Use netlink interface directly (distroless) #136
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: aojea The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
k8s-ci-robot
added
do-not-merge/work-in-progress
I don't think there are any arguments for porting kube-network-policies to use netlink that wouldn't also apply to kube-proxy, so if you are thinking it makes sense to switch kube-network-policies over then we should document why and then move kube-proxy over too. |
I've been playing a lot with the netlink nftables interfaces these christmas and the API seems more solid, but the ecosystem is very small and very low level and you have to go directly to the source code a lot of times and to the wire representation mdlayher/netlink#219 ... kube-network-policies does not require much work, just 1 Sets and ~ 4 rules per ip family, and then adding and removing elements from sets, it is unlikely this project will require to add any new rules in the future I think that we need just this to answer the question if is worthy it, that is why we put these projects in kubernetes-sigs to explore and provide feedback ... if does not work we can just revert back |
FWIW I've been thinking about the possibility of a v2 json API for |
aojea
force-pushed
the
nftables_netlink
branch
from
7fcb127 to
b2b204b
Compare
k8s-ci-robot
added
size/XL
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
aojea
force-pushed
the
nftables_netlink
branch
from
b2b204b to
0400b94
Compare
kube-network-policies only need a specific set of nftables rules to be present to filter the undesired traffic and enqueue the traffic subject to inspection to userspace. There is an optimization using sets to avoid diverting the traffic that are not subject to policies to avoid the penalty of userspace, but besides that there is no plans to require more interaction with netfilter. Using the netfilter interface with nftables is complex and very low level, but since the netfilter interaction should not change much in the foreseeble future, the removal of the dependency on the userspace tools bring a big advantage in term of image size 72MB vs 92MB as today, and n the maintanance of the image, since we only need to maintain the golang binary.
aojea
force-pushed
the
nftables_netlink
branch
from
0400b94 to
8811249
Compare
nftables' virtual machine (VM) is incredibly flexible, allowing for a nice number of packet processing operations. I love that I do not need to understand the skbuff struct to do "things" with the packets. However, this flexibility has a ton of complexity and I can't say how to better model it:
I'm looking forward to your new API, IMHO for a new nftables API, the real challenge is on how to expose those powerful network operations in a programmer-friendly way, JSON is just the surface layer; the real issue to me is about the abstractions and programmability. |
aojea
changed the title
This removes the dependency on the
nftlibraries reducing size and exposure to vulnerabilities and user space changes, netlink API seems to be more stable https://docs.kernel.org/networking/netlink_spec/nftables.html and I will add more test to ensure the user space representation does not drift google/nftables#292