From a79379cafca2399609e9552926e25ae266219941 Mon Sep 17 00:00:00 2001 From: Alessandro Olivero Date: Wed, 13 Nov 2024 17:01:56 +0100 Subject: [PATCH 1/8] fix liqo on raspbain os --- deployments/liqo/templates/liqo-proxy-deployment.yaml | 2 +- deployments/liqo/values.yaml | 2 +- pkg/utils/network/netmonitor/netmonitor.go | 4 ++++ 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/deployments/liqo/templates/liqo-proxy-deployment.yaml b/deployments/liqo/templates/liqo-proxy-deployment.yaml index d32a55a9c8..47756f6bf1 100644 --- a/deployments/liqo/templates/liqo-proxy-deployment.yaml +++ b/deployments/liqo/templates/liqo-proxy-deployment.yaml @@ -28,7 +28,7 @@ spec: securityContext: {{- include "liqo.podSecurityContext" . | nindent 8 }} containers: - - image: {{ .Values.proxy.image.name }}{{ include "liqo.suffix" $proxyConfig }}:{{ include "liqo.version" $proxyConfig }} + - image: {{ .Values.proxy.image.name }} imagePullPolicy: {{ .Values.pullPolicy }} name: {{ $proxyConfig.name }} securityContext: diff --git a/deployments/liqo/values.yaml b/deployments/liqo/values.yaml index 7058fc0bb0..c6296c50f5 100644 --- a/deployments/liqo/values.yaml +++ b/deployments/liqo/values.yaml @@ -637,7 +637,7 @@ proxy: priorityClassName: "" image: # -- Image repository for the proxy pod. - name: "ghcr.io/liqotech/proxy" + name: "thegrandpkizzle/envoy:1.26.1" # -- Custom version for the proxy image. If not specified, the global tag is used. version: "" service: diff --git a/pkg/utils/network/netmonitor/netmonitor.go b/pkg/utils/network/netmonitor/netmonitor.go index a9d7d8f1c6..5ed0e6f5c8 100644 --- a/pkg/utils/network/netmonitor/netmonitor.go +++ b/pkg/utils/network/netmonitor/netmonitor.go 
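Review bot: The new default `name: "thegrandpkizzle/envoy:1.26.1"` in deployments/liqo/values.yaml makes every install pull the proxy from an individual Docker Hub account under a mutable tag. The companion hunk in liqo-proxy-deployment.yaml drops the `liqo.suffix`/`liqo.version` part of the image reference, so `proxy.image.version` just below is now ignored and the tag can only be changed by editing `name`. Nothing in the chart verifies what that tag resolves to, so whoever controls that repository controls the code running in the proxy pod. If a non-project image is really needed for this platform, keep the project registry as the default and pin the exception by digest, e.g. `name: "<registry>/<image>@sha256:<digest>"` (placeholder values).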
@@ -131,18 +131,22 @@ func InterfacesMonitoring(ctx context.Context, eventChannel chan event.GenericEv for { select { case updateLink := <-chLink: + klog.Info("Link update received") if options.Link != nil { handleLinkUpdate(&updateLink, options.Link, interfaces, eventChannel) } case updateAddr := <-chAddr: + klog.Info("Addr update received") if options.Addr != nil { handleAddrUpdate(&updateAddr, options.Addr, eventChannel) } case updateRoute := <-chRoute: + klog.Info("Route update received") if options.Route != nil { handleRouteUpdate(&updateRoute, options.Route, eventChannel) } case updateNft := <-chNft: + klog.Info("Nft update received") if updateNft != nil && options.Nftables != nil { handleNftUpdate(updateNft, options.Nftables, eventChannel) } From 4c8c09f6439374f11eec6a53082791548a1a7f7c Mon Sep 17 00:00:00 2001 From: Alessandro Olivero Date: Mon, 18 Nov 2024 12:22:36 +0000 Subject: [PATCH 2/8] golang http proxy --- cmd/proxy/main.go | 21 ++++++++++++++ pkg/proxy/connect.go | 64 +++++++++++++++++++++++++++++++++++++++++ pkg/proxy/types.go | 68 ++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 153 insertions(+) create mode 100644 cmd/proxy/main.go create mode 100644 pkg/proxy/connect.go create mode 100644 pkg/proxy/types.go diff --git a/cmd/proxy/main.go b/cmd/proxy/main.go new file mode 100644 index 0000000000..98079075e4 --- /dev/null +++ b/cmd/proxy/main.go @@ -0,0 +1,21 @@ +package main + +import ( + "flag" + + "github.com/liqotech/liqo/pkg/proxy" + "k8s.io/klog/v2" +) + +func main() { + port := flag.Int("port", 8080, "port to listen on") + allowedHosts := flag.String("allowed-hosts", "", "comma separated list of allowed hosts") + + flag.Parse() + + p := proxy.New(*allowedHosts) + + if err := p.SetupProxy(*port); err != nil { + klog.Error(err) + } +} diff --git a/pkg/proxy/connect.go b/pkg/proxy/connect.go new file mode 100644 index 0000000000..0cbb6aad6b --- /dev/null +++ b/pkg/proxy/connect.go 
@@ -0,0 +1,64 @@
+package proxy
+
+import (
+ "bufio"
+ "net"
+ "net/http"
+ "time"
+ "k8s.io/klog/v2"
+)
+
+func (p *Proxy) handleConnect(c net.Conn) {
+ br := bufio.NewReader(c)
+ req, err := http.ReadRequest(br)
+ if err != nil {
+ klog.Errorf("error reading request: %v", err)
+ return
+ }
+
+ if req.Method != http.MethodConnect {
+ response := &http.Response{
+ StatusCode: http.StatusMethodNotAllowed,
+ ProtoMajor: 1,
+ ProtoMinor: 1,
+ }
+ response.Write(c)
+ c.Close()
+ return
+ }
+
+ if !p.isAllowed(req.URL.Host) {
+ klog.Infof("host %s is not allowed", req.URL.Host)
+
+ response := &http.Response{
+ StatusCode: http.StatusForbidden,
+ ProtoMajor: 1,
+ ProtoMinor: 1,
+ }
+ response.Write(c)
+ return
+ }
+
+ klog.Infof("handling CONNECT to %s", req.URL.Host)
+
+ response := &http.Response{
+ StatusCode: 200,
+ ProtoMajor: 1,
+ ProtoMinor: 1,
+ }
+ response.Write(c)
+
+ destConn, err := net.DialTimeout("tcp", req.URL.Host, 30*time.Second)
+ if err != nil {
+ response := &http.Response{
+ StatusCode: http.StatusRequestTimeout,
+ ProtoMajor: 1,
+ ProtoMinor: 1,
+ }
+ response.Write(c)
+ return
+ }
+
+ go transfer(destConn, c)
+ go transfer(c, destConn)
+}
diff --git a/pkg/proxy/types.go b/pkg/proxy/types.go
new file mode 100644
index 0000000000..5e3326bbba
--- /dev/null
+++ b/pkg/proxy/types.go
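Review bot: handleConnect writes the `200` response before `net.DialTimeout` runs, so when the dial fails the client has already been told the tunnel is up and then receives a second response (`408`) inside what it treats as the tunnel; dial first and answer `200` only on success. The function also leaks the client socket on three paths: the ReadRequest error, the 403 branch and the dial-failure branch all return without `c.Close()`. The request is read with no deadline, so a client that connects and sends nothing holds a goroutine and a descriptor indefinitely. Bytes the client sends right after the request headers may already be buffered in `br` and would be lost, because `transfer` copies from `c`; the client-to-upstream direction should probably read from `br`. The sketch below shows the reordered tail, with `StatusBadGateway` for a failed dial.

```go
func (p *Proxy) handleConnect(c net.Conn) {
	// Bound how long a client may take to send its CONNECT request.
	_ = c.SetReadDeadline(time.Now().Add(30 * time.Second))
	// … unchanged: ReadRequest, method check, allow-list check (each early return also calls c.Close()) …

	// Dial first, so 200 is only sent once the upstream connection exists.
	destConn, err := net.DialTimeout("tcp", req.URL.Host, 30*time.Second)
	if err != nil {
		klog.Errorf("error dialing %q: %v", req.URL.Host, err)
		response := &http.Response{
			StatusCode: http.StatusBadGateway,
			ProtoMajor: 1,
			ProtoMinor: 1,
		}
		response.Write(c)
		c.Close()
		return
	}
	// The tunnel is long-lived: clear the request deadline before relaying.
	_ = c.SetReadDeadline(time.Time{})

	response := &http.Response{
		StatusCode: http.StatusOK,
		ProtoMajor: 1,
		ProtoMinor: 1,
	}
	response.Write(c)
	// … unchanged: the two transfer goroutines …
}
```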
@@ -0,0 +1,68 @@
+package proxy
+
+import (
+ "fmt"
+ "io"
+ "net"
+ "strings"
+
+ "k8s.io/klog/v2"
+)
+
+type Proxy struct {
+ AllowedHosts []string
+}
+
+func New(allowedHosts string) *Proxy {
+ ah := strings.Split(allowedHosts, ",")
+ // remove empty strings
+ for i := 0; i < len(ah); i++ {
+ if ah[i] == "" {
+ ah = append(ah[:i], ah[i+1:]...)
+ i--
+ }
+ }
+
+ return &Proxy{
+ AllowedHosts: ah,
+ }
+}
+
+func transfer(destination io.WriteCloser, source io.ReadCloser) {
+ defer destination.Close()
+ defer source.Close()
+ io.Copy(destination, source)
+}
+
+func (p *Proxy) SetupProxy(port int) error {
+ klog.Infof("proxy listening on port %d", port)
+ listener, err := net.Listen("tcp", fmt.Sprintf(":%d", port))
+ if err != nil {
+ return err
+ }
+ defer listener.Close()
+
+ for {
+ conn, err := listener.Accept()
+ if err != nil {
+ klog.Errorf("error accepting connection: %v", err)
+ continue
+ }
+
+ go p.handleConnect(conn)
+ }
+}
+
+func (p *Proxy) isAllowed(host string) bool {
+ if len(p.AllowedHosts) == 0 {
+ return true
+ }
+
+ for _, allowedHost := range p.AllowedHosts {
+ klog.Infof("allowed host: %s", allowedHost)
+ if host == allowedHost {
+ return true
+ }
+ }
+ return false
+}
From 681aacad5d9e26cd5e00f3b18a343071cea13420 Mon Sep 17 00:00:00 2001
From: Alessandro Olivero
Date: Mon, 18 Nov 2024 14:28:49 +0000
Subject: [PATCH 3/8] fixup! golang http proxy
---
.github/workflows/integration.yml | 3 -
build/proxy/Dockerfile | 1 -
cmd/proxy/main.go | 9 ++-
.../liqo/templates/liqo-proxy-configmap.yaml | 80 -------------------
.../liqo/templates/liqo-proxy-deployment.yaml | 10 +--
pkg/proxy/connect.go | 8 ++
pkg/proxy/types.go | 28 ++++---
7 files changed, 33 insertions(+), 106 deletions(-)
delete mode 100644 build/proxy/Dockerfile
delete mode 100644 deployments/liqo/templates/liqo-proxy-configmap.yaml
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
index bffb9f38e5..78087ead8c 100644
--- a/.github/workflows/integration.yml
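Review bot: isAllowed returns `true` for every destination when `AllowedHosts` is empty, and `New("")` produces exactly that empty slice, so a proxy started without `--allowed-hosts` relays CONNECT to any host:port reachable from the pod. That is the configuration the chart ends up with: the liqo-proxy-deployment.yaml hunk in PATCH 5/8 removes the `--allowed-hosts=...` argument, whereas the Envoy config deleted in PATCH 3/8 could only route to `kubernetes.default:443`. I would make the empty list deny, `if len(p.AllowedHosts) == 0 { return false }`, or default it to the API server address, and keep the flag in the deployment. The comparison is an exact string match on `req.URL.Host`, which for CONNECT presumably carries the port, so entries need the `host:port` form that PATCH 4/8 later uses.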
+++ b/.github/workflows/integration.yml @@ -99,9 +99,6 @@ jobs: id: set-architectures run: | ARCHITECTURES=${{ needs.configure.outputs.architectures }} - if [ "${{ matrix.component }}" == "proxy" ]; then - ARCHITECTURES=$(echo ${ARCHITECTURES} | sed 's/,linux\/arm\/v7//') - fi echo "ARCHITECTURES=${ARCHITECTURES}" >> $GITHUB_ENV - name: Set up QEMU uses: docker/setup-qemu-action@v3.2.0 diff --git a/build/proxy/Dockerfile b/build/proxy/Dockerfile deleted file mode 100644 index 2fcc76de4a..0000000000 --- a/build/proxy/Dockerfile +++ /dev/null @@ -1 +0,0 @@ -FROM envoyproxy/envoy:v1.32.0 diff --git a/cmd/proxy/main.go b/cmd/proxy/main.go index 98079075e4..7aeafeff71 100644 --- a/cmd/proxy/main.go +++ b/cmd/proxy/main.go @@ -1,21 +1,26 @@ package main import ( + "context" "flag" + "os" "github.com/liqotech/liqo/pkg/proxy" "k8s.io/klog/v2" ) func main() { + ctx := context.Background() + port := flag.Int("port", 8080, "port to listen on") allowedHosts := flag.String("allowed-hosts", "", "comma separated list of allowed hosts") flag.Parse() - p := proxy.New(*allowedHosts) + p := proxy.New(*allowedHosts, *port) - if err := p.SetupProxy(*port); err != nil { + if err := p.Start(ctx); err != nil { klog.Error(err) + os.Exit(1) } } diff --git a/deployments/liqo/templates/liqo-proxy-configmap.yaml b/deployments/liqo/templates/liqo-proxy-configmap.yaml deleted file mode 100644 index 2f3632cb8a..0000000000 --- a/deployments/liqo/templates/liqo-proxy-configmap.yaml +++ /dev/null 
@@ -1,80 +0,0 @@ -{{- $proxyConfig := (merge (dict "name" "proxy" "module" "networking") .) -}} - -{{- if .Values.proxy.enabled }} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "liqo.prefixedName" $proxyConfig }} -{{- if .Values.proxy.service.annotations }} - annotations: - {{- toYaml .Values.proxy.service.annotations | nindent 4 }} -{{- end}} - labels: - {{- include "liqo.labels" $proxyConfig | nindent 4 }} -data: - config: | - admin: - address: - socket_address: - protocol: TCP - address: 0.0.0.0 - port_value: 9901 - static_resources: - listeners: - - name: listener_http - address: - socket_address: - protocol: TCP - address: 0.0.0.0 - port_value: {{ .Values.proxy.config.listeningPort }} - access_log: - name: envoy.access_loggers.file - typed_config: - "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog - path: /dev/stdout - filter_chains: - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: ingress_http - route_config: - name: local_route - virtual_hosts: - - name: local_service - domains: - - "*" - routes: - - match: - connect_matcher: - {} - route: - cluster: api_server - upgrade_configs: - - upgrade_type: CONNECT - connect_config: - {} - http_filters: - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - clusters: - - name: api_server - connect_timeout: 1.25s - type: STRICT_DNS - respect_dns_ttl: true - dns_lookup_family: V4_ONLY - dns_refresh_rate: 300s - lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: api_server - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: kubernetes.default - port_value: 443 - -{{- end }} 
diff --git a/deployments/liqo/templates/liqo-proxy-deployment.yaml b/deployments/liqo/templates/liqo-proxy-deployment.yaml index 47756f6bf1..1ff57d91e2 100644 --- a/deployments/liqo/templates/liqo-proxy-deployment.yaml +++ b/deployments/liqo/templates/liqo-proxy-deployment.yaml @@ -36,12 +36,10 @@ spec: ports: - containerPort: {{ .Values.proxy.config.listeningPort }} resources: {{- toYaml .Values.proxy.pod.resources | nindent 12 }} - volumeMounts: - - mountPath: /etc/envoy/envoy.yaml - name: config-volume - subPath: config {{- if or .Values.common.extraArgs .Values.proxy.pod.extraArgs }} args: + - --port={{ .Values.proxy.config.listeningPort }} + - --allowed-hosts=kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster.local {{- if .Values.common.extraArgs }} {{- toYaml .Values.common.extraArgs | nindent 10 }} {{- end }} @@ -49,10 +47,6 @@ spec: {{- toYaml .Values.proxy.pod.extraArgs | nindent 10 }} {{- end }} {{- end }} - volumes: - - name: config-volume - configMap: - name: {{ include "liqo.prefixedName" $proxyConfig }} {{- if ((.Values.common).nodeSelector) }} nodeSelector: {{- toYaml .Values.common.nodeSelector | nindent 8 }} diff --git a/pkg/proxy/connect.go b/pkg/proxy/connect.go index 0cbb6aad6b..80af580a61 100644 --- a/pkg/proxy/connect.go +++ b/pkg/proxy/connect.go @@ -2,9 +2,11 @@ package proxy import ( "bufio" + "io" "net" "net/http" "time" + "k8s.io/klog/v2" ) @@ -62,3 +64,9 @@ func (p *Proxy) handleConnect(c net.Conn) { go transfer(destConn, c) go transfer(c, destConn) } + +func transfer(destination io.WriteCloser, source io.ReadCloser) { + defer destination.Close() + defer source.Close() + io.Copy(destination, source) +} diff --git a/pkg/proxy/types.go b/pkg/proxy/types.go index 5e3326bbba..038b1dde5c 100644 --- a/pkg/proxy/types.go +++ b/pkg/proxy/types.go 
@@ -1,19 +1,23 @@ package proxy import ( + "context" "fmt" - "io" "net" "strings" "k8s.io/klog/v2" + "sigs.k8s.io/controller-runtime/pkg/manager" ) +var _ manager.Runnable = &Proxy{} + type Proxy struct { AllowedHosts []string + Port int } -func New(allowedHosts string) *Proxy { +func New(allowedHosts string, port int) *Proxy { ah := strings.Split(allowedHosts, ",") // remove empty strings for i := 0; i < len(ah); i++ { @@ -25,24 +29,25 @@ func New(allowedHosts string) *Proxy { return &Proxy{ AllowedHosts: ah, + Port: port, } } -func transfer(destination io.WriteCloser, source io.ReadCloser) { - defer destination.Close() - defer source.Close() - io.Copy(destination, source) -} - -func (p *Proxy) SetupProxy(port int) error { - klog.Infof("proxy listening on port %d", port) - listener, err := net.Listen("tcp", fmt.Sprintf(":%d", port)) +func (p *Proxy) Start(ctx context.Context) error { + klog.Infof("proxy listening on port %d", p.Port) + listener, err := net.Listen("tcp", fmt.Sprintf(":%d", p.Port)) if err != nil { return err } defer listener.Close() for { + select { + case <-ctx.Done(): + return nil + default: + } + conn, err := listener.Accept() if err != nil { klog.Errorf("error accepting connection: %v", err) @@ -59,7 +64,6 @@ func (p *Proxy) isAllowed(host string) bool { } for _, allowedHost := range p.AllowedHosts { - klog.Infof("allowed host: %s", allowedHost) if host == allowedHost { return true } From 7465c0187d81570c2fef5f304f027fa5467311f5 Mon Sep 17 00:00:00 2001 From: Alessandro Olivero Date: Tue, 19 Nov 2024 12:11:21 +0100 Subject: [PATCH 4/8] fixup! fixup! golang http proxy --- deployments/liqo/templates/liqo-proxy-deployment.yaml | 6 +++--- deployments/liqo/values.yaml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/deployments/liqo/templates/liqo-proxy-deployment.yaml b/deployments/liqo/templates/liqo-proxy-deployment.yaml index 1ff57d91e2..1a94f46fa5 100644 --- a/deployments/liqo/templates/liqo-proxy-deployment.yaml 
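Review bot: The `select` on `ctx.Done()` in Start only runs between connections, because `listener.Accept()` blocks; cancelling the context does not stop the proxy until another client connects. Closing the listener when the context ends unblocks Accept, and the error branch can then return instead of logging. As written the loop also `continue`s on every Accept error, so once the listener is closed or descriptors run out it spins and floods the log. main.go in this patch passes `context.Background()`, so nothing cancels the context yet.

```go
	defer listener.Close()

	// Accept blocks, so cancellation has to close the listener to wake it up.
	go func() {
		<-ctx.Done()
		listener.Close()
	}()

	for {
		conn, err := listener.Accept()
		if err != nil {
			if ctx.Err() != nil {
				return nil
			}
			klog.Errorf("error accepting connection: %v", err)
			continue
		}
		// … unchanged: go p.handleConnect(conn) …
	}
```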
+++ b/deployments/liqo/templates/liqo-proxy-deployment.yaml @@ -28,7 +28,7 @@ spec: securityContext: {{- include "liqo.podSecurityContext" . | nindent 8 }} containers: - - image: {{ .Values.proxy.image.name }} + - image: {{ .Values.proxy.image.name }}{{ include "liqo.suffix" $proxyConfig }}:{{ include "liqo.version" $proxyConfig }} imagePullPolicy: {{ .Values.pullPolicy }} name: {{ $proxyConfig.name }} securityContext: @@ -36,10 +36,10 @@ spec: ports: - containerPort: {{ .Values.proxy.config.listeningPort }} resources: {{- toYaml .Values.proxy.pod.resources | nindent 12 }} - {{- if or .Values.common.extraArgs .Values.proxy.pod.extraArgs }} args: - --port={{ .Values.proxy.config.listeningPort }} - - --allowed-hosts=kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster.local + - --allowed-hosts=kubernetes:443,kubernetes.default:443,kubernetes.default.svc:443,kubernetes.default.svc.cluster.local:443 + {{- if or .Values.common.extraArgs .Values.proxy.pod.extraArgs }} {{- if .Values.common.extraArgs }} {{- toYaml .Values.common.extraArgs | nindent 10 }} {{- end }} diff --git a/deployments/liqo/values.yaml b/deployments/liqo/values.yaml index c6296c50f5..7058fc0bb0 100644 --- a/deployments/liqo/values.yaml +++ b/deployments/liqo/values.yaml @@ -637,7 +637,7 @@ proxy: priorityClassName: "" image: # -- Image repository for the proxy pod. - name: "thegrandpkizzle/envoy:1.26.1" + name: "ghcr.io/liqotech/proxy" # -- Custom version for the proxy image. If not specified, the global tag is used. version: "" service: From 9c8f2015985aa5b458770ebca62e58462d9ab70c Mon Sep 17 00:00:00 2001 From: Alessandro Olivero Date: Tue, 19 Nov 2024 13:17:07 +0100 Subject: [PATCH 5/8] fixup! fixup! fixup! golang http proxy --- .../liqo/templates/liqo-proxy-deployment.yaml | 1 - pkg/proxy/connect.go | 14 ++++++++++++++ pkg/proxy/types.go | 14 ++++++++++++++ 3 files changed, 28 insertions(+), 1 deletion(-) 
diff --git a/deployments/liqo/templates/liqo-proxy-deployment.yaml b/deployments/liqo/templates/liqo-proxy-deployment.yaml index 1a94f46fa5..84f4ab926c 100644 --- a/deployments/liqo/templates/liqo-proxy-deployment.yaml +++ b/deployments/liqo/templates/liqo-proxy-deployment.yaml @@ -38,7 +38,6 @@ spec: resources: {{- toYaml .Values.proxy.pod.resources | nindent 12 }} args: - --port={{ .Values.proxy.config.listeningPort }} - - --allowed-hosts=kubernetes:443,kubernetes.default:443,kubernetes.default.svc:443,kubernetes.default.svc.cluster.local:443 {{- if or .Values.common.extraArgs .Values.proxy.pod.extraArgs }} {{- if .Values.common.extraArgs }} {{- toYaml .Values.common.extraArgs | nindent 10 }} diff --git a/pkg/proxy/connect.go b/pkg/proxy/connect.go index 80af580a61..8d77db5680 100644 --- a/pkg/proxy/connect.go +++ b/pkg/proxy/connect.go @@ -1,3 +1,17 @@ +// Copyright 2019-2024 The Liqo Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + package proxy import ( diff --git a/pkg/proxy/types.go b/pkg/proxy/types.go index 038b1dde5c..18c6a6207a 100644 --- a/pkg/proxy/types.go +++ b/pkg/proxy/types.go 
@@ -1,3 +1,17 @@ +// Copyright 2019-2024 The Liqo Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + package proxy import ( From 413a8ac6df687a0f74c1c4f8ce51638b94d052cf Mon Sep 17 00:00:00 2001 From: Alessandro Olivero Date: Tue, 19 Nov 2024 13:17:18 +0100 Subject: [PATCH 6/8] fixup! fixup! fixup! fixup! golang http proxy --- cmd/proxy/main.go | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/cmd/proxy/main.go b/cmd/proxy/main.go index 7aeafeff71..152bc14c70 100644 --- a/cmd/proxy/main.go +++ b/cmd/proxy/main.go @@ -1,3 +1,17 @@ +// Copyright 2019-2024 The Liqo Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + package main import ( @@ -5,8 +19,9 @@ import ( "flag" "os" - "github.com/liqotech/liqo/pkg/proxy" "k8s.io/klog/v2" + + "github.com/liqotech/liqo/pkg/proxy" ) func main() { From 6e5abf40232d4d69108fe170f3b1b5c3112182be Mon Sep 17 00:00:00 2001 
From: Alessandro Olivero Date: Tue, 19 Nov 2024 13:23:17 +0100 Subject: [PATCH 7/8] fixup! fixup! fixup! fixup! fixup! golang http proxy --- pkg/utils/network/netmonitor/netmonitor.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pkg/utils/network/netmonitor/netmonitor.go b/pkg/utils/network/netmonitor/netmonitor.go index 5ed0e6f5c8..f447546fa7 100644 --- a/pkg/utils/network/netmonitor/netmonitor.go +++ b/pkg/utils/network/netmonitor/netmonitor.go @@ -131,22 +131,22 @@ func InterfacesMonitoring(ctx context.Context, eventChannel chan event.GenericEv for { select { case updateLink := <-chLink: - klog.Info("Link update received") + klog.V(4).Info("Link update received") if options.Link != nil { handleLinkUpdate(&updateLink, options.Link, interfaces, eventChannel) } case updateAddr := <-chAddr: - klog.Info("Addr update received") + klog.V(4).Info("Addr update received") if options.Addr != nil { handleAddrUpdate(&updateAddr, options.Addr, eventChannel) } case updateRoute := <-chRoute: - klog.Info("Route update received") + klog.V(4).Info("Route update received") if options.Route != nil { handleRouteUpdate(&updateRoute, options.Route, eventChannel) } case updateNft := <-chNft: - klog.Info("Nft update received") + klog.V(4).Info("Nft update received") if updateNft != nil && options.Nftables != nil { handleNftUpdate(updateNft, options.Nftables, eventChannel) } From 99555c6105ba53a0fad42242c28f7b4e5913f346 Mon Sep 17 00:00:00 2001 From: Alessandro Olivero Date: Tue, 19 Nov 2024 13:26:55 +0100 Subject: [PATCH 8/8] fixup! fixup! fixup! fixup! fixup! fixup! golang http proxy --- docs/advanced/k8s-api-server-proxy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/advanced/k8s-api-server-proxy.md b/docs/advanced/k8s-api-server-proxy.md index 8524960a8d..288ac29e1c 100644 --- a/docs/advanced/k8s-api-server-proxy.md +++ b/docs/advanced/k8s-api-server-proxy.md 
@@ -8,7 +8,7 @@ This feature is **internally** used by the [in-band peering](UsagePeeringInBand) If you just need to peer two clusters without publicly exposing the Kubernetes API server, you can use the [in-band peering](UsagePeeringInBand). ``` -The Kubernetes API Server Proxy is an Envoy HTTP server that accepts [HTTP Connect](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/CONNECT) requests and forwards them to the Kubernetes API Server of the local cluster. +The Kubernetes API Server Proxy is an HTTP server that accepts [HTTP Connect](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/CONNECT) requests and forwards them to the Kubernetes API Server of the local cluster. It just proxy the requests to the API server and it has no permission on the local cluster. This means that, as usual, all the requesters must authenticate with the Kubernetes API Server to access the resources.