Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(kumactl): add option to install with experimental transparent proxy #4958

Merged
merged 4 commits into from
Sep 12, 2022
Merged
Show file tree
Hide file tree
Changes from 2 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -668,6 +668,8 @@ experimental:
gatewayAPI: false
# -- If true, it installs experimental new version of the CNI
cni: false
# -- If true, use the new transparent proxy engine
transparentProxy: false
# Configuration for the experimental ebpf mode for transparent proxy
ebpf:
# -- If true, ebpf will be used instead of using iptables to install/configure transparent proxy
Expand Down
1 change: 1 addition & 0 deletions deployments/charts/kuma/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -162,6 +162,7 @@ A Helm chart for the Kuma Control Plane
| hooks.containerSecurityContext | object | `{}` | Security context at the container level for crd/webhook/ns |
| experimental.gatewayAPI | bool | `false` | If true, it installs experimental Gateway API support |
| experimental.cni | bool | `false` | If true, it installs experimental new version of the CNI |
| experimental.transparentProxy | bool | `false` | If true, use the new transparent proxy engine |
| experimental.ebpf.enabled | bool | `false` | If true, ebpf will be used instead of using iptables to install/configure transparent proxy |
| experimental.ebpf.instanceIPEnvVarName | string | `"INSTANCE_IP"` | Name of the environmental variable which will contain the IP address of a pod |
| experimental.ebpf.bpffsPath | string | `"/run/kuma/bpf"` | Path where BPF file system should be mounted |
Expand Down
4 changes: 4 additions & 0 deletions deployments/charts/kuma/templates/_helpers.tpl
Original file line number Diff line number Diff line change
Expand Up @@ -279,6 +279,10 @@ env:
- name: KUMA_RUNTIME_KUBERNETES_NODE_TAINT_CONTROLLER_CNI_APP
value: "{{ include "kuma.name" . }}-cni"
{{- end }}
{{- if .Values.experimental.transparentProxy }}
- name: KUMA_RUNTIME_KUBERNETES_INJECTOR_TRANSPARENT_PROXY_V2
value: "true"
{{- end }}
{{- if .Values.experimental.ebpf.enabled }}
- name: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_ENABLED
value: "true"
Expand Down
2 changes: 2 additions & 0 deletions deployments/charts/kuma/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -668,6 +668,8 @@ experimental:
gatewayAPI: false
# -- If true, it installs experimental new version of the CNI
cni: false
# -- If true, use the new transparent proxy engine
transparentProxy: false
# Configuration for the experimental ebpf mode for transparent proxy
ebpf:
# -- If true, ebpf will be used instead of using iptables to install/configure transparent proxy
Expand Down
1 change: 1 addition & 0 deletions pkg/config/app/kuma-cp/kuma-cp.defaults.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -272,6 +272,7 @@ runtime:
enabled: true # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_BUILTIN_DNS_ENABLED
# Redirect port for DNS
port: 15053 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_BUILTIN_DNS_PORT
transparentProxyV2: false # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_TRANSPARENT_PROXY_V2
# EBPF defines configuration for the ebpf, when transparent proxy is marked to be
# installed using ebpf instead of iptables
ebpf:
Expand Down
3 changes: 3 additions & 0 deletions pkg/config/loader_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -182,6 +182,7 @@ var _ = Describe("Config loader", func() {
Expect(cfg.Runtime.Kubernetes.Injector.SidecarContainer.ReadinessProbe.InitialDelaySeconds).To(Equal(int32(41)))
Expect(cfg.Runtime.Kubernetes.Injector.BuiltinDNS.Enabled).To(Equal(true))
Expect(cfg.Runtime.Kubernetes.Injector.BuiltinDNS.Port).To(Equal(uint32(1053)))
Expect(cfg.Runtime.Kubernetes.Injector.TransparentProxyV2).To(Equal(true))
Expect(cfg.Runtime.Kubernetes.Injector.EBPF.Enabled).To(Equal(true))
Expect(cfg.Runtime.Kubernetes.Injector.EBPF.InstanceIPEnvVarName).To(Equal("FOO"))
Expect(cfg.Runtime.Kubernetes.Injector.EBPF.BPFFSPath).To(Equal("/run/kuma/bar"))
Expand Down Expand Up @@ -400,6 +401,7 @@ runtime:
builtinDNS:
enabled: true
port: 1053
transparentProxyV2: true
ebpf:
enabled: true
instanceIPEnvVarName: FOO
Expand Down Expand Up @@ -590,6 +592,7 @@ proxy:
"KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_INITIAL_DELAY_SECONDS": "41",
"KUMA_RUNTIME_KUBERNETES_INJECTOR_BUILTIN_DNS_ENABLED": "true",
"KUMA_RUNTIME_KUBERNETES_INJECTOR_BUILTIN_DNS_PORT": "1053",
"KUMA_RUNTIME_KUBERNETES_INJECTOR_TRANSPARENT_PROXY_V2": "true",
"KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_ENABLED": "true",
"KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_INSTANCE_IP_ENV_VAR_NAME": "FOO",
"KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_BPFFS_PATH": "/run/kuma/bar",
Expand Down
3 changes: 3 additions & 0 deletions pkg/config/plugins/runtime/k8s/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -76,6 +76,7 @@ func DefaultKubernetesRuntimeConfig() *KubernetesRuntimeConfig {
Enabled: true,
Port: 15053,
},
TransparentProxyV2: false,
EBPF: EBPF{
Enabled: false,
InstanceIPEnvVarName: "INSTANCE_IP",
Expand Down Expand Up @@ -145,6 +146,8 @@ type Injector struct {
// CaCertFile is CA certificate which will be used to verify a connection to the control plane
CaCertFile string `yaml:"caCertFile" envconfig:"kuma_runtime_kubernetes_injector_ca_cert_file"`
BuiltinDNS BuiltinDNS `yaml:"builtinDNS"`
// TransparentProxyV2 enables the new transparent proxy engine for all workloads
TransparentProxyV2 bool `yaml:"transparentProxyV2" envconfig:"kuma_runtime_kubernetes_injector_transparent_proxy_v2"`
// EBPF is a configuration for ebpf if transparent proxy should be installed
// using ebpf instead of iptables
EBPF EBPF `yaml:"ebpf"`
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,7 @@ injector:
builtinDNS:
enabled: true
port: 15053
transparentProxyV2: false
ebpf:
enabled: false
instanceIPEnvVarName: INSTANCE_IP
Expand Down
2 changes: 1 addition & 1 deletion pkg/plugins/runtime/k8s/webhooks/injector/injector.go
Original file line number Diff line number Diff line change
Expand Up @@ -401,7 +401,7 @@ func (i *KumaInjector) FindServiceAccountToken(podSpec *kube_core.PodSpec) *kube
}

func (i *KumaInjector) NewInitContainer(pod *kube_core.Pod) (kube_core.Container, error) {
podRedirect, err := tp_k8s.NewPodRedirectForPod(pod)
podRedirect, err := tp_k8s.NewPodRedirectForPod(i.cfg.TransparentProxyV2, pod)
if err != nil {
return kube_core.Container{}, err
}
Expand Down
10 changes: 7 additions & 3 deletions pkg/transparentproxy/kubernetes/kubernetes.go
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@ type PodRedirect struct {
TransparentProxyEbpfProgramsSourcePath string
}

func NewPodRedirectForPod(pod *kube_core.Pod) (*PodRedirect, error) {
func NewPodRedirectForPod(transparentProxyV2 bool, pod *kube_core.Pod) (*PodRedirect, error) {
var err error
podRedirect := &PodRedirect{}

Expand Down Expand Up @@ -87,9 +87,13 @@ func NewPodRedirectForPod(pod *kube_core.Pod) (*PodRedirect, error) {

podRedirect.UID, _ = metadata.Annotations(pod.Annotations).GetString(metadata.KumaSidecarUID)

podRedirect.ExperimentalTransparentProxyEngine, _, err = metadata.Annotations(pod.Annotations).GetEnabled(metadata.KumaTransparentProxyingExperimentalEngine)
if err != nil {
if transparentProxyV2 {
podRedirect.ExperimentalTransparentProxyEngine = true
}
if transparentProxyV2, exists, err := metadata.Annotations(pod.Annotations).GetEnabled(metadata.KumaTransparentProxyingExperimentalEngine); err != nil {
return nil, err
} else if exists {
podRedirect.ExperimentalTransparentProxyEngine = transparentProxyV2
}
michaelbeaumont marked this conversation as resolved.
Show resolved Hide resolved

if value, exists, err := metadata.Annotations(pod.Annotations).GetEnabled(metadata.KumaTransparentProxyingEbpf); err != nil {
Expand Down
73 changes: 67 additions & 6 deletions pkg/transparentproxy/kubernetes/kubernetes_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -29,12 +29,13 @@ import (

var _ = Describe("kubernetes", func() {
type testCaseKumactl struct {
pod *kube_core.Pod
commandLine []string
transparentProxyV2 bool
pod *kube_core.Pod
commandLine []string
}

DescribeTable("should generate kumactl command line", func(given testCaseKumactl) {
podRedirect, err := kubernetes.NewPodRedirectForPod(given.pod)
podRedirect, err := kubernetes.NewPodRedirectForPod(given.transparentProxyV2, given.pod)
Expect(err).ToNot(HaveOccurred())

commandLine := podRedirect.AsKumactlCommandLine()
Expand Down Expand Up @@ -151,6 +152,33 @@ var _ = Describe("kubernetes", func() {
"--experimental-transparent-proxy-engine",
},
}),
Entry("should generate experimental engine if enabled even without annotation", testCaseKumactl{
transparentProxyV2: true,
pod: &kube_core.Pod{
ObjectMeta: metav1.ObjectMeta{
Annotations: map[string]string{
metadata.KumaTrafficExcludeOutboundPorts: "11000",
metadata.KumaTransparentProxyingOutboundPortAnnotation: "25100",
metadata.KumaTrafficExcludeInboundPorts: "12000",
metadata.KumaTransparentProxyingInboundPortAnnotation: "25204",
metadata.KumaTransparentProxyingInboundPortAnnotationV6: "25206",
metadata.KumaSidecarUID: "12345",
},
},
},
commandLine: []string{
"--redirect-outbound-port", "25100",
"--redirect-inbound=" + "true",
"--redirect-inbound-port", "25204",
"--redirect-inbound-port-v6", "25206",
"--kuma-dp-uid", "12345",
"--exclude-inbound-ports", "12000",
"--exclude-outbound-ports", "11000",
"--verbose",
"--skip-resolv-conf",
"--experimental-transparent-proxy-engine",
},
}),
Entry("should generate for Gateway", testCaseKumactl{
pod: &kube_core.Pod{
ObjectMeta: metav1.ObjectMeta{
Expand Down Expand Up @@ -222,12 +250,13 @@ var _ = Describe("kubernetes", func() {
)

type testCaseTransparentProxyConfig struct {
pod *kube_core.Pod
tpConfig *config.TransparentProxyConfig
transparentProxyV2 bool
pod *kube_core.Pod
tpConfig *config.TransparentProxyConfig
}

DescribeTable("should generate transparent proxy config", func(given testCaseTransparentProxyConfig) {
podRedirect, err := kubernetes.NewPodRedirectForPod(given.pod)
podRedirect, err := kubernetes.NewPodRedirectForPod(given.transparentProxyV2, given.pod)
Expect(err).ToNot(HaveOccurred())

tpConfig := podRedirect.AsTransparentProxyConfig()
Expand Down Expand Up @@ -297,6 +326,38 @@ var _ = Describe("kubernetes", func() {
ExperimentalEngine: true,
},
}),
Entry("should generate experimental engine if enabled even without annotation", testCaseTransparentProxyConfig{
transparentProxyV2: true,
pod: &kube_core.Pod{
ObjectMeta: metav1.ObjectMeta{
Annotations: map[string]string{
metadata.KumaTrafficExcludeOutboundPorts: "11000",
metadata.KumaTransparentProxyingOutboundPortAnnotation: "25100",
metadata.KumaTrafficExcludeInboundPorts: "12000",
metadata.KumaTransparentProxyingInboundPortAnnotation: "25204",
metadata.KumaTransparentProxyingInboundPortAnnotationV6: "25206",
metadata.KumaSidecarUID: "12345",
},
},
},
tpConfig: &config.TransparentProxyConfig{
DryRun: false,
Verbose: true,
RedirectPortOutBound: "25100",
RedirectInBound: true,
RedirectPortInBound: "25204",
RedirectPortInBoundV6: "25206",
ExcludeInboundPorts: "12000",
ExcludeOutboundPorts: "11000",
UID: "12345",
GID: "12345",
RedirectDNS: false,
RedirectAllDNSTraffic: false,
AgentDNSListenerPort: "0",
DNSUpstreamTargetChain: "",
ExperimentalEngine: true,
},
}),
Entry("should generate no builtin DNS", testCaseTransparentProxyConfig{
pod: &kube_core.Pod{
ObjectMeta: metav1.ObjectMeta{
Expand Down