Add inject flag for skipping outbound ports #38
Conversation
|
I spoke to @klingerf about this in person and he brought up the very good point that multiple different downstreams may all use the same port number but speak different protocols. For example, you may have a downstream A that listens for gRPC on port 7777 and a downstream B that listens for HTTP/1.1 on port 7777. This change doesn't allow you to differentiate between the two and forces you to skip the outbound proxy for both or neither. An alternative to this would be to allow skipping the outbound proxy based on IP ranges instead of by port. Unfortunately, for service-to-service traffic in scheduled environments like Kubernetes, there is no fixed IP address for a given downstream. Given this, I think I'd like to move forward with this change as-is. This definitely doesn't address the issue where multiple downstreams may use the same port number and can't be individually excluded from the proxy, but this is at least potentially work-around-able by changing your services to use unique ports. A more complete solution will come later when the Conduit proxy is able to transparently proxy arbitrary TCP traffic. |
proxy-init/cmd/root.go
Outdated
| @@ -42,7 +43,8 @@ func init() { | |||
| RootCmd.PersistentFlags().IntVarP(&outgoingProxyPort, "outgoing-proxy-port", "o", -1, "Port to redirect outgoing traffic") | |||
| RootCmd.PersistentFlags().BoolVar(&simulateOnly, "simulate", false, "Don't execute any command, just print what would be executed") | |||
| RootCmd.PersistentFlags().IntSliceVarP(&portsToRedirect, "ports-to-redirect", "r", make([]int, 0), "Port to redirect to proxy, if no port is specified then ALL ports are redirected") | |||
| RootCmd.PersistentFlags().IntSliceVarP(&portsToIgnore, "ports-to-ignore", "i", make([]int, 0), "Port to ignore and not redirect to proxy. This has higher precedence than any other parameters.") | |||
| RootCmd.PersistentFlags().IntSliceVar(&inboundPortsToIgnore, "inbound-ports-to-ignore", make([]int, 0), "Inound ports to ignore and not redirect to proxy. This has higher precedence than any other parameters.") | |||
|
I have added an integration test for this, but the test is not yet passing and I haven't figured out why. |
|
I've tested this branch like this: It fails with all sorts of crazy errors. Looking at the init-container log, I see that the iptables setup logic has failed but the container didn't abort: I confirmed this locally: So if the To get this moving for the release, I've changed the So, unless we have any other requirements for this change, I'd 👍 it for now and merge. |
pcalcado
force-pushed
the
alex/skip-outbound-ports
branch
from
97c2652
to
971c872
Compare
pcalcado
force-pushed
the
alex/skip-outbound-ports
branch
from
971c872
to
b9ab65a
Compare
This branch should not make any functional changes.
This branch makes two minor refactorings to the `client` module in
`control::destination::background`:
1. Remove the `AddOrigin` middleware and replace it with the
`tower-add-origin` crate from `tower-http`. These middlewares are
functionally identical, but the Tower version has tests.
2. Change `ClientService` from a type alias to a tuple struct. This
means that some of the middleware that are used only in this module
(`LogErrors` and `Backoff`) are no longer part of a publicly visible
type and can be made private to the module.
Signed-off-by: Eliza Weisman <eliza@buoyant.io>
Add the
--skip-outbound-portsflag toconduit inject. This flag accepts a comma separated list of ports. When the application sends traffic to one of these ports, the sidecar proxy will be bypassed and the traffic will be sent directly to the original destination. This is useful for when an application sends traffic that the Conduit proxy does not support such as HTTP/1.1 or raw TCP.