Change traffic-agent's target port to podIP instead of localhost. #3675
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Routing traffic to localhost will effectively bypass any injected sidecar that modifies the iptables for incoming traffic. This commit mitigates that problem by routing to the pod-IP instead. The fix currently applies when the intercepted service's `targetPort` is symbolic. More work is needed in our init-container to also enable this for numeric ports. Signed-off-by: Thomas Hallgren <[email protected]>
Signed-off-by: Thomas Hallgren <[email protected]>
So that the echo-server can listen to the IP of the host rather than just localhost. Signed-off-by: Thomas Hallgren <[email protected]>
Signed-off-by: Thomas Hallgren <[email protected]>
Signed-off-by: Thomas Hallgren <[email protected]>
Using the IP of the pod means that an application now has a choice to either bind to that IP or to localhost. Internally, it also meant that we could implement a safer routing from the traffic-agent to the app- container when numeric ports were used. In detail, there's a huge difference between requests that the traffic- agent performs on behalf of a client that wants to connect to the app, and the forwarding it does to the app during times when no intercepts are active. The former must be routed back to the agent, so that potential intercepts are served correctly, whereas the latter must not be routed back, because that would result in an endless loop. Closes #3473 Signed-off-by: Thomas Hallgren <[email protected]>
thallgren
added
the
ok to test
github-actions
bot
removed
the
ok to test
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Using the IP of the pod means that an application now has a choice to
either bind to that IP or to localhost. Internally, it also meant that
we could implement a safer routing from the traffic-agent to the app-
container when numeric ports were used.
In detail, there's a huge difference between requests that the traffic-
agent performs on behalf of a client that wants to connect to the app,
and the forwarding it does to the app during times when no intercepts
are active. The former must be routed back to the agent, so that
potential intercepts are served correctly, whereas the latter must not
be routed back, because that would result in an endless loop.