
Allow to exclude inbound and outbound traffic when using tproxy via annotations #506

Merged
merged 1 commit into from
Apr 29, 2021

Conversation

@ishustava ishustava commented Apr 27, 2021

Changes proposed in this PR:

This PR depends on hashicorp/consul#10134

We allow the exclusion of the following:

  • Exclude inbound ports
  • Exclude outbound ports
  • Exclude outbound CIDRs
  • Exclude UIDs

How I've tested this PR:

I tested it manually. Here are the steps I followed

Install the helm chart on kind:

```shell
helm install iryna --set connectInject.enabled=true  --set server.replicas=1 hashicorp/consul --set global.imageK8S=ishustava/consul-k8s-dev:04-27-2021-b4826d4 --set global.image=ishustava/consul-dev:iptables-exclude --version 0.32.0-beta1
```

I've used the following to test these annotations:

  1. To test inbound port exclusion, exclude static-server's inbound port 8080 on the static-server deployment.
  2. To test outbound port exclusion, exclude port 80 so we can reach google.com from the static-client deployment.
  3. To test outbound IP exclusion, set the consul client's host IP (172.18.0.2 on kind) on the static-client deployment.

First, I deployed without annotations to check that I can't reach any of the above.

static-server.yaml:

```yaml
apiVersion: v1
kind: Service
metadata:
  name: static-server
spec:
  selector:
    app: static-server
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: static-server
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: static-server
spec:
  replicas: 1
  selector:
    matchLabels:
      app: static-server
  template:
    metadata:
      name: static-server
      labels:
        app: static-server
      annotations:
        "consul.hashicorp.com/connect-inject": "true"
    spec:
      containers:
        - name: static-server
          image: docker.mirror.hashicorp.services/hashicorp/http-echo:latest
          args:
            - -text="hello world"
            - -listen=:8080
          ports:
            - containerPort: 8080
              name: http
      serviceAccountName: static-server
      terminationGracePeriodSeconds: 0
```

static-client.yaml:

```yaml
apiVersion: v1
kind: Service
metadata:
  name: static-client
spec:
  selector:
    app: static-client
  ports:
    - port: 80
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: static-client
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: static-client
spec:
  replicas: 1
  selector:
    matchLabels:
      app: static-client
  template:
    metadata:
      name: static-client
      labels:
        app: static-client
      annotations:
        "consul.hashicorp.com/connect-inject": "true"
    spec:
      containers:
        - name: static-client
          image: tutum/curl:latest
          command: [ "/bin/sh", "-c", "--" ]
          args: [ "while true; do sleep 30; done;" ]
      serviceAccountName: static-client
```

Tried to reach the static server over pod IP and port 8080 from another pod:

```
$ kubectl exec ds/iryna-consul -- curl -s 10.244.0.14:8080
command terminated with exit code 56
```

Tried to reach google.com (on port 80) and consul API using the host IP from the static-client pod:

```
$ kubectl exec deploy/static-client -c static-client -- curl -s google.com
command terminated with exit code 56
$ kubectl exec deploy/static-client -c static-client -- curl -s 172.18.0.2:8500/v1/catalog/services
command terminated with exit code 56
```

Redeployed static-server and static-client as follows:

```shell
kubectl patch deployment static-server -p '{"spec":{"template":{"metadata":{"annotations":{"consul.hashicorp.com/transparent-proxy-exclude-inbound-ports": "8080"}}}}}'
kubectl patch deployment static-client -p '{"spec":{"template":{"metadata":{"annotations":{"consul.hashicorp.com/transparent-proxy-exclude-outbound-ports": "80","consul.hashicorp.com/transparent-proxy-exclude-outbound-cidrs":"172.18.0.2"}}}}}'
```

Ran the commands again:

Note the new pod IP of the static-server.

```
$ kubectl exec ds/iryna-consul -- curl -s 10.244.0.18:8080
"hello world"
$ kubectl exec deploy/static-client -c static-client -- curl -s google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>
$ kubectl exec deploy/static-client -c static-client -- curl -s 172.18.0.2:8500/v1/catalog/services
{"consul":[],"static-client":[],"static-client-sidecar-proxy":[],"static-server":[],"static-server-sidecar-proxy":[]}
```

How I expect reviewers to test this PR:

  • Code review
  • If you can, you could run through the same steps as I've outlined above.

Checklist:

  • Tests added
  • CHANGELOG entry added (HashiCorp engineers only, community PRs should not add a changelog entry)
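Every port, CIDR or UID excluded through these annotations is traffic that skips the transparent proxy entirely, so a reviewer will want to see how wide each exclusion is. The following is an added example, not code from this PR or from consul-k8s: a Python check that reads the annotations out of a `kubectl patch deployment -p` payload like the ones above and flags malformed or unusually broad values. It assumes comma-separated values and a `...-exclude-uids` annotation key for the "Exclude UIDs" case (the page does not show that key).

```python
import ipaddress
import json

# The first three keys appear in the PR's kubectl patch commands; the UID key
# is an assumption based on the "Exclude UIDs" bullet (not shown on the page).
PREFIX = "consul.hashicorp.com/transparent-proxy-exclude-"
PORT_KEYS = (PREFIX + "inbound-ports", PREFIX + "outbound-ports")
CIDR_KEY = PREFIX + "outbound-cidrs"
UID_KEY = PREFIX + "uids"


def _split(value):
    # Assumed format: comma-separated list; a single value works too.
    return [v.strip() for v in value.split(",") if v.strip()]


def check_exclusions(annotations, max_cidr_hosts=256):
    """Return findings for exclusion annotations that are malformed or broad."""
    findings = []
    for key in PORT_KEYS:
        for port in _split(annotations.get(key, "")):
            if not port.isdigit() or not 1 <= int(port) <= 65535:
                findings.append(f"{key}: invalid port {port!r}")
    for cidr in _split(annotations.get(CIDR_KEY, "")):
        try:
            net = ipaddress.ip_network(cidr, strict=False)  # bare IP -> /32
        except ValueError:
            findings.append(f"{CIDR_KEY}: invalid CIDR {cidr!r}")
            continue
        if net.num_addresses > max_cidr_hosts:
            findings.append(f"{CIDR_KEY}: {cidr} excludes {net.num_addresses} addresses from the mesh")
    for uid in _split(annotations.get(UID_KEY, "")):
        if not uid.isdigit():
            findings.append(f"{UID_KEY}: invalid uid {uid!r}")
        elif int(uid) == 0:
            findings.append(f"{UID_KEY}: uid 0 means traffic from any root process bypasses the proxy")
    return findings


def check_patch(patch_json):
    """Run check_exclusions over the annotations in a kubectl patch payload."""
    patch = json.loads(patch_json)
    annotations = patch["spec"]["template"]["metadata"].get("annotations", {})
    return check_exclusions(annotations)


# Constructed sample: the static-client patch from the PR plus a deliberately
# over-broad CIDR, to show what the check reports.
SAMPLE_PATCH = json.dumps({"spec": {"template": {"metadata": {"annotations": {
    PREFIX + "outbound-ports": "80",
    CIDR_KEY: "172.18.0.2,0.0.0.0/0"}}}}})

if __name__ == "__main__":
    for finding in check_patch(SAMPLE_PATCH):
        print(finding)
```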

…nnotations

We allow exclusion of the following:
* Exclude inbound ports
* Exclude outbound ports
* Exclude outbound CIDRs
* Exclude UIDs
@ishustava ishustava requested review from a team, lkysow and ndhanushkodi and removed request for a team April 27, 2021 23:31
@ndhanushkodi ndhanushkodi left a comment

Looks great, those steps worked great. Thanks for taking the time to detail those out, they can be turned straight into part of a learn guide!!

@ishustava ishustava merged commit 44bf5be into master Apr 29, 2021
@ishustava ishustava deleted the traffic-redirection-exclusions branch April 29, 2021 16:55
@ishustava ishustava mentioned this pull request Apr 29, 2021
ndhanushkodi pushed a commit to ndhanushkodi/consul-k8s that referenced this pull request Jul 9, 2021
* remove unnecessary server clusterRole/Bindings and add namespace to metadata