This repository has been archived by the owner on Mar 5, 2024. It is now read-only.

Supports use of ! prefix for interface name (#54)
There are some CNI implementations that make use of multiple
Elastic Network Interfaces and secondary IPs to assign pod IPs
directly from the VPC ranges. For example:

    https://github.com/aws/amazon-vpc-cni-k8s
    https://github.com/lyft/cni-ipvlan-vpc-k8s

For kiam to function correctly, it is necessary to have an iptables
rule that applies to all of the interfaces that pod traffic may come
from. And since these interfaces may be added and removed on demand,
it is necessary to have DNAT rules that will continue to work as
interfaces come and go.

iptables supports inverted matching for interface names which can be
useful to include all but certain interfaces in rules. For example:

    iptables --append PREROUTING --protocol tcp \
      --destination 169.254.169.254 --dport 80  \
      \! -i loopback   --jump DNAT  --table nat \
      --to-destination 10.100.100.3:8181

will apply the DNAT rule to all interfaces except the loopback.

This change puts the "!" for inverting the interface before the name
of the interface in the rules spec so that inverted rules work as
intended.
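As an added example (not the commit's own code), a Go variant of the rule-spec builder described above; it assumes the constant name `metadataAddress` from `cmd/agent/iptables.go` and a hypothetical `ifNameMax` limit, and goes beyond the patch by rejecting a bare `!`, an empty or over-long name, or a second `!` before the value ever reaches iptables.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Assumed values: metadataAddress mirrors the constant name in cmd/agent/iptables.go;
// ifNameMax is IFNAMSIZ-1, the Linux limit on interface name length.
const (
	metadataAddress = "169.254.169.254"
	ifNameMax       = 15
)

// interfaceMatch turns a host-interface flag value into iptables match
// arguments. A leading "!" selects every interface except the named one, and
// iptables requires that "!" before "-i"; the trimmed name is validated.
func interfaceMatch(hostInterface string) ([]string, error) {
	invert := strings.HasPrefix(hostInterface, "!")
	name := strings.TrimPrefix(hostInterface, "!")
	switch {
	case name == "":
		return nil, errors.New("interface name is empty")
	case len(name) > ifNameMax:
		return nil, fmt.Errorf("interface name %q exceeds %d bytes", name, ifNameMax)
	case strings.ContainsAny(name, "! \t\n"):
		return nil, fmt.Errorf("interface name %q contains invalid characters", name)
	}
	if invert {
		return []string{"!", "-i", name}, nil
	}
	return []string{"-i", name}, nil
}

// dnatRuleSpec builds the nat PREROUTING spec that redirects metadata API
// traffic arriving on the matched interface(s) to the kiam agent address.
func dnatRuleSpec(hostInterface, agentAddress string) ([]string, error) {
	match, err := interfaceMatch(hostInterface)
	if err != nil {
		return nil, err
	}
	spec := []string{"-p", "tcp", "-d", metadataAddress, "--dport", "80",
		"-j", "DNAT", "--to-destination", agentAddress}
	return append(spec, match...), nil
}

func main() {
	fmt.Println(dnatRuleSpec("!eth0", "10.100.100.3:8181"))
}
```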
chris-h-phillips authored and pingles committed Apr 28, 2018
1 parent cca30c4 commit 0b59cda
Showing 2 changed files with 17 additions and 3 deletions.
10 changes: 9 additions & 1 deletion README.md
Expand Up @@ -42,7 +42,15 @@ Please also make note of how to configure IAM in your AWS account; notes in [doc
Kiam is split into two processes that run independently.

### Agent
This is the process that would typically be deployed as a DaemonSet to ensure that Pods have no access to the AWS Metadata API. Instead, the agent runs an HTTP proxy which intercepts credentials requests and passes on anything else.
This is the process that would typically be deployed as a DaemonSet to ensure that Pods have no access to the AWS Metadata API. Instead, the agent runs an HTTP proxy which intercepts credentials requests and passes on anything else. An DNAT iptables [rule](cmd/agent/iptables.go) is required to intercept the traffic. The agent is capable of adding and removing the required rule for you through use of the `--iptables` [flag](cmd/agent/main.go). This is the name of the interface where pod traffic originates and it is different for the various CNI implementations. The flag also supports the `!` prefix for inverted matches should you need to match all but one interface.

##### Typical CNI Interface Names #####

| CNI | Interface | Notes |
|-----|-----------|-------|
| [cni-ipvlan-vpc-k8s](https://github.com/lyft/cni-ipvlan-vpc-k8s) | `!eth0` | This CNI plugin attaches multiple ENIs to the instance. Typically eth1-ethN (N depends on the instance type) are used for pods which leaves eth0 for the kubernetes control plane. The ! prefix on the interface name inverts the match so metadata service traffic from all interfaces except eth0 will be sent to the kiam agent. |
| [weave](https://www.weave.works/docs/net/latest/kubernetes/kube-addon/) | `weave` | |


### Server
This process is responsible for connecting to the Kubernetes API Servers to watch Pods and communicating with AWS STS to request credentials. It also maintains a cache of credentials for roles currently in use by running pods- ensuring that credentials are refreshed every few minutes and stored in advance of Pods needing them.
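Review bot: the added sentence `This is the name of the interface where pod traffic originates` has an ambiguous referent: it directly follows the sentence about the `--iptables` flag, so a reader will take `--iptables` to be the flag that carries the interface name, while the preceding sentence describes it as the switch that makes the agent add and remove the rule. Name the flag that actually holds the interface name in that sentence. Two smaller points: `An DNAT iptables rule` should read `A DNAT iptables rule`, and since the commit message itself has to escape the prefix as `\!`, the paragraph (and the `!eth0` table entry) should say that the `!` needs quoting when the value is passed through a shell.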
10 changes: 8 additions & 2 deletions cmd/agent/iptables.go
Expand Up @@ -16,6 +16,7 @@ package main
import (
"fmt"
"github.com/coreos/go-iptables/iptables"
"strings"
)

type rules struct {
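Review bot: style point on the import block: `"strings"` is a standard-library package, and gofmt/goimports convention groups it with `"fmt"` ahead of the third-party `github.com/coreos/go-iptables/iptables` path, separated by a blank line; as added it sits after the third-party import.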
Expand All @@ -42,14 +43,19 @@ func (r *rules) Add() error {
}

func (r *rules) ruleSpec() []string {
return []string{
rules := []string{
"-p", "tcp",
"-d", metadataAddress,
"--dport", "80",
"-j", "DNAT",
"--to-destination", r.kiamAddress(),
"-i", r.hostInterface,
}
if strings.HasPrefix(r.hostInterface, "!") {
rules = append(rules, "!")
}
rules = append(rules, "-i", strings.TrimPrefix(r.hostInterface, "!"))

return rules
}

func (r *rules) Remove() error {
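Review bot: `ruleSpec` never checks that anything is left once the `!` prefix is trimmed, so a `hostInterface` value of `"!"` (or an empty string, as before the change) yields `! -i ""` and the problem only surfaces as an iptables error when `Add` runs; validate the flag value at startup, or return an error from the spec builder, so a misconfigured agent cannot come up without the redirect rule that the README says is required to keep pods away from the metadata API. Also, the new local `rules := []string{` shadows the `rules` struct type that this method is defined on; a name such as `spec` avoids the confusion. A small unit test of `ruleSpec` with `eth0` and `!eth0` would pin the `!`-before-`-i` ordering the commit message relies on.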
