kedge (verb) to move (a ship) by means of a line attached to a small anchor dropped at the distance and in the direction desired
Proxy for gRPC, HTTP (1.1/2) microservices with the aim to make cross-cluster
microservice communication simple to set up, and secure. All you need for it to work is: TLS client certificates in your service pods, a single L4 load balanced IP address in each cluster, and a kedge
server behind it.
Kubernetes is great, if you have one cluster. If you want to have twoThis project stems from the frustration of setting up communication between two K8S clusters. This requires a couple of things:
- cross-cluster networking - usually a complex process of setting up and maintaining IPSec bridges
- configuration of routing rules - each cluster needs to know about each other cluster's 3 (!) network ranges: host, pod and internal-service networks
- providing federated service discovery - either through the alpha-grade K8S Federation or CoreDNS stub zones
All these are subject to subtle interplays between routes, iptables
rules, DNS packets and MTU limits of IPSec tunnels, which would make even a seasoned network engineer go gray.
At the same time, none of the existing service meshes or networking overlays provide an easy fix for this.
Kedge is a reverse/forward proxy for gRPC and HTTP traffic.
It uses a concept of backends (see gRPC, HTTP) that map onto K8S Services
. These define load balancing policies, middleware used for calls, and resolution. The backends have "warm" connections ready to receive inbound requests.
The inbound requests are directed to backends based on routes (see gRPC, HTTP). These match onto requests based on host, paths (services), headers (metadata). They also specify authorization requirements for the route to be taken.
Kedge can be accessed then:
Following diagram shows POD to POD communication cross-cluster.
Following diagram shows the routing done by forward proxy called winch (client). In this example kedge OIDC auth is enabled to support corp use cases (per backend access controlled by permissions stored in custom IDToked claim). It can be also switched to just client certificate verification as in the diagram above.
NOTE: Any auth which is required by Service/Pod B needs to configured on winch due to clients blocking sending auth headers via plain HTTP, even over local network (e.g kubectl).
Kedge package is using glide for vendoring.
Please see
- the server for an actual guide.
- the winch (client) for a local forward proxy targeting kedge.
The project is still in testing (alpha) state. APIs can change. For status, see CHANGELOG
The following features and items are planned:
Kedge Service:
- - example Kubernetes YAML files (deployment, config maps)
- - TLS configuration (CA chains, etc.) for gRPC and HTTP backends
- - "adhoc routes" - support for HTTP Forward Proxying to an arbitrary (but filtered) SRV destination without a backend - calling pods
- - support for K8S auto-discovery of service backends based off metadata
- - support for TLS client certificate authentication on routes (metadata matches)
- - similar to above but for Open ID Connect: Support for different OIDC permission per route (group match)
- - support for load balanced CONNECT method proxying for TLS passthrough to backends - if needed
Winch (kedge client):
- - gRPC forward Proxy.
- - add auto-configuration for browser to use our PAC (WPAD)
- - reading of TLS client certs from ~/.config/kedge
kedge
is released under the Apache 2.0 license. See LICENSE.txt.