How to use Fail2ban under Kubernetes?


That's an old question probably resolved by the author, but for other community members I decided to provide an answer with a few clarifications.

I have tried to find a fail2ban solution that can help with this case. Unfortunately, I did not find anything suitable and easy to use at the same time.
It may be reasonable to create a GitHub issue for fail2ban integration with Kubernetes.

Below are some other solutions that may help you:

ModSecurity

Using Kubernetes Ingress to expose HTTP and HTTPS routes from outside the cluster to services within the cluster may be a good starting point for you.

As we can see in the Kubernetes Ingress documentation:

You must have an Ingress controller to satisfy an Ingress. Only creating an Ingress resource has no effect. You may need to deploy an Ingress controller such as ingress-nginx.

In the NGINX Ingress Controller you can use ModSecurity as a third-party addon:

ModSecurity is an OpenSource Web Application firewall. It can be enabled for a particular set of ingress locations. The ModSecurity module must first be enabled by enabling ModSecurity in the ConfigMap. Note this will enable ModSecurity for all paths, and each path must be disabled manually.

You can enable the OWASP Core Rule Set by setting the following annotation at the ingress level (more information can be found in the NGINX ModSecurity configuration documentation):

nginx.ingress.kubernetes.io/enable-owasp-core-rules: "true"

It seems possible to use ModSecurity as a Brute-Force Authentication Protection as described in this article: Defending WordPress Logins from Brute Force Attacks.

Additionally, it is worth mentioning that NGINX Ingress Controller has many annotations that can be used to mitigate DDoS Attacks e.g.:

nginx.ingress.kubernetes.io/limit-whitelist: client IP source ranges to be excluded from rate-limiting. The value is a comma separated list of CIDRs.

nginx.ingress.kubernetes.io/limit-rps: number of requests accepted from a given IP each second. The burst limit is set to this limit multiplied by the burst multiplier, the default multiplier is 5. When clients exceed this limit, limit-req-status-code default: 503 is returned.

nginx.ingress.kubernetes.io/limit-connections: number of concurrent connections allowed from a single IP address. A 503 error is returned when exceeding this limit.

WordPress Plugins

As you are using WordPress, you can use many WordPress Plugins. For example, the Web Application Firewall plugin offers a Real Time IP Blocking feature.

Web Application Firewall (WAF)

Whether you use an on-prem or cloud environment, you can use a specialized firewall (WAF) and DDoS mitigation service such as Google Cloud Armor (see Cloud Armor for on-prem and cloud workloads).
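As an added example (not part of the answer above), here is how those pieces fit together: a ConfigMap entry that enables the ModSecurity module in ingress-nginx, and an Ingress that applies the OWASP Core Rule Set and the rate-limit annotations only to the WordPress login path. The namespace, hostname, Service name and whitelisted CIDRs are assumptions.

```yaml
# Added example, not from the original answer. Assumes ingress-nginx is
# installed in namespace "ingress-nginx", a Service "wordpress" on port 80,
# and the hostname blog.example.com (all constructed values).
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  # Loads the ModSecurity module for all paths; the answer above notes that
  # paths where it is not wanted must then be disabled individually.
  enable-modsecurity: "true"
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wordpress-login
  namespace: default
  annotations:
    # ModSecurity with the OWASP Core Rule Set on this Ingress's location(s)
    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
    nginx.ingress.kubernetes.io/enable-owasp-core-rules: "true"
    # 2 requests/second per client IP; burst = 2 x default multiplier 5 = 10,
    # beyond which the controller answers with the default 503
    nginx.ingress.kubernetes.io/limit-rps: "2"
    # At most 5 concurrent connections from one client IP, 503 when exceeded
    nginx.ingress.kubernetes.io/limit-connections: "5"
    # Source ranges exempt from both limits (constructed CIDRs)
    nginx.ingress.kubernetes.io/limit-whitelist: "10.0.0.0/8,192.0.2.0/24"
spec:
  ingressClassName: nginx
  rules:
  - host: blog.example.com
    http:
      paths:
      # Only the login endpoint gets these limits; the rest of the site can be
      # served by a separate Ingress without them.
      - path: /wp-login.php
        pathType: Exact
        backend:
          service:
            name: wordpress
            port:
              number: 80
```

Because annotations are scoped per Ingress object, keeping the login path in its own Ingress lets the limits bite on brute-force attempts without throttling normal page views.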


I think you're talking about monitoring requests; k8s cannot monitor traffic. Network policies can be used only for load balancing between nodes. You can monitor traffic using Istio, but it is connected with microservices.

You need to install Istio on your cluster. Then you have to visualize metrics with Grafana and follow the steps in the tutorial below: https://istio.io/docs/tasks/telemetry/metrics/using-istio-dashboard/ At the end, visualizing workload dashboards gives details about metrics for each workload.

Istio has many other advantages; you can also trace requests using Zipkin.

I hope this helps.