-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
some automatic Nomad and/or to Consul basic "Intentions" idea #18286
Comments
Hi @blinkinglight 👋 Thanks for the report! I think #9993 does cover the same idea you're suggestion right? So I'm going to close this one as duplicate, but feel free to add any additional comments and suggestions there 🙂 |
partly - yes. but not everyone uses / wants / needs to use consul and consul connect ;) |
Oh sorry, I misunderstood your initial comment 😄 Currently Nomad only provides service discovery functionality, which does control any of the networking configuration necessary to allow/deny traffic. This would require some kind of Nomad service mesh functionality, which we do not planned. But I will keep this open just in case. Thanks for the suggestion and apologies for the confusion 😅 |
"This would require some kind of Nomad service mesh functionality, which we do not planned." |
Not quite, it only creates some basic iptable rules to allow external traffic to allocations running in It doesn't really know where traffic is going to/from. |
thats why i suggesting new block ;) so it could know |
Hum...so that block you indicate to the client to create iptable rules to allow/deny traffic from the IP:port of one allocation to another? It sounds doable, but I'm worry about how this would scale. Managing iptable rules is quite tricky and slow 😅 |
erm. atleast ip to/from ip and if its not defined - nomad should do things same as now
yeah, i know that iptables are slow ;) but "how to scale" ? simple. upgrade to consul connect, other cni network etc. |
btw - weave-npc ( sadly in k8s ) uses ipset and iptables. so maybe it could be useful |
I think that would be too coarse since multiple services can be running on the same machine, so blocking an entire IP because one service is not allowed to talk to another specific service may prevent other traffic that is allowed.
I'm not sure how |
how about weave or other CNI network ? each service could have its own IP reachable between servers ( or maybe docker network on vlan )
|
Once you get to specific CNI plugins then traffic policies are outside of the scope of Nomad. For example, Cilium+Netreap has Cilium Policies and, as you mentioned, Consul Service Mesh has intentions. It would not be feasible for Nomad to adjust and configure network policies for specific CNI plugins. |
do nomad have event when it gets IP from driver of service (with metadata, name space etc.) ? that would be more than enough to write plugin I think |
somehow i missed "serviceregistered" events. found them ;) |
hey,
and found 2 problems to work in that way: but concept kind of works.
so curious, if it can happen in nomad as core feature? ;) p.s. - it plays very nice with DNS+nomad service discovery ( service.namespace.service.nomad ) |
Wouldn't Weave be responsible for these? I'm not too familiar with CNI/custom network world, so apologies for any silly questions 😅 |
https://github.com/weaveworks/weave/blob/8c8476381d48820891356497bfcee6337e99a401/proxy/create_container_interceptor.go#L51 so, if you specify network_mode = "weave" - it gets IP from predefined IP range from network interface / ipam and ignores WEAVE_CIDR if you specify network_mode = bridge - and WEAVE_CIDR then nomad gets in its registry not weave IP so...
the problem i found that if you create CNI weave network with lets say 10.0.0.0/8 and you use network_mode weave, you cant specify smaller peace of it so it will allocate ip from /8. so my idea is but i am also not sure how it looks in system design when Docker Driver calls custom IPAM server with /8 and asks smaller peace for scope lets say /24 and then calls network_mode ="dockernetwork" + --ip [allocatedip] . if needed - allocates aditional IP's from scopes in "link to" in that way it will work with weave, custom user defined network on -o parent=vlan123 etc. thats really challenging task, because we need to manage |
My primary idea looks like this:
scope - app in same scope could talk to each other
ingress/egress - could be controlled in scope or without scope
loadbalanceme - iamloadbalancer could reach this node ( lets 1 balancer talk to 3 apps isolated from each other but not load balancer)
this block could be transfered to Consul intentions
problem - iptables / ipset rules ( open services )
The text was updated successfully, but these errors were encountered: