Transparent proxy injection #1
Conversation
* Add script which generates iptables rules to forward traffic to a daemonset linkerd * Add Dockerfile to build this initContainer * Add go script to inject this initContainer into the user's config
README.md
Outdated
| ``` | ||
|
|
||
| It is based on Istio's method of | ||
| [injecting sidecars](https://github.com/istio/pilot/blob/master/doc/proxy-injection.md), |
There was a problem hiding this comment.
Super minor, but since this code is in flux right now, maybe consider pinning this to a specific release tag, rather than master. How about https://github.com/istio/pilot/blob/stable-a632657/doc/proxy-injection.md?
There was a problem hiding this comment.
ooh, yeah that's a good idea! thanks!
README.md
Outdated
| more directly, but this seems to be in transit right now. This `prepare_proxy.sh` | ||
| sets up iptables rules for transparently proxying requests to a Daemonset linkerd | ||
| (rather than a sidecar proxy, which Istio | ||
| [currently uses](https://github.com/istio/pilot/blob/master/docker/prepare_proxy.sh)). |
There was a problem hiding this comment.
Same comment goes for here (and the rest of the github.com/istio/pilot links in this diff): https://github.com/istio/pilot/blob/stable-a632657/docker/prepare_proxy.sh
example/helloworld.yaml
Outdated
| @@ -0,0 +1,88 @@ | |||
| --- | |||
There was a problem hiding this comment.
maybe name this hello-world.yml to match the linkerd-examples examples
| }, | ||
| }, | ||
| }, | ||
| }, |
There was a problem hiding this comment.
Could you add this env section to the comment at the top of the file?
I'm a little concerned that this means this doesn't work in minikube? It's not a blocker for this initial PR, but I definitely am interested in finding a way to support minikube.
There was a problem hiding this comment.
Yeahhhh agreed. Since minikube has one node, maybe we could use the l5d service VIP in the iptables rules rather than the host ip (which we can't get in minikube)?
So I can get this to run in minikube by doing the following, though it's a bit much to ask a user to do this:
Modify prepare_proxy.sh to use DNAT to l5d service VIP:
iptables -t nat -A OUTPUT -p tcp -j DNAT --to ${L5D_SERVICE_HOST}:${LINKERD_PORT} -m comment --comment "istio/dnat-to-daemonset-l5d"
Build a linkerd/istio-init docker image locally and use that.
Use inject.go or manually insert the initContainer section in your pod spec. Make sure to remove imagePullPolicy: Always from this section though.
Deploy your modified yaml. Then:
L5D_PORT=$(kubectl get svc l5d -o jsonpath="{.spec.ports[0].nodePort}")
curl -v $(minikube ip):$L5D_PORT -H "Host: hello"
I was just talking to @adleong about this and maybe we can add a flag to inject.go so that people can run in minikube without having to build their own image for this.
There was a problem hiding this comment.
Okay added a -runInMinikube in 2a128ea
docker/Dockerfile
Outdated
| # Build linkerd inject image | ||
| # | ||
| # docker build -t buoyantio/istio-init:v1 . | ||
| # docker push buoyantio/istio-init:v1 |
There was a problem hiding this comment.
How about putting this at linkerd/istio-init instead?
Add env section to comment in inject.go rename helloworld.yaml to hello-world.yml use a linkerd/istio-init image name
docker/prepare_proxy.sh
Outdated
|
|
||
| if [ "$RUN_IN_MINIKUBE" = true ]; then | ||
| # Forward traffic to the linkerd service VIP on the single minikube node | ||
| iptables -t nat -A OUTPUT -p tcp -j DNAT --to ${L5D_SERVICE_HOST}:${LINKERD_PORT} -m comment --comment "istio/dnat-to-minikube-l5d" |
There was a problem hiding this comment.
I'm a little confused, where is L5D_SERVICE_HOST set?
There was a problem hiding this comment.
Kubernetes creates these env variables (https://kubernetes.io/docs/concepts/containers/container-environment-variables/)
This does assume we've named the linkerd service "l5d" - so I should probably explicitly pass in the service name
|
|
|
or maybe |
Transparently proxy all outgoing requests to a daemonset linkerd via iptables rules (supplied by an init container).
This only looks big because of /vendor. Relevant code is in ce4887e.
This is based on istioctl's proxy injection (they run a sidecar proxy and do transparent proxying via iptables rules).
All this is based heavily on istio's existing code and ideally this would go with that code somewhere, but I think it is being moved around right now. Would be nice to delete our inject.go in favour of something in that repo after it has settled.
Testing:
Ran inject.go against yamls in https://github.com/istio/pilot/tree/master/platform/kube/testdata.
Used our hello world example, ran it in minikube and in a 3 node GKE cluster.
Notes:
Fixes linkerd#1415