Transparent proxy injection

We can do transparent proxying of requests to linkerd via iptables rules.

This script injects an initContainer into the user's k8s config. This initContainer sets up iptables rules for tranparent proxying of requests to a Daemonset linkerd.

It injects the following initContainer (which you could add to your config manually if you would rather not use the script). The script uses the pod.beta.kubernetes.io/init-containers annotation, which you would need to use if you are running a version of the Kubernetes Apiserver before 1.6.

initContainers:
- name: init-linkerd
  image: linkerd/istio-init:v1
  env:
  - name: NODE_NAME
    valueFrom:
      fieldRef:
        fieldPath: spec.nodeName
  args:
    - -p
    - "4140" # port of the Daemonset linkerd's incoming router
    - -s
    - "L5D" # linkerd Daemonset service name, uppercased
    - -m
    - "false" # set to true if running in minikube
  imagePullPolicy: IfNotPresent
  securityContext:
    capabilities:
      add:
      - NET_ADMIN
    privileged: false # set to true for SELinux

It is based on Istio's method of injecting sidecars. Ideally this code would go somewhere with the istioctl code, and reuse that code more directly, but this seems to be in transit right now. This prepare_proxy.sh sets up iptables rules for transparently proxying requests to a Daemonset linkerd (rather than a sidecar proxy, which Istio currently uses).

Usage

Install linkerd-inject

go get github.com/linkerd/linkerd-inject

Inject init container into your yaml and apply. If you're using minikube, see example/ for minikube instructions. If you're running in OpenShift (SELinux), you'll need to use -privileged.

kubectl apply -f <(linkerd-inject -f example/hello-world.yml -linkerdPort 4140)

To see output of script before applying:

linkerd-inject -f example/hello-world.yml -o result.yml -linkerdPort 4140