Enable tproxy for the Consul service mesh #481
Conversation
|
Is there some document or discussion somewhere about how the transparent proxy is going to work? E.g. which parts of Kubernetes DNS will it understand and support? |
|
Hey @whiskeysierra We're going to release the docs together with the next Helm, consul-k8s and consul beta release (probably this week). |
ishustava
force-pushed
the
enable-tproxy
branch
5 times, most recently
from
65883b7
to
ea74b72
Compare
ishustava
requested review from
a team,
lkysow and
kschoche
and removed request for
a team
* add new -enable-transparent-proxy flag to inject-connect command, which will enable all transparent proxy mode for all applications running on the Consul service mesh. * add a new pod annotation consul.hashicorp.com/transparent-proxy to allow enabling or disabling transparent proxy mode. * endpoints-controller will configure proxy service registrations to enable transparent proxy when the above flag is passed or when tproxy annotation is set. It will also add service's cluster IP to both the service and proxy registrations as a tagged address so that Consul can configure Envoy filter traffic based on that IP. * consul-connect-inject-init container will apply traffic redirection rules via consul connect redirect-traffic command which runs iptables under the hood. To run the command, the init container needs to both be a root user and have NET_ADMIN capability.
ishustava
force-pushed
the
enable-tproxy
branch
from
ea74b72
to
9d345f0
Compare
| export CONSUL_HTTP_ADDR="${HOST_IP}:8500" | ||
| export CONSUL_GRPC_ADDR="${HOST_IP}:8502" | ||
| consul-k8s connect-init -pod-name=${POD_NAME} -pod-namespace=${POD_NAMESPACE} \ | ||
| -consul-service-namespace="default" \ |
There was a problem hiding this comment.
no changes needed here, just a general comment that its kinda reading weird now that we have consul-service-namespace and namespace used across the various connect commands now, I think they all mean the same thing but obv we cannot change them on the consul side.
There was a problem hiding this comment.
Yeah, the problem is that some of these are consul cli flags and some are flags for consul-k8s commands. For consul, there is only one namespace (the consul one), whereas in consul-k8s, it could be either consul or k8s namespace and so we need to disambiguate. Not sure if there is a way around it.
subcommand/inject-connect/command.go
Outdated
| @@ -150,6 +153,8 @@ func (c *Command) init() { | |||
| c.flagSet.StringVar(&c.flagCrossNamespaceACLPolicy, "consul-cross-namespace-acl-policy", "", | |||
| "[Enterprise Only] Name of the ACL policy to attach to all created Consul namespaces to allow service "+ | |||
| "discovery across Consul namespaces. Only necessary if ACLs are enabled.") | |||
| c.flagSet.BoolVar(&c.flagEnableTransparentProxy, "enable-transparent-proxy", false, | |||
There was a problem hiding this comment.
Is the plan to keep this disabled by default in master?
There was a problem hiding this comment.
It'll default to true in the helm chart. I suppose we can default it true here as well for consistency.
| -bootstrap > /consul/connect-inject/envoy-bootstrap.yaml | ||
|
|
||
| {{- if .EnableTransparentProxy }} | ||
|
|
There was a problem hiding this comment.
This was here intentionally to allow an extra newline between this and the previous command. I didn't want the extra newline after envoy bootstrap command when tproxy was disabled. I didn't find a way to do it with go template. I know it's kind of silly, but it really bothered me 😄 😄
I'll add a comment saying that.
| -namespace="{{ .ConsulNamespace }}" \ | ||
| {{- end }} | ||
| -proxy-id="$(cat /consul/connect-inject/proxyid)" \ | ||
| -proxy-uid=0 |
There was a problem hiding this comment.
If someone changes rootUserAndGroupID will this also need to be updated? If so, maybe this should be added as a templated field.
There was a problem hiding this comment.
That one is only used by the init container, where is -proxy-uid is the user id of the Envoy proxy container. Once we don't run envoy as root, this will need to be changed. I think we can add it to the template once we support running envoy as non-root.
Note that to support tproxy and be able to run iptables we need that init container to be root, unfortunately.
| @@ -32,6 +33,7 @@ const ( | |||
| kubernetesSuccessReasonMsg = "Kubernetes health checks passing" | |||
| podPendingReasonMsg = "Pod is pending" | |||
There was a problem hiding this comment.
my ide says this isn't used anymore
There was a problem hiding this comment.
your IDE is 100% correct! great catch!
|
|
||
| proxyService.Proxy.Mode = api.ProxyModeTransparent | ||
| } else { | ||
| r.Log.Info("skipping syncing service cluster IP to Consul", "name", k8sService.Name, "ns", k8sService.Namespace, "ip", k8sService.Spec.ClusterIP) |
There was a problem hiding this comment.
should this be debug level? Wondering if there's tons of services the you don't want this. Although I guess this only applies to headless services?
There was a problem hiding this comment.
Hmm, yeah this applies only to headless services. But maybe still this should be debug because it's not really useful to you since everything will still work just using pod IPs. I'll change it to debug.
There was a problem hiding this comment.
or I won't 😄 It looks like zap logger doesn't have debug log level?
Co-authored-by: Kyle Schochenmaier <kschoche@gmail.com> Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>
ishustava
force-pushed
the
enable-tproxy
branch
from
209249c
to
a523db7
Compare
Enable tproxy for the Consul service mesh. * add new -enable-transparent-proxy flag to inject-connect command, which will enable all transparent proxy mode for all applications running on the Consul service mesh. * add a new pod annotation consul.hashicorp.com/transparent-proxy to allow enabling or disabling transparent proxy mode. * endpoints-controller will configure proxy service registrations to enable transparent proxy when the above flag is passed or when tproxy annotation is set. It will also add service's cluster IP to both the service and proxy registrations as a tagged address so that Consul can configure Envoy filter traffic based on that IP. * consul-connect-inject-init container will apply traffic redirection rules via consul connect redirect-traffic command which runs iptables under the hood. To run the command, the init container needs to both be a root user and have NET_ADMIN capability.
Support custom CA cert for snapshot agent For users running an S3 compatible storage for the snapshot agent with their own CA cert they need a way to include that in the system certs so that the snapshot agent can connect with their URL.
Changes proposed in this PR:
which will enable all transparent proxy mode for all applications running
on the Consul service mesh.
enabling or disabling transparent proxy mode.
transparent proxy when the above flag is passed or when tproxy annotation is set.
It will also add service's cluster IP to both the service and proxy registrations
as a tagged address so that Consul can configure Envoy filter traffic based on that IP.
via consul connect redirect-traffic command which runs iptables under the hood.
To run the command, the init container needs to both be a root user and have
NET_ADMIN capability.
How I've tested this PR:
Ran acceptance tests in hashicorp/consul-helm#905. Note that we can't yet run enterprise acceptance tests as we're still waiting for some fixes to make it to the enterprise image
How I expect reviewers to test this PR:
ishustava/consul-k8s-dev:04-13-2021-65883b7and consul image:ishustava/consul-dev:tproxy-testChecklist: