vcluster icon indicating copy to clipboard operation
vcluster copied to clipboard
verified publisher icon loft-sh

Allow accessing host services in vcluster without cluster role

Open sandangel opened this issue 2 years ago • 4 comments

Is your feature request related to a problem?

  • ~Cluster role is required for service mapping from host namespce to vcluster, even with the service inside the same namespace with vcluster.~
  • We want to connect from vcluster to host services without specific cluster wide permission

Which solution do you suggest?

  • ~Allow using Role instead of cluster role to map service in host namespace where vcluster is installed.~
  • Allow adding pod annotation, so the pod will use host cluster nameserver instead of vcluster coredns.

Which alternative solutions exist?

  • ~Alternatively, I think we can configure coredns to resolve dns request directly, or forward it to the host cluster dns server. This might replace the approach of current service mapping.~
  • Add static host cluster nameserver to the pod dnsConfig works

Additional context

pods in vcluster can not access istio mesh on host

  • vcluster pods have istio-proxy sidecar injected by host istio
  • ~Vcluster translate the address of service in the mesh to IP address when pod try to looks for~
  • vcluster use its own coredns for DNS queries so the istio-proxy sidecar can not connect to the host cluster istiod to get certificate.
  • ~pods on vcluster can not connect to that service because the traffic should be routed through the sidecar istio-proxy~
  • pods failed to receive/initiate tcp/http requests because traffic is intercepted by istio-proxy which is failing.

sandangel avatar Mar 07 '23 23:03 sandangel

Hi @sandangel , Thanks for creating the issue!! Will check this and let you know shortly.

neogopher avatar Mar 08 '23 11:03 neogopher

Hi @sandangel ,

mapServices provides the capability to create a mapping between a service residing in any namespace on the host cluster to a given service and namespace in the vcluster. For this usecase, a cluster role is employed, though as you said a role would suffice if the service resides in the vcluster namespace. However, the clusterrole contains access rules for some other resources as required like nodes, pods etc, so the cluster role is going to be created for that purpose.

Also, with the alternate solution i.e forwarding the DNS queries to the host dns, do you mean that first the vcluster coredns be queried and if its not found there the request is to be sent to the host dns server?

neogopher avatar Mar 08 '23 16:03 neogopher

Also, with the alternate solution i.e forwarding the DNS queries to the host dns, do you mean that first the vcluster coredns be queried and if its not found there the request is to be sent to the host dns server?

that is correct.

sandangel avatar Mar 08 '23 17:03 sandangel

Finally I was able to connect to host istio service mesh using the static host nameserver IP in dnsConfig. I think the use case is valid because we start increasing adoption in the company from a few namespaces. The workloads from that namespace still need to connect to other workloads in other team's namespaces inside the host service mesh.

Vcluster can already do that but user need to find the static ip of cluster nameserver and explicitly set it to specific pod. We can just make it more convenient to user by using an annotation to a pod that user want to use host dns. WDYT?

sandangel avatar Mar 11 '23 09:03 sandangel