Allow customisation of sleeperImage in --replace mode for compliance with cluster restrictions
#3758
Comments
|
@kbatalin I'm considering a solution where there would be no replacement container at all. Instead, the traffic-agent would serve as the replacement. The traffic-agent would then listen and forward all ports that the replaced container was listening to to the local process. Would such a solution work for your use-case? |
|
@thallgren If I understand correctly, in this proposed solution, the original container would be completely replaced by the traffic-agent, and no background processes from the original container would remain active. Is that correct? If so, this approach might work for my use case, as the key requirement is to stop any background tasks or processes from the original container while testing or developing locally. |
There's no need to have a dormant container because the traffic-agent can serve as the replacement itself. That way, there's no need to redirect ports either, which means that there's no need to rename ports or use an init-container. An annotation is added to the pod to cater for when multiple injections happen due to replace-policy, so that injections that follow the one when an app-container is removed can reproduce the traffic-agent container, taking its ports, mounts, and environment into account. Closes #3758 Signed-off-by: Thomas Hallgren <thomas@tada.se>
There's no need to have a dormant container because the traffic-agent can serve as the replacement itself. That way, there's no need to redirect ports either, which means that there's no need to rename ports or use an init-container. An annotation is added to the pod to cater for when multiple injections happen due to replace-policy, so that injections that follow the one when an app-container is removed can reproduce the traffic-agent container, taking its ports, mounts, and environment into account. Closes #3758 Signed-off-by: Thomas Hallgren <thomas@tada.se>
Please describe your use case / problem.
When using Telepresence in
--replacemode to intercept a deployment, the service container is replaced with a "sleeperImage" (currently hardcoded toalpine:latest). However, in my environment, I face restrictions on the Docker registries and versions of images allowed in the cluster. This hardcoding prevents me from using Telepresence effectively in--replacemode due to compliance and compatibility constraints.I need the
--replacemode specifically for services that run background tasks, as the ordinary interception via sidecar only redirects traffic to the local process but does not handle the original container's background jobs, which continue working. While sidecar-based interception is fast and sufficient for most use cases, it is inadequate for scenarios involving tasks such as batch processing or scheduled jobs.Describe the solution you'd like
I would like the ability to override the sleeperImage (including the image registry and tag) used in
--replacemode. This could be implemented in a way that allows flexibility, such as:Either option would work, though the former might be better for environments with stricter cluster-wide policies.
Describe alternatives you've considered
Manually stopping the original container before each interception.
While this could stop the background processes temporarily, it introduces challenges with liveness probes configured on the deployment, which may trigger pod restarts or other issues.
Versions (please complete the following information)
telepresence version:all versions
Additional context
This feature would significantly enhance Telepresence's usability for services with background tasks and in restricted environments. Example of the command:
telepresence intercept <name> --port <ports> --env-file <env-file> --replaceThe text was updated successfully, but these errors were encountered: