Transparent proxy injection
We can do transparent proxying of requests to linkerd via iptables
rules.
This script injects an initContainer
into the user's k8s config. This
initContainer
sets up iptables
rules for tranparent proxying of requests to a
Daemonset linkerd.
It injects the following initContainer (which you could add to your config
manually if you would rather not use the script). The script uses the
pod.beta.kubernetes.io/init-containers
annotation, which you would need to use
if you are running a version of the Kubernetes Apiserver before 1.6.
initContainers:
- name: init-linkerd
image: linkerd/istio-init:v1
env:
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
args:
- -p
- "4140" # port of the Daemonset linkerd's incoming router
- -s
- "L5D" # linkerd Daemonset service name, uppercased
- -m
- "false" # set to true if running in minikube
imagePullPolicy: IfNotPresent
securityContext:
capabilities:
add:
- NET_ADMIN
privileged: false # set to true for SELinux
It is based on Istio's method of
injecting sidecars.
Ideally this code would go somewhere with the istioctl code, and reuse that code
more directly, but this seems to be in transit right now. This prepare_proxy.sh
sets up iptables rules for transparently proxying requests to a Daemonset linkerd
(rather than a sidecar proxy, which Istio
currently uses).
Usage
Install linkerd-inject
go get github.com/linkerd/linkerd-inject
Inject init container into your yaml and apply.
If you're using minikube, see example/ for minikube instructions.
If you're running in OpenShift (SELinux), you'll need to use -privileged
.
kubectl apply -f <(linkerd-inject -f example/hello-world.yml -linkerdPort 4140)
To see output of script before applying:
linkerd-inject -f example/hello-world.yml -o result.yml -linkerdPort 4140