apiserver-network-proxy
Implement a local/non agent option for the proxy server.
Currently the proxy-server attempts to forward all connection requests from the client to the proxy-agent. It would be useful to allow the proxy server to have a setting where it puts the traffic on a local ethernet connection directly. This would allow us to firewall off the KAS so it could ONLY connect to the proxy-server(s). Then the relevant proxy-server could place traffic locally for things like connecting to the ETCD server.
I'll work on this issue assuming no one else has started.
To summarize a conversation with @cheftako offline, the current thinking is that the proxy-server either operates in a forwarding mode where all connection requests go to the proxy agent or in a local mode where everything is placed on a local interface, meaning that in the above example a separate proxy server would be used for etcd traffic. @cheftako Am I representing your thoughts correctly?
The idea behind that is that the KAS NetworkContext routing can send traffic to different network proxy servers. So you can run 1 proxy server for local (e.g. master + etcd) traffic and a second proxy server for cluster traffic.
/help-wanted
/help wanted
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale
/remove-lifecycle stale
/lifecycle frozen
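
The KAS-side routing discussed in this thread, as an added example that is not part of the issue or the project's own configuration: an `EgressSelectorConfiguration` that sends `controlplane` and `etcd` traffic to one proxy server and `cluster` traffic to another. The socket paths are hypothetical, and the local mode of the first proxy server is the feature this issue requests, so nothing here configures it.

```yaml
# Added example. Passed to kube-apiserver with --egress-selector-config-file.
# Socket paths below are assumptions made for illustration.
apiVersion: apiserver.k8s.io/v1beta1
kind: EgressSelectorConfiguration
egressSelections:
# Traffic to other control plane components (the "master" traffic in the
# thread) goes to the proxy server that would place it on a local interface.
- name: controlplane
  connection:
    proxyProtocol: GRPC
    transport:
      uds:
        udsName: /etc/kubernetes/proxy-local/proxy-local.socket      # hypothetical path
# etcd traffic uses the same local proxy server.
- name: etcd
  connection:
    proxyProtocol: GRPC
    transport:
      uds:
        udsName: /etc/kubernetes/proxy-local/proxy-local.socket      # hypothetical path
# Traffic to nodes, pods and services goes to a second proxy server,
# which forwards it to the proxy agents in the cluster network.
- name: cluster
  connection:
    proxyProtocol: GRPC
    transport:
      uds:
        udsName: /etc/kubernetes/proxy-cluster/proxy-cluster.socket  # hypothetical path
# No selection uses "proxyProtocol: Direct", so every outbound KAS connection
# class passes through a proxy server. The firewall rule restricting the KAS
# to the proxy servers is enforced on the host or network, not in this file.
```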