This repository has been archived by the owner on Jul 11, 2023. It is now read-only.
injector: Allow for customizations of iptables config based on OSM Controller observed context #2344
Comments
related issue: #1670

I'll look into this, should be straightforward.
shashankram added a commit to shashankram/osm that referenced this issue Jan 27, 2021
Adds capability in `injector` to configure global outbound IP range exclusion list via the osm-config ConfigMap. This is required in managed environments where certain outbound traffic (ex. access to node's metadata service, retrieve AAD access tokens for pods in AKS etc.). A subsequent change will expose configuring this option via osm cli. Part of openservicemesh#2344 Signed-off-by: Shashank Ram <shashr2204@gmail.com>
shashankram added a commit to shashankram/osm that referenced this issue Jan 27, 2021
Adds capability in `injector` to configure global outbound IP range exclusion list via the osm-config ConfigMap. This is required in managed environments where certain outbound traffic (ex. access to node's metadata service, retrieve AAD access tokens for pods in AKS etc.). A subsequent change will expose configuring this option via osm cli, document this option, and add validation webhook checks when ready to use. Part of openservicemesh#2344 Signed-off-by: Shashank Ram <shashr2204@gmail.com>
shashankram added a commit to shashankram/osm that referenced this issue Jan 27, 2021
Adds capability in `injector` to configure global outbound IP range exclusion list via the osm-config ConfigMap. This is required in managed environments where certain outbound traffic (ex. access to node's metadata service, retrieve AAD access tokens for pods in AKS etc.) needs to bypass the proxy. A subsequent change will expose configuring this option via osm cli, document this option, and add validation webhook checks when ready to use. Part of openservicemesh#2344 Signed-off-by: Shashank Ram <shashr2204@gmail.com>
shashankram added a commit to shashankram/osm that referenced this issue Jan 28, 2021
Adds checks in the validating webhook to ensure the value for the `outbound_ip_range_exclusion_list` field is as expected. Part of openservicemesh#2344 Signed-off-by: Shashank Ram <shashr2204@gmail.com>
shashankram added a commit to shashankram/osm that referenced this issue Jan 28, 2021

osm-config configMap allows specifying the outbound IP ranges to exclude from sidecar interception. Allow users to set this at install time. This can be set via the Helm chart directly or by using the `--set` option with the osm install command.

```
osm install \
    --set="OpenServiceMesh.outboundIPRangeExclusionList={1.1.1.1/32,2.2.2.2/24}"
```

Part of openservicemesh#2344 Signed-off-by: Shashank Ram <shashr2204@gmail.com>
shashankram added a commit to shashankram/osm that referenced this issue Feb 1, 2021
Adds an e2e test to verify the IP range exclusion feature. Iptable exclusion rules are programmed so that a client can reach a server without sidecar proxy redirection. Part of openservicemesh#2344 Signed-off-by: Shashank Ram <shashr2204@gmail.com>
With GitHub Issue #2243 we are going to change the iptables config from a static bash script to one dynamically generated in Go.
This task is to take this a step further and provide a way for specific traffic to bypass the Envoy proxy.
For instance, certain kinds of payload may need to access the local node's metadata service. In these Kubernetes configurations, we need to configure OSM so that this kind of traffic is allowed / unaffected through Envoy. This could be done via the OSM ConfigMap, command line arguments, CRD etc.
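A sketch of the validation and rule generation this thread describes, added here as an example and not taken from the OSM code base. The chain name, the rule text, the /8 breadth limit and the IPv4-only restriction are assumptions of the example; the two sample ranges are the ones from the `osm install` command above.

```go
package main

import (
	"fmt"
	"net"
)

// Assumed chain name for this sketch; the page does not show the rule text.
const proxyOutputChain = "PROXY_OUTPUT"

// Policy chosen for this example: a range broader than /8 exempts so much
// traffic from the sidecar that it is treated as a configuration error.
const minPrefixLen = 8

// validateExclusion checks one list entry the way a validating webhook might
// and returns the canonical network form (host bits cleared).
func validateExclusion(entry string) (string, error) {
	ip, ipNet, err := net.ParseCIDR(entry)
	if err != nil {
		return "", fmt.Errorf("%q is not a CIDR range: %w", entry, err)
	}
	if ip.To4() == nil {
		return "", fmt.Errorf("%q: this example only handles IPv4", entry)
	}
	if ones, _ := ipNet.Mask.Size(); ones < minPrefixLen {
		return "", fmt.Errorf("%q: /%d is broader than /%d", entry, ones, minPrefixLen)
	}
	return ipNet.String(), nil
}

// exclusionRules renders one RETURN rule per excluded range. It fails closed:
// a single bad entry yields no rules at all, so a typo cannot half-apply.
func exclusionRules(entries []string) ([]string, error) {
	rules := make([]string, 0, len(entries))
	for _, e := range entries {
		cidr, err := validateExclusion(e)
		if err != nil {
			return nil, err
		}
		// -I inserts at the head of the chain, ahead of any redirect rule.
		rules = append(rules, fmt.Sprintf("iptables -t nat -I %s -d %s -j RETURN", proxyOutputChain, cidr))
	}
	return rules, nil
}

func main() {
	rules, err := exclusionRules([]string{"1.1.1.1/32", "2.2.2.2/24"})
	fmt.Println(rules, err)
}
```

Traffic to an excluded range never reaches the proxy, so it gets no mTLS and no mesh policy; the breadth check is there to keep that exemption narrow.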