feat(transparent-proxy): add more powerful `--exclude-outbound-ports-…

…for-uids` More possibility for wildcarding to make it easy to exclude everything for a uid Fix multiport and invalid list of uids Signed-off-by: Charly Molter <[email protected]>
kumahq · Oct 3, 2023 · 242409b · 242409b
1 parent fb92b77
commit 242409b
Show file tree

Hide file tree

Showing 21 changed files with 436 additions and 233 deletions.
diff --git a/UPGRADE.md b/UPGRADE.md
@@ -13,6 +13,12 @@ does not have any particular instructions.
 The configuration: `Metrics.Mesh.MinResyncTimeout` and `Metrics.Mesh.MaxResyncTimeout` are replaced by `Metrics.Mesh.MinResyncInterval` and `Metrics.Mesh.FullResyncInterval`.
 You can still use the current configs but it will be removed in the future.
 
+### Deprecated argument
+
+Parameters `--exclude-outbound-tcp-ports-for-uids` and `--exclude-outbound-udp-ports-for-uids` are now merged into `--exclude-outbound-ports-for-uids` for `kumactl install transparent-proxy`.
+We've also added the matching Kubernetes annotation: `traffic.kuma.io/exclude-outbound-ports-for-uids`.
+The previous versions will still work but will be removed in the future.
+
 ### **Breaking changes**
 
 #### Removal of service field in Dataplane outbound

diff --git a/app/kumactl/cmd/completion/testdata/bash.golden b/app/kumactl/cmd/completion/testdata/bash.golden
@@ -5362,6 +5362,10 @@ _kumactl_install_transparent-proxy()
     two_word_flags+=("--exclude-outbound-ports")
     local_nonpersistent_flags+=("--exclude-outbound-ports")
     local_nonpersistent_flags+=("--exclude-outbound-ports=")
+    flags+=("--exclude-outbound-ports-for-uids=")
+    two_word_flags+=("--exclude-outbound-ports-for-uids")
+    local_nonpersistent_flags+=("--exclude-outbound-ports-for-uids")
+    local_nonpersistent_flags+=("--exclude-outbound-ports-for-uids=")
     flags+=("--exclude-outbound-tcp-ports-for-uids=")
     two_word_flags+=("--exclude-outbound-tcp-ports-for-uids")
     local_nonpersistent_flags+=("--exclude-outbound-tcp-ports-for-uids")

diff --git a/app/kumactl/cmd/install/install_transparent_proxy.go b/app/kumactl/cmd/install/install_transparent_proxy.go
@@ -4,6 +4,7 @@
 package install
 
 import (
+	"fmt"
 	"net"
 	os_user "os/user"
 	"runtime"
@@ -28,6 +29,7 @@ type transparentProxyArgs struct {
 	ExcludeOutboundPorts           string
 	ExcludeOutboundTCPPortsForUIDs []string
 	ExcludeOutboundUDPPortsForUIDs []string
+	ExcludeOutboundPortsForUIDs    []string
 	UID                            string
 	User                           string
 	RedirectDNS                    bool
@@ -150,10 +152,6 @@ runuser -u kuma-dp -- \
 				args.RedirectDNS = true
 			}
 
-			if args.DNSUpstreamTargetChain != "RETURN" {
-				_, _ = cmd.ErrOrStderr().Write([]byte("# [WARNING] `--redirect-dns-upstream-target-chain` is deprecated, please avoid using it"))
-			}
-
 			if args.EbpfEnabled {
 				if args.EbpfInstanceIP == "" {
 					return errors.Errorf("--ebpf-instance-ip flag has to be specified --ebpf-enabled is provided")
@@ -164,19 +162,34 @@ runuser -u kuma-dp -- \
 				}
 
 				if args.StoreFirewalld {
-					_, _ = cmd.ErrOrStderr().Write([]byte("# [WARNING] --store-firewalld will be ignored when --ebpf-enabled is being used"))
+					_, _ = cmd.ErrOrStderr().Write([]byte("# [WARNING] --store-firewalld will be ignored when --ebpf-enabled is being used\n"))
 				}
 
 				if args.SkipDNSConntrackZoneSplit {
-					_, _ = cmd.ErrOrStderr().Write([]byte("# [WARNING] --skip-dns-conntrack-zone-split will be ignored when --ebpf-enabled is being used"))
+					_, _ = cmd.ErrOrStderr().Write([]byte("# [WARNING] --skip-dns-conntrack-zone-split will be ignored when --ebpf-enabled is being used\n"))
+				}
+			}
+			// Backward compatibility
+			if len(args.ExcludeOutboundPorts) > 0 && (len(args.ExcludeOutboundUDPPortsForUIDs) > 0 || len(args.ExcludeOutboundTCPPortsForUIDs) > 0) {
+				return errors.Errorf("--exclude-outbound-ports-for-uids set you can't use --exclude-outbound-tcp-ports-for-uids and --exclude-outbound-udp-ports-for-uids anymore")
+			}
+			if len(args.ExcludeOutboundTCPPortsForUIDs) > 0 {
+				_, _ = cmd.ErrOrStderr().Write([]byte("# [WARNING] flag --exclude-outbound-tcp-ports-for-uids is deprecated use --exclude-outbound-ports-for-uids instead\n"))
+				for _, v := range args.ExcludeOutboundTCPPortsForUIDs {
+					args.ExcludeOutboundPortsForUIDs = append(args.ExcludeOutboundPortsForUIDs, fmt.Sprintf("tcp:%s", v))
+				}
+			}
+			if len(args.ExcludeOutboundUDPPortsForUIDs) > 0 {
+				_, _ = cmd.ErrOrStderr().Write([]byte("# [WARNING] flag --exclude-outbound-udp-ports-for-uids is deprecated use --exclude-outbound-ports-for-uids instead\n"))
+				for _, v := range args.ExcludeOutboundUDPPortsForUIDs {
+					args.ExcludeOutboundPortsForUIDs = append(args.ExcludeOutboundPortsForUIDs, fmt.Sprintf("udp:%s", v))
 				}
 			}
-
 			if err := configureTransparentProxy(cmd, &args); err != nil {
 				return err
 			}
 
-			_, _ = cmd.OutOrStdout().Write([]byte("# transparent proxy set up successfully\n"))
+			_, _ = cmd.OutOrStdout().Write([]byte("# Transparent proxy set up successfully, you can now run kuma-dp using transparent-proxy.\n"))
 			return nil
 		},
 	}
@@ -190,7 +203,7 @@ runuser -u kuma-dp -- \
 	cmd.Flags().StringVar(&args.ExcludeInboundPorts, "exclude-inbound-ports", args.ExcludeInboundPorts, "a comma separated list of inbound ports to exclude from redirect to Envoy")
 	cmd.Flags().StringVar(&args.ExcludeOutboundPorts, "exclude-outbound-ports", args.ExcludeOutboundPorts, "a comma separated list of outbound ports to exclude from redirect to Envoy")
 	cmd.Flags().StringVar(&args.User, "kuma-dp-user", args.UID, "the user that will run kuma-dp")
-	cmd.Flags().StringVar(&args.UID, "kuma-dp-uid", args.UID, "the UID of the user that will run kuma-dp")
+	cmd.Flags().StringVar(&args.UID, "kuma-dp-uid", args.UID, "the uid of the user that will run kuma-dp")
 	cmd.Flags().BoolVar(&args.RedirectDNS, "redirect-dns", args.RedirectDNS, "redirect only DNS requests targeted to the servers listed in /etc/resolv.conf to a specified port")
 	// Deprecation issue: https://github.com/kumahq/kuma/issues/4759
 	cmd.Flags().BoolVar(&args.RedirectAllDNSTraffic, "redirect-all-dns-traffic", args.RedirectAllDNSTraffic, "redirect all DNS traffic to a specified port, unlike --redirect-dns this will not be limited to the dns servers identified in /etc/resolve.conf")
@@ -213,8 +226,9 @@ runuser -u kuma-dp -- \
 	cmd.Flags().StringVar(&args.EbpfCgroupPath, "ebpf-cgroup-path", args.EbpfCgroupPath, "the path of cgroup2")
 	cmd.Flags().StringVar(&args.EbpfTCAttachIface, "ebpf-tc-attach-iface", args.EbpfTCAttachIface, "name of the interface which TC eBPF programs should be attached to")
 
-	cmd.Flags().StringArrayVar(&args.ExcludeOutboundTCPPortsForUIDs, "exclude-outbound-tcp-ports-for-uids", []string{}, "tcp outbound ports to exclude for specific UIDs in a format of ports:uids where both ports and uids can be a single value, a list, a range or a combination of all, e.g. 3000-5000:103,104,106-108 would mean exclude ports from 3000 to 5000 for UIDs 103, 104, 106, 107, 108")
-	cmd.Flags().StringArrayVar(&args.ExcludeOutboundUDPPortsForUIDs, "exclude-outbound-udp-ports-for-uids", []string{}, "udp outbound ports to exclude for specific UIDs in a format of ports:uids where both ports and uids can be a single value, a list, a range or a combination of all, e.g. 3000-5000:103,104,106-108 would mean exclude ports from 3000 to 5000 for UIDs 103, 104, 106, 107, 108")
+	cmd.Flags().StringArrayVar(&args.ExcludeOutboundTCPPortsForUIDs, "exclude-outbound-tcp-ports-for-uids", []string{}, "[DEPRECATED (use --exclude-outbound-ports-for-uids)] tcp outbound ports to exclude for specific uids in a format of ports:uids where ports can be a single value, a list, a range or a combination of all and uid can be a value or a range e.g. 53,3000-5000:106-108 would mean exclude ports 53 and from 3000 to 5000 for uids 106, 107, 108")
+	cmd.Flags().StringArrayVar(&args.ExcludeOutboundUDPPortsForUIDs, "exclude-outbound-udp-ports-for-uids", []string{}, "[DEPRECATED (use --exclude-outbound-ports-for-uids)] udp outbound ports to exclude for specific uids in a format of ports:uids where ports can be a single value, a list, a range or a combination of all and uid can be a value or a range e.g. 53, 3000-5000:106-108 would mean exclude ports 53 and from 3000 to 5000 for uids 106, 107, 108")
+	cmd.Flags().StringArrayVar(&args.ExcludeOutboundPortsForUIDs, "exclude-outbound-ports-for-uids", []string{}, "outbound ports to exclude for specific uids in a format of protocol:ports:uids where protocol and ports can be omitted or have value tcp or udp and ports can be a single value, a list, a range or a combination of all or * and uid can be a value or a range e.g. 53,3000-5000:106-108 would mean exclude ports 53 and from 3000 to 5000 for both TCP and UDP for uids 106, 107, 108")
 	cmd.Flags().StringArrayVar(&args.VnetNetworks, "vnet", []string{}, "virtual networks in a format of interfaceNameRegex:CIDR split by ':' where interface name doesn't have to be exact name e.g. docker0:172.17.0.0/16, br+:172.18.0.0/16, iface:::1/64")
 	cmd.Flags().UintVar(&args.Wait, "wait", args.Wait, "specify the amount of time, in seconds, that the application should wait for the xtables exclusive lock before exiting. If the lock is not available within the specified time, the application will exit with an error")
 	cmd.Flags().UintVar(&args.WaitInterval, "wait-interval", args.WaitInterval, "flag can be used to specify the amount of time, in microseconds, that iptables should wait between each iteration of the lock acquisition loop. This can be useful if the xtables lock is being held by another application for a long time, and you want to reduce the amount of CPU that iptables uses while waiting for the lock")
@@ -253,36 +267,35 @@ func configureTransparentProxy(cmd *cobra.Command, args *transparentProxyArgs) e
 	}
 
 	cfg := &config.TransparentProxyConfig{
-		DryRun:                         args.DryRun,
-		Verbose:                        args.Verbose,
-		RedirectPortOutBound:           args.RedirectPortOutBound,
-		RedirectInBound:                args.RedirectInbound,
-		RedirectPortInBound:            args.RedirectPortInBound,
-		RedirectPortInBoundV6:          args.RedirectPortInBoundV6,
-		ExcludeInboundPorts:            args.ExcludeInboundPorts,
-		ExcludeOutboundPorts:           args.ExcludeOutboundPorts,
-		ExcludeOutboundTCPPortsForUIDs: args.ExcludeOutboundTCPPortsForUIDs,
-		ExcludeOutboundUDPPortsForUIDs: args.ExcludeOutboundUDPPortsForUIDs,
-		UID:                            uid,
-		GID:                            gid,
-		RedirectDNS:                    args.RedirectDNS,
-		RedirectAllDNSTraffic:          args.RedirectAllDNSTraffic,
-		AgentDNSListenerPort:           args.AgentDNSListenerPort,
-		DNSUpstreamTargetChain:         args.DNSUpstreamTargetChain,
-		SkipDNSConntrackZoneSplit:      args.SkipDNSConntrackZoneSplit,
-		EbpfEnabled:                    args.EbpfEnabled,
-		EbpfInstanceIP:                 args.EbpfInstanceIP,
-		EbpfBPFFSPath:                  args.EbpfBPFFSPath,
-		EbpfCgroupPath:                 args.EbpfCgroupPath,
-		EbpfTCAttachIface:              args.EbpfTCAttachIface,
-		EbpfProgramsSourcePath:         args.EbpfProgramsSourcePath,
-		VnetNetworks:                   args.VnetNetworks,
-		Stdout:                         cmd.OutOrStdout(),
-		Stderr:                         cmd.OutOrStderr(),
-		Wait:                           args.Wait,
-		WaitInterval:                   args.WaitInterval,
-		MaxRetries:                     args.MaxRetries,
-		SleepBetweenRetries:            args.SleepBetweenRetries,
+		DryRun:                    args.DryRun,
+		Verbose:                   args.Verbose,
+		RedirectPortOutBound:      args.RedirectPortOutBound,
+		RedirectInBound:           args.RedirectInbound,
+		RedirectPortInBound:       args.RedirectPortInBound,
+		RedirectPortInBoundV6:     args.RedirectPortInBoundV6,
+		ExcludeInboundPorts:       args.ExcludeInboundPorts,
+		ExcludeOutboundPorts:      args.ExcludeOutboundPorts,
+		ExcludedOutboundsForUIDs:  args.ExcludeOutboundPortsForUIDs,
+		UID:                       uid,
+		GID:                       gid,
+		RedirectDNS:               args.RedirectDNS,
+		RedirectAllDNSTraffic:     args.RedirectAllDNSTraffic,
+		AgentDNSListenerPort:      args.AgentDNSListenerPort,
+		DNSUpstreamTargetChain:    args.DNSUpstreamTargetChain,
+		SkipDNSConntrackZoneSplit: args.SkipDNSConntrackZoneSplit,
+		EbpfEnabled:               args.EbpfEnabled,
+		EbpfInstanceIP:            args.EbpfInstanceIP,
+		EbpfBPFFSPath:             args.EbpfBPFFSPath,
+		EbpfCgroupPath:            args.EbpfCgroupPath,
+		EbpfTCAttachIface:         args.EbpfTCAttachIface,
+		EbpfProgramsSourcePath:    args.EbpfProgramsSourcePath,
+		VnetNetworks:              args.VnetNetworks,
+		Stdout:                    cmd.OutOrStdout(),
+		Stderr:                    cmd.ErrOrStderr(),
+		Wait:                      args.Wait,
+		WaitInterval:              args.WaitInterval,
+		MaxRetries:                args.MaxRetries,
+		SleepBetweenRetries:       args.SleepBetweenRetries,
 	}
 
 	if args.UseTransparentProxyEngineV1 {