This repository has been archived by the owner on Jul 11, 2023. It is now read-only.

injector: Generate init/init-iptables.sh dynamically from Go code and constants #2243

Closed
draychev opened this issue Jan 4, 2021 · 2 comments
@draychev
Contributor

draychev commented Jan 4, 2021

The init container executes the init/init-iptables.sh script which is a static bash script. The bash script contains constants that are duplicated in Go code. A mismatch between these constants (port numbers) would cause breakage. These constants are currently synced manually. To prevent issues arising from inconsistencies between the bash and Go code - we should dynamically generate the init/init-iptables.sh file.

For example:

We can delete init-iptables.sh from the repo and generate it on the fly from the already defined constants such as EnvoyAdminPort


Sub-task

Skip irrelevant iptables commands when certain features are not configured for the given instance of OSM. For example, a customer may decide to disable the Admin port: https://github.com/openservicemesh/osm/blob/release-v0.6/init/init-iptables.sh#L5


Scope (please mark with X where applicable)

  • New Functionality [ ]
  • Install [ ]
  • SMI Traffic Access Policy [ ]
  • SMI Traffic Specs Policy [ ]
  • SMI Traffic Split Policy [ ]
  • Permissive Traffic Policy [ ]
  • Ingress [ ]
  • Egress [ ]
  • Envoy Control Plane [ ]
  • CLI Tool [ ]
  • Metrics [ ]
  • Certificate Management [ ]
  • Sidecar Injection [x]
  • Logging [ ]
  • Debugging [ ]
  • Tests [ ]
  • CI System [ ]
  • Project Release [ ]

Possible use cases
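An added example (not OSM's own code) of the generator the issue proposes: the iptables commands are built from Go constants so the ports cannot drift from the controller's, and the admin-port exemption is emitted only when that feature is enabled, which covers the sub-task. EnvoyAdminPort is the name from the issue; the other port values, the UID and the chain names are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// EnvoyAdminPort is the constant the issue names; the other port and UID
// values here are assumptions for this example, not OSM's real ones.
const (
	EnvoyAdminPort    = 15000
	EnvoyOutboundPort = 15001
	EnvoyInboundPort  = 15003
	EnvoyUID          = 1337
)

// IptablesConfig holds the per-instance switches the generator honours
// (the sub-task: skip rules for features that are not configured).
type IptablesConfig struct {
	AdminPortEnabled bool // expose the Envoy admin listener to inbound traffic
}

// GenerateIptablesRules builds the iptables commands from the Go constants above.
// Rule order matters: exemptions (-j RETURN) must precede the catch-all redirect.
func GenerateIptablesRules(cfg IptablesConfig) []string {
	rules := []string{
		"iptables -t nat -N PROXY_REDIRECT",
		"iptables -t nat -N PROXY_IN_REDIRECT",
		fmt.Sprintf("iptables -t nat -A PROXY_REDIRECT -p tcp -j REDIRECT --to-port %d", EnvoyOutboundPort),
		fmt.Sprintf("iptables -t nat -A PROXY_IN_REDIRECT -p tcp -j REDIRECT --to-port %d", EnvoyInboundPort),
		// Envoy's own outbound traffic and loopback traffic must not be re-intercepted.
		fmt.Sprintf("iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner %d -j RETURN", EnvoyUID),
		"iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1/32 -j RETURN",
		"iptables -t nat -A OUTPUT -p tcp -j PROXY_REDIRECT",
	}
	if cfg.AdminPortEnabled {
		// Emitted only when the feature is on; otherwise inbound connections to the
		// admin port are redirected into the proxy like any other traffic.
		rules = append(rules, fmt.Sprintf("iptables -t nat -A PREROUTING -p tcp --dport %d -j RETURN", EnvoyAdminPort))
	}
	return append(rules, "iptables -t nat -A PREROUTING -p tcp -j PROXY_IN_REDIRECT")
}

// InitScript renders the rules as the script the init container would run.
func InitScript(cfg IptablesConfig) string {
	return "#!/bin/sh\nset -e\n" + strings.Join(GenerateIptablesRules(cfg), "\n") + "\n"
}

func main() {
	fmt.Print(InitScript(IptablesConfig{AdminPortEnabled: false}))
}
```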

@ksubrmnn
Contributor

ksubrmnn commented Jan 5, 2021

Whoever takes this up, it would be great if they could also address #2106 when writing the docs for this PR

@shashankram shashankram self-assigned this Jan 21, 2021
shashankram added a commit to shashankram/osm that referenced this issue Jan 21, 2021
This change generates the iptables commands within osm-controller
instead of running it as a script. The benefit in doing so is that
the controller can programmatically tweak iptables at the time
of sidecar injection, ex. to disable proxy admin port access.
Additionally, it prevents potential bugs due to code duplication
of port numbers used in iptable rules and within the controller.

Part of openservicemesh#2243

Signed-off-by: Shashank Ram <shashr2204@gmail.com>
shashankram added a commit to shashankram/osm that referenced this issue Jan 21, 2021
This change generates the iptables commands within osm-controller
instead of running it as a script. The benefit in doing so is that
the controller can programmatically tweak iptables at the time
of sidecar injection, ex. to disable proxy admin port access,
or exclude certain control plane traffic from being intercepted
in managed environments.
Additionally, it prevents potential bugs due to code duplication
of port numbers used in iptable rules and within the controller.

Part of openservicemesh#2243

Signed-off-by: Shashank Ram <shashr2204@gmail.com>
shashankram added a commit that referenced this issue Jan 21, 2021
…#2343)

This change generates the iptables commands within osm-controller
instead of running it as a script. The benefit in doing so is that
the controller can programmatically tweak iptables at the time
of sidecar injection, ex. to disable proxy admin port access,
or exclude certain control plane traffic from being intercepted
in managed environments.
Additionally, it prevents potential bugs due to code duplication
of port numbers used in iptable rules and within the controller.

Part of #2243

Signed-off-by: Shashank Ram <shashr2204@gmail.com>
@shashankram
Member

Fixed by #2343
