Feature request: CNI initcontainer full proxy #9625
The CNI plugin creates iptables rules to route all the egress traffic through …
Hello, I believe with the CNI plugin running as a daemonset with …
I think yes, it works for the …
@tamilhce you're welcome to try this approach, but I'm skeptical that it will work as you hope. My expectation is that the pod won't actually start until the CNI is initialized. If you do try to defer this configuration until after init containers run, I'm not sure how you can guarantee that this initialization happens before the application pod starts. I guess you'd need to add some init container that blocks until the iptables rules are configured? There are a lot of moving pieces here. I think this warrants some experimentation, but we'd need a more detailed understanding of how this would work before we can say what we'll actually merge.
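The "init container that blocks until the iptables are configured" idea could be sketched roughly as below. This is a hypothetical illustration only, not something Linkerd provides: the image, the polling loop, and the assumption that `linkerd-cni` creates a `PROXY_INIT_OUTPUT` chain in the `nat` table are all best-effort guesses for the sake of the sketch.

```yaml
# Hypothetical sketch: an init container that polls until the CNI
# plugin's iptables rules exist before letting later containers run.
# Image, chain name, and required privileges are assumptions.
initContainers:
  - name: wait-for-cni
    image: alpine:3.18          # assumed image; iptables installed below
    command:
      - sh
      - -c
      - |
        apk add --no-cache iptables
        # PROXY_INIT_OUTPUT is the chain linkerd's init logic creates
        # in the nat table; adjust if your setup differs.
        until iptables -t nat -S PROXY_INIT_OUTPUT >/dev/null 2>&1; do
          echo "waiting for linkerd-cni iptables rules..."
          sleep 1
        done
    securityContext:
      capabilities:
        add: ["NET_ADMIN"]      # needed to read the nat table
```

Note this only helps if the CNI plugin configures iptables asynchronously; as the comments above point out, pod sandbox creation normally blocks on the CNI anyway.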
Any update on this by any chance?
@mamjong I'd be curious whether @tamilhce has managed to give their PoC a try. I'm also skeptical that it would work, but if it does, I think we're all for having it in. My skepticism comes from the fact that CNI plugins, in general, are used to create the sandbox and network namespace for a pod. As mentioned above, I'm not sure there's a way to halt the CNI plugin execution while containers run. Containers need to have their network initialized before being started. Plugins are also generally chained and executed in order; I'm not sure we have any guarantees that this behaviour wouldn't affect any plugins that run after our own CNI plugin. There's a lot to unpack here.
I apologize for the delay in responding. I was wrong in my assumption. I did not find a way to halt the CNI plugin, as @mamjong mentioned.
Hello, in my original configuration before we enabled CNI, the grafana … Since I'm not clear from the responses so far on why the … So in other words, I don't understand why a new boolean pod annotation couldn't be created to inject the same …
Ah, ok. I realize I misinterpreted the init containers working before as being due to the proxy init container. It seems the init containers were simply running before the proxy init applied the iptables rules, which allowed them to work, but their traffic wasn't visible in Linkerd. Thanks for clarifying that :)
From https://kubernetes.io/docs/concepts/workloads/pods/init-containers/:
So, it's unfortunately not possible for an init container to start a proxy that is usable by other init containers. |
As a workaround, instead of …
Hi @wc-s. Unfortunately, this is not possible.
@adleong got it, thanks. Yeah, I kinda suspected that'd be the case. Then it does seem like we must either skip-outbound-ports, or use the linkerd init container (and somehow make sure that it is the last init container to be run).
Kubernetes doesn't guarantee startup order, so skip-outbound-ports is the only option. |
k8s runs init containers sequentially, in the order in which they are defined in the manifest. So I think the linkerd proxy injector could try to insert the linkerd init container as the last init container? For comparison, HashiCorp's Vault agent injector has an annotation, "vault.hashicorp.com/agent-init-first", that makes it try to inject the Vault init container as the first init container. (https://www.vaultproject.io/docs/platform/k8s/injector/annotations)
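The ordering being proposed could look like the sketch below: because init containers run sequentially, placing the iptables setup last would let the app's own init work run with unredirected networking. This is an illustrative pod spec, not injector output; the container names and image tags are placeholders.

```yaml
# Illustrative ordering sketch (names and tags are placeholders):
# Kubernetes runs initContainers top to bottom, each to completion,
# so init containers listed before linkerd-init would run before
# any iptables redirection is in place.
spec:
  initContainers:
    - name: app-migrations          # the app's own init work, runs first
      image: my-app:latest
      command: ["./migrate"]
    - name: linkerd-init            # if injected last, sets up iptables
      image: cr.l5d.io/linkerd/proxy-init:placeholder-tag
  containers:
    - name: my-app
      image: my-app:latest
```

As the next comment notes, this only changes when the rules are applied; it doesn't give init containers a working proxy, since the proxy itself is a regular container that starts later.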
For what it's worth, Linkerd already inserts … Keep in mind this doesn't guarantee …
Istio has the same problem with CNI and initContainers, and besides the … "Set the uid of the init container to 1337 using runAsUser. 1337 is the uid used by the sidecar proxy. Traffic sent by this uid is not captured by the Istio's iptables rule. Application container traffic will still be captured as usual." Is it possible to do something similar in Linkerd?
@bartwitkowski Yes, it should be possible to use the proxy's UID (2102, I believe?) to accomplish the same outcome.
@olix0r It works like a charm! Just tested it. The Linkerd documentation should be updated, because that is the best workaround for this problem.
Great to hear @bartwitkowski. Where do you think is the best place to document this? Can you file a linkerd/website issue to help us track it, please?
Wow, thanks, I wasn't aware of this before! Just to confirm I understand correctly: I need to add/change … If the initContainer needs to run as root or some other specific UID for some reason, then this wouldn't work for that case, is that correct?
Correct. Also, if you run other non-init containers with this UID, they will not be a part of the mesh.
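The UID workaround discussed above could be sketched like this: run the init container as the proxy's UID (2102) so its traffic bypasses the iptables redirect. The container name, image, and command below are illustrative only; only the `runAsUser` value comes from the thread.

```yaml
# Sketch of the runAsUser workaround (container details are illustrative):
# traffic from the proxy's own UID is not captured by the iptables
# redirect, so this init container can reach the network before the
# proxy starts.
initContainers:
  - name: wait-for-db               # illustrative init container needing network
    image: busybox:1.36
    command: ["sh", "-c", "until nc -z db.example.svc 5432; do sleep 1; done"]
    securityContext:
      runAsUser: 2102               # linkerd proxy UID; bypasses the redirect
```

As the comments note, the trade-offs are that this traffic is invisible to the mesh, and it can't be used by init containers that must run as root or another fixed UID.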
Better late than never: linkerd/website#1512 ;-)
This PR adds a section titled "Allowing initContainer networking" to the "CNI Plugin" feature documentation. Intended to address #1512 and [linkerd2 issue #9625](linkerd/linkerd2#9625). Signed-off-by: Jeremy Chase <jeremy.chase@gmail.com>
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions. |
What problem are you trying to solve?
In #8100 I discussed how to work around an issue with initContainers that need functioning network connectivity during the init phase of the pod's lifecycle in Prometheus. The current workaround is to skip the outbound ports that need to communicate during this phase, so that the proxy is bypassed, since the proxy isn't up until later in the lifecycle. Because the CNI forwards ports to the proxy outside the lifecycle of any individual Kubernetes resource, containers are unable to connect until the proxy is running (unless you skip outbound ports).
Unfortunately, this means we lose that visibility for all of the containers in the pod, and for outbound port 443 that is suboptimal.
This is additionally evidenced by the need for the proxy await flag for various apps; however, I think this feature won't impact that issue in any way.
How should the problem be solved?
What I was thinking is that it would be great if we could have a running proxy in the init phase that can be told to shut down once the work that requires it is completed.
This way, we have a proxy for the init containers that shuts down when they finish, and then the regular containers start up with their own proxy that stays up for the life of the pod.
Any alternatives you've considered?
We're currently skipping the outbound port 443, which defeats the purpose of using linkerd.
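The current workaround being described is the `config.linkerd.io/skip-outbound-ports` annotation, which exempts the listed ports from the iptables redirect entirely, so init-phase traffic on them bypasses the (not-yet-running) proxy:

```yaml
# Current workaround: exempt outbound port 443 from proxying.
# The cost is losing mesh visibility for that port on all of the
# pod's containers, not just the init containers.
metadata:
  annotations:
    config.linkerd.io/skip-outbound-ports: "443"
```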
How would users interact with this feature?
Potentially a new annotation which tells the proxy injector to inject a proxy in the initContainers of the resource.
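A user-facing sketch of the proposal might look like the fragment below. To be clear, this annotation does not exist in Linkerd; the name and value are invented here purely to illustrate how the feature could be surfaced.

```yaml
# Hypothetical only: this annotation is NOT a real Linkerd feature.
# It sketches how a user might opt a pod's init phase into proxying
# if the proposed init-phase proxy were implemented.
metadata:
  annotations:
    config.linkerd.io/proxy-init-phase: "enabled"   # made-up name
```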
Would you like to work on this feature?
No response