Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[iptables] Possibility to exclude port from iptables at control-plane level #7722

Closed
lukidzi opened this issue Sep 8, 2023 · 9 comments
Closed

[iptables] Possibility to exclude port from iptables at control-plane level #7722

lukidzi opened this issue Sep 8, 2023 · 9 comments
Labels
good first issue Good for newcomers kind/feature New feature triage/pending This issue will be looked at on the next triage meeting

Comments

@lukidzi
Copy link
Contributor

lukidzi commented Sep 8, 2023

Description

It would be nice if you could exclude some ports from routing at the global level. Lets say your whole cluster needs to report metrics to service at port 8126 but it cannot go through sidecar. You could globally exclude this for each init container.
@lukidzi lukidzi added triage/pending This issue will be looked at on the next triage meeting kind/feature New feature labels Sep 8, 2023
@lahabana lahabana removed the triage/pending This issue will be looked at on the next triage meeting label Sep 11, 2023
@lahabana
Copy link
Contributor

@lukidzi there's already --exclude-ports that is getting improved with: #7588

Is this something that doesn't work for you?

@lahabana lahabana added the triage/needs-information Reviewed and some extra information was asked to the reporter label Sep 11, 2023
@lukidzi
Copy link
Contributor Author

lukidzi commented Sep 13, 2023

Isn't it just for one sidecar by annotation? I thought about - what if I want to disable one port for all pods in the cluster/zone

@lukidzi lukidzi added triage/pending This issue will be looked at on the next triage meeting and removed triage/needs-information Reviewed and some extra information was asked to the reporter labels Sep 13, 2023
@jakubdyszkiewicz jakubdyszkiewicz added triage/accepted The issue was reviewed and is complete enough to start working on it good first issue Good for newcomers and removed triage/pending This issue will be looked at on the next triage meeting labels Sep 18, 2023
@lukidzi lukidzi removed their assignment Sep 18, 2023
@jijiechen
Copy link
Member

Let me take this one

@jijiechen
Copy link
Member

jijiechen commented Nov 6, 2023
edited
Loading

Isn't it just for one sidecar by annotation? I thought about - what if I want to disable one port for all pods in the cluster/zone

So the initial idea is to enlarge the scope that a port-excluding rule can apply to. Is it better to apply this scope at the Mesh level instead of the global control plane level?

One other question would be, should we also support excluding ports for inbound traffic?

The ports are taken into account by the kuma-init container which is auto injected. So the implementation will introduce a change to the injector:

  1. Add fields into API protocol of 'Mesh.Networking' object:
    1. Outbound.ExcludedPorts repeated uint32
    2. Inbound.ExcludedPorts repeated uint32
  2. Change behaviour of the injector:
    1. Fetch the Mesh object that the Pod/Namespace belongs to
    2. Read Mesh level settings and merge it with pod level settings (by annotations)
    3. Apply the result into init container generating

Any ideas?
@lahabana @lukidzi

@lahabana
Copy link
Contributor

lahabana commented Nov 6, 2023

There's multiple issues in adding fields to the dataplane object:

  • One assumption is that this works on both k8s and universal, we currently don't have a way to configure install tp from the cp.
  • Dataplane object is supposed to be dynamically updated

I feel like either we should use a k8s only primitive or let users do this themselves with a webhook.

One option could be to extend further ContainerPatch ? I know that there was another use case for adding volumes to pods systematically too.

@jijiechen
Copy link
Member

And by the way, it seems we currently do support a global configuration for Kubernetes based intallation:

  • yaml configuration: runtime.kubernetes.injector.sidecarContainer.waitForDataplaneReady
  • environment variable: kuma_runtime_kubernetes_sidecar_traffic_exclude_inbound_ports

See code in injector.go

Does this match the requirement? @lukidzi

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Feb 5, 2024

This issue was inactive for 90 days. It will be reviewed in the next triage meeting and might be closed.
If you think this issue is still relevant, please comment on it or attend the next triage meeting.

@github-actions github-actions bot added the triage/stale Inactive for some time. It will be triaged again label Feb 5, 2024
@jakubdyszkiewicz jakubdyszkiewicz removed the triage/stale Inactive for some time. It will be triaged again label Feb 5, 2024
@lahabana
Copy link
Contributor

@lukidzi can you answer @jijiechen question?

@lahabana lahabana added triage/pending This issue will be looked at on the next triage meeting and removed triage/accepted The issue was reviewed and is complete enough to start working on it labels Feb 27, 2024
@lukidzi
Copy link
Contributor Author

lukidzi commented Mar 5, 2024

@jijiechen You are right it seems to be supported with kuma_runtime_kubernetes_sidecar_traffic_exclude_inbound_ports and kuma_runtime_kubernetes_sidecar_traffic_exclude_outbound_ports

@lukidzi lukidzi closed this as completed Mar 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
good first issue Good for newcomers kind/feature New feature triage/pending This issue will be looked at on the next triage meeting
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@lahabana @jijiechen @jakubdyszkiewicz @lukidzi