The best solution will be to change the container image to have an updated iptables version, but in case you can't do that, follow the next steps.
- Red Hat OpenShift Container Platform 4.6+
Executing iptables command in an application container fails with the following error.
[root@pod]# iptables -L iptables v1.8.4 (legacy): can't initialize iptables table `filter': Permission denied Perhaps iptables or your kernel needs to be upgraded.
[root@pod]# iptables -L -t nat iptables v1.8.4 (legacy): can't initialize iptables table `nat': Permission denied Perhaps iptables or your kernel needs to be upgraded.
Add the needed capabilities and match the SELinux denied context on audit logs on pod.spec.containers.securityContext.
spec: containers: securityContext: privileged: false capabilities: drop: ["all"] add: ["NET_ADMIN", "NET_RAW", "NET_BIND_SERVICE"] seLinuxOptions: user: "system_u" role: "system_r" type: "container_t" level: "s0:c981,c991"
- Find the worker node from where the pod is running.
- Connect to the worker node.
- Tail audit log.
- Initialize a bash session on the pod.
- Execute iptables command.
- Wait for iptables denial error on audit log.