 /* TWISTLOCK-RULE */ reject-with tcp-reset
    0     0 REJECT     tcp  --  any    any     localhost/8          anywhere             tcp flags:FIN,SYN,RST,ACK/SYN mark match 0x10101010 /* TWISTLOCK-RULE */ reject-with tcp-reset  
--snip

 


Environment


Prisma Cloud Compute Edition
Kubernetes cluster


Answer


By default, Defender adds iptables rules in chains whose names start with TWISTLOCK when Network Monitoring is turned on under Radar -> Settings.
  • iptables holds a set of rules.
  • Each rule says: for connections to or from this IP range, reject the packet only if it carries the mark 0x10101010.
  • For those destination/source ranges (networks on the host that Defender has detected), new TCP connections (SYN packets) carrying the mark 0x10101010 are rejected with a TCP reset.
  • A packet that has not been marked with 0x10101010 by some external source does not match these rules, and nothing happens to it.
To confirm this, look at the "pkts" and "bytes" columns in the output of "iptables -L -v" for these rules. They will always be 0, which shows that no packet has matched the rules.
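As an added example (not from the KB article or from Prisma Cloud), the shell check below applies the verification described above to saved "iptables -L -v" output: it counts TWISTLOCK-RULE entries whose pkts/bytes counters are non-zero, and also flags any rule in the TWISTLOCK-NET-* chains that lacks the 0x10101010 mark match, since such a rule could affect unmarked traffic. The iptables output embedded in the script is constructed sample data so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the KB article. Audits TWISTLOCK-NET-* chains in
# `iptables -L -v` output. Real-world use: sudo iptables -L -v -n | count_matched_twistlock_rules

# Constructed sample: the counters are 0, as the article says they should be.
SAMPLE_IPTABLES='Chain TWISTLOCK-NET-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            10.244.0.0/16        tcp flags:0x17/0x02 mark match 0x10101010 /* TWISTLOCK-RULE */ reject-with tcp-reset
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            127.0.0.0/8          tcp flags:0x17/0x02 mark match 0x10101010 /* TWISTLOCK-RULE */ reject-with tcp-reset

Chain TWISTLOCK-NET-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       10.244.0.0/16        0.0.0.0/0            tcp flags:0x17/0x02 mark match 0x10101010 /* TWISTLOCK-RULE */ reject-with tcp-reset'

# Constructed sample in which one rule has matched traffic (3 packets, 180 bytes).
SAMPLE_WITH_HITS='Chain TWISTLOCK-NET-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   180 REJECT     tcp  --  *      *       0.0.0.0/0            10.244.0.0/16        tcp flags:0x17/0x02 mark match 0x10101010 /* TWISTLOCK-RULE */ reject-with tcp-reset
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            127.0.0.0/8          tcp flags:0x17/0x02 mark match 0x10101010 /* TWISTLOCK-RULE */ reject-with tcp-reset'

# Prints how many TWISTLOCK-RULE entries inside TWISTLOCK-NET-* chains have a
# non-zero pkts or bytes counter. Reads iptables -L -v output from stdin.
# Without -x, iptables abbreviates large counters (e.g. "12K"); any value that
# is not literally "0" counts as a hit.
count_matched_twistlock_rules() {
    awk '
        /^Chain / { in_chain = ($2 ~ /^TWISTLOCK-NET-/) }
        in_chain && /TWISTLOCK-RULE/ {
            if ($1 != "0" || $2 != "0") hits++      # $1 = pkts, $2 = bytes
        }
        END { print hits + 0 }
    '
}

# Prints how many rules in TWISTLOCK-NET-* chains lack the 0x10101010 mark
# match. The article relies on every rule being conditional on that mark, so
# the expected result is 0.
count_unmarked_twistlock_rules() {
    awk '
        /^Chain / { in_chain = ($2 ~ /^TWISTLOCK-NET-/) }
        in_chain && /REJECT/ && !/mark match 0x10101010/ { unmarked++ }
        END { print unmarked + 0 }
    '
}

printf 'matched rules: %s\n'  "$(printf '%s\n' "$SAMPLE_IPTABLES" | count_matched_twistlock_rules)"
printf 'unmarked rules: %s\n' "$(printf '%s\n' "$SAMPLE_IPTABLES" | count_unmarked_twistlock_rules)"
```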
    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008W95CAE&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail