This repository has been archived by the owner on Jul 11, 2023. It is now read-only.

injector: allow outbound IP range exclusions #2401

Merged
merged 1 commit into from
Jan 28, 2021

Conversation

shashankram
Member

@shashankram shashankram commented Jan 27, 2021

Description:
Adds capability in injector to configure global outbound
IP range exclusion list via the osm-config ConfigMap. This
is required in managed environments where certain outbound
traffic (ex. access to node's metadata service, retrieve
AAD access tokens for pods in AKS etc.) needs to bypass the
proxy.

It also updates iptables rules generation for better readability.

A subsequent change will expose configuring this option via
osm cli, document this option, and add validation webhook checks
when ready to use.

Part of #2344

Signed-off-by: Shashank Ram <shashr2204@gmail.com>

Affected area:

  • New Functionality [ ]
  • Documentation [ ]
  • Install [ ]
  • Control Plane [ ]
  • CLI Tool [ ]
  • Certificate Management [ ]
  • Networking [X]
  • Metrics [ ]
  • SMI Policy [ ]
  • Security [ ]
  • Tests [ ]
  • CI System [ ]
  • Performance [ ]
  • Other [ ]

Please answer the following questions with yes/no.

  • Does this change contain code from or inspired by another project? If so, did you notify the maintainers and provide attribution?
    No

@shashankram shashankram requested a review from a team as a code owner January 27, 2021 22:56
@shashankram shashankram requested a review from draychev January 27, 2021 22:56
Adds capability in `injector` to configure global outbound
IP range exclusion list via the osm-config ConfigMap. This
is required in managed environments where certain outbound
traffic (ex. access to node's metadata service, retrieve
AAD access tokens for pods in AKS etc.) needs to bypass the
proxy.

A subsequent change will expose configuring this option via
osm cli, document this option, and add validation webhook checks
when ready to use.

Part of openservicemesh#2344

Signed-off-by: Shashank Ram <shashr2204@gmail.com>
@shashankram shashankram merged commit e5f22ee into openservicemesh:main Jan 28, 2021
@shashankram shashankram deleted the ipexclude-injector branch January 28, 2021 17:50
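
An exclusion list like the one this PR describes lets traffic bypass the sidecar proxy, so each entry deserves validation before it becomes an iptables rule. The sketch below is an added example, not code from this PR or from OSM; the comma-separated list format, the `exclusionRules` helper, the `/8` breadth floor and the `EXAMPLE_PROXY_OUTPUT` chain name are all assumptions.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// minPrefixLen is an assumed policy floor: anything broader than a /8
// would let most outbound traffic skip the proxy, so it is rejected.
const minPrefixLen = 8

// exclusionRules (hypothetical helper) validates a comma-separated IPv4 CIDR
// list and returns one iptables RETURN rule per unique range. The rules must
// be placed before the chain's redirect-to-proxy rule to take effect.
func exclusionRules(list, chain string) ([]string, error) {
	var rules []string
	seen := map[string]bool{}
	for _, item := range strings.Split(list, ",") {
		item = strings.TrimSpace(item)
		if item == "" {
			continue // tolerate trailing commas and blank entries
		}
		ip, ipNet, err := net.ParseCIDR(item)
		if err != nil {
			return nil, fmt.Errorf("invalid CIDR %q: %w", item, err)
		}
		if ip.To4() == nil {
			return nil, fmt.Errorf("%q: only IPv4 is handled here", item)
		}
		if !ip.Equal(ipNet.IP) {
			return nil, fmt.Errorf("%q has host bits set, expected %s", item, ipNet)
		}
		if ones, _ := ipNet.Mask.Size(); ones < minPrefixLen {
			return nil, fmt.Errorf("%q is broader than /%d", item, minPrefixLen)
		}
		if key := ipNet.String(); !seen[key] {
			seen[key] = true
			rules = append(rules, fmt.Sprintf("-A %s -d %s -j RETURN", chain, key))
		}
	}
	return rules, nil
}

func main() {
	// Constructed sample list; EXAMPLE_PROXY_OUTPUT is a placeholder chain name.
	rules, err := exclusionRules("169.254.169.254/32, 10.0.0.0/24", "EXAMPLE_PROXY_OUTPUT")
	fmt.Println(rules, err)
}
```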