
Need to add to PREROUTING chain?

Open luhkevin opened this issue 8 years ago • 4 comments

I was looking at this project and had a question. In prepare_proxy.sh, don't we need to add a rule to the PREROUTING chain as well, in order to handle requests originating from a docker container?

Referring to https://github.com/fabric8io/docker-iptables-redirector/pull/1:

(2) Adding rules to not only the OUTPUT chain but also the PREROUTING chain. Rules in the OUTPUT chain seem to redirect traffic from the host but not from containers. If you want to redirect traffic from containers (which I assume is a pretty common use-case) we need to add rules to PREROUTING, too. See jtblin/aws-mock-metadata#5

(which in turn refers to https://github.com/jtblin/aws-mock-metadata/pull/5)

luhkevin, Sep 01 '17 22:09

Hey guys, any updates on this?

luhkevin, Sep 12 '17 17:09

Hey @luhkevin, the current prepare_proxy.sh assumes you're running linkerd as a daemonset in k8s, and in that setup we only care about routing outgoing traffic through linkerd (which will then take care of routing the request through a linkerd on the destination host). So in that situation I think we only need rules on the OUTPUT chain. For traffic within the pod, we don't redirect it to linkerd. (Let me know if I misunderstood your question!)

rmars, Sep 12 '17 18:09

Hmm, maybe I'm misunderstanding something, but

routing outgoing traffic through linkerd

does include traffic that originates from non-host mode docker containers in the GKE cluster, correct?

My observations were more that any traffic originating from docker containers running in non-host networking mode wasn't even hitting the OUTPUT chain, but they do hit the PREROUTING chain. The GitHub link above also corroborates what I was seeing.

I was just testing on plain k8s clusters spun up with GKE, so I'm not referring to intra-pod traffic per se.

luhkevin, Sep 12 '17 18:09
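An added illustration of the OUTPUT-versus-PREROUTING distinction raised in this thread; it is not code from the linkerd-inject project or from either commenter. It emits the nat-table redirect rules for either chain and checks an `iptables-save -t nat` dump for which chains actually redirect to the proxy. `PROXY_PORT`, `PROXY_UID` and `SAMPLE_DUMP` are assumed or constructed values, not taken from the thread.

```shell
# Added example, not the project's prepare_proxy.sh. Assumed values:
# the proxy listens on PROXY_PORT and runs as PROXY_UID (constructed).
PROXY_PORT=${PROXY_PORT:-4140}
PROXY_UID=${PROXY_UID:-1337}

# nat-table rules for one chain. OUTPUT matches packets generated inside
# the network namespace the rules live in (a pod's own netns when an init
# container installs them); PREROUTING matches packets arriving on an
# interface, e.g. from a container's veth when the rules live in the host.
redirect_rules_for_chain() {
  chain=$1
  if [ "$chain" = OUTPUT ]; then
    # The owner match is unavailable in PREROUTING: in OUTPUT, exempt the
    # proxy's own connections so they are not redirected back to it (a loop).
    printf 'iptables -t nat -A %s -p tcp -m owner --uid-owner %s -j RETURN\n' "$chain" "$PROXY_UID"
  fi
  # Traffic already addressed to the proxy port must not be redirected again.
  printf 'iptables -t nat -A %s -p tcp --dport %s -j RETURN\n' "$chain" "$PROXY_PORT"
  # In PREROUTING, REDIRECT rewrites the destination to the incoming
  # interface's primary address, so the proxy must bind 0.0.0.0, not loopback.
  printf 'iptables -t nat -A %s -p tcp -j REDIRECT --to-port %s\n' "$chain" "$PROXY_PORT"
}

# Read an `iptables-save -t nat` dump on stdin; succeed if chain $1 has a
# REDIRECT to the proxy port (iptables-save prints it as --to-ports).
chain_redirects_to_proxy() {
  grep -q -- "^-A $1 .*-j REDIRECT --to-ports $PROXY_PORT\$"
}

# Print one line per chain saying whether the dump ($1) redirects it.
coverage_report() {
  for c in OUTPUT PREROUTING; do
    if printf '%s\n' "$1" | chain_redirects_to_proxy "$c"; then
      echo "$c: redirected"
    else
      echo "$c: NOT redirected"
    fi
  done
}

# Constructed dump mirroring an OUTPUT-only setup like the one in the thread.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m owner --uid-owner 1337 -j RETURN
-A OUTPUT -p tcp -m tcp --dport 4140 -j RETURN
-A OUTPUT -p tcp -j REDIRECT --to-ports 4140
COMMIT'
```

Running `coverage_report "$SAMPLE_DUMP"` reports OUTPUT as redirected and PREROUTING as not, which is the gap the comment above describes for traffic entering from a container's veth.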

does include traffic that originates from non-host mode docker containers in the GKE cluster, correct?

yeah.

hmmmm, so if I understand, for a plain k8s cluster, with hostNetwork: false (the default), the things in /example don't work? (I tried deploying the example on plain k8s with GKE, no hostNetwork and it seems to work, i.e. the hello services can reach the world services via linkerd - or, I may still be misunderstanding the question)

Maybe we can move this conversation to https://discourse.linkerd.io/ or https://slack.linkerd.io/ and figure this out!

rmars, Sep 16 '17 00:09