
Don't switch container port

Open zvlb opened this issue 1 year ago • 5 comments

I continue to work on the possibility of using Envoy Gateway on bare metal installations of Kubernetes. In my case, services with the LoadBalancer type are not available in the cluster, so I need to launch containers on the required ports (which are specified in the CR Gateway) without executing logic in the servicePortToContainerPort function.

At the moment, I see two solutions:

  1. Add a flag to Envoy that disables the need to execute servicePortToContainerPort. I'm not very fond of this option because if I need multiple Gateways, not all of which should have CAP_NET_BIND_SERVICE, there will be problems.
  2. Add a field to EnvoyProxy that will control this behavior.

Do you have any other suggestions? I can implement the agreed functionality.

zvlb avatar Apr 20 '24 18:04 zvlb

relates to https://github.com/envoyproxy/gateway/pull/2405 @Xunzhuo is a knob to opt out of this translation the only option?

arkodg avatar Apr 23 '24 01:04 arkodg

In some scenarios, we actually do need to use the listener port as the container port; we can add a field to control this behavior.

Xunzhuo avatar Apr 23 '24 02:04 Xunzhuo

@arkodg I'm not sure about this PR.

My not-so-authoritative opinion:

  1. It seems to me it would be better to move the UseListenerPortAsContainerPort field from KubernetesServiceSpec to EnvoyProxyKubernetesProvider, as changing this parameter affects both how the pod and service are configured, not just the service alone. (In the future, I want to add a disable flag in KubernetesServiceSpec to avoid deploying the service. However, ports for pods should be specified without mutation. So, the working configuration would look like this:
...
  envoyService:
    disable: true
    useListenerPortAsContainerPort: true

Which looks strange to me)

  2. This PR blocks the ability to use ports lower than 1024. However, in my case, I need to use ports 80 and 443. Perhaps someone else may need to use different ports.

zvlb avatar Apr 29 '24 09:04 zvlb

If someone can create a name for this option in the field EnvoyProxyKubernetesProvider, I can start to implement it)

zvlb avatar Apr 29 '24 15:04 zvlb

@zvlb would be great if you can take #2405 forward (as a new PR) some open questions are

arkodg avatar May 01 '24 19:05 arkodg

fixed with https://github.com/envoyproxy/gateway/pull/3333

arkodg avatar May 20 '24 16:05 arkodg