Implement traffic redirection exclusion based on proxy config and user-provided values #10134
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| ```release-note:feature | ||
| cli: Add additional flags to the `consul connect redirect-traffic` command to allow excluding inbound and outbound ports, | ||
| outbound CIDRs, and additional user IDs from traffic redirection. | ||
| ``` | ||
| ```release-note:feature | ||
| cli: Automatically exclude ports from `envoy_prometheus_bind_addr`, `envoy_stats_bind_addr`, and `ListenerPort` from `Expose` config | ||
| from inbound traffic redirection rules if `proxy-id` flag is provided to the `consul connect redirect-traffic` command. | ||
| ``` | ||
| ```release-note:feature | ||
| sdk: Allow excluding inbound and outbound ports, outbound CIDRs, and additional user IDs from traffic redirection in the `iptables` package. | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -3,6 +3,8 @@ package redirecttraffic | |
| import ( | ||
| "flag" | ||
| "fmt" | ||
| "net" | ||
| "strconv" | ||
|
|
||
| "github.com/hashicorp/consul/api" | ||
| "github.com/hashicorp/consul/command/flags" | ||
|
|
@@ -34,10 +36,14 @@ type cmd struct { | |
| client *api.Client | ||
|
|
||
| // Flags. | ||
| proxyUID string | ||
| proxyID string | ||
| proxyInboundPort int | ||
| proxyOutboundPort int | ||
| excludeInboundPorts []string | ||
| excludeOutboundPorts []string | ||
| excludeOutboundCIDRs []string | ||
| excludeUIDs []string | ||
| } | ||
|
|
||
| func (c *cmd) init() { | ||
|
|
@@ -48,6 +54,14 @@ func (c *cmd) init() { | |
| c.flags.IntVar(&c.proxyInboundPort, "proxy-inbound-port", 0, "The inbound port that the proxy is listening on.") | ||
| c.flags.IntVar(&c.proxyOutboundPort, "proxy-outbound-port", iptables.DefaultTProxyOutboundPort, | ||
| "The outbound port that the proxy is listening on. When not provided, 15001 is used by default.") | ||
| c.flags.Var((*flags.AppendSliceValue)(&c.excludeInboundPorts), "exclude-inbound-port", | ||
| "Inbound port to exclude from traffic redirection. May be provided multiple times.") | ||
| c.flags.Var((*flags.AppendSliceValue)(&c.excludeOutboundPorts), "exclude-outbound-port", | ||
| "Outbound port to exclude from traffic redirection. May be provided multiple times.") | ||
| c.flags.Var((*flags.AppendSliceValue)(&c.excludeOutboundCIDRs), "exclude-outbound-cidr", | ||
| "Outbound CIDR to exclude from traffic redirection. May be provided multiple times.") | ||
| c.flags.Var((*flags.AppendSliceValue)(&c.excludeUIDs), "exclude-uid", | ||
| "Additional user ID to exclude from traffic redirection. May be provided multiple times.") | ||
|
|
||
| c.http = &flags.HTTPFlags{} | ||
| flags.Merge(c.flags, c.http.ClientFlags()) | ||
|
|
@@ -105,12 +119,18 @@ func (c *cmd) Help() string { | |
| // with only the configuration values that we need to parse from Proxy.Config | ||
| // to apply traffic redirection rules. | ||
| type trafficRedirectProxyConfig struct { | ||
| BindPort int `mapstructure:"bind_port"` | ||
| PrometheusBindAddr string `mapstructure:"envoy_prometheus_bind_addr"` | ||
| StatsBindAddr string `mapstructure:"envoy_stats_bind_addr"` | ||
| } | ||
|
|
||
| // generateConfigFromFlags generates iptables.Config based on command flags. | ||
| func (c *cmd) generateConfigFromFlags() (iptables.Config, error) { | ||
| cfg := iptables.Config{ | ||
| ProxyUserID: c.proxyUID, | ||
| ProxyInboundPort: c.proxyInboundPort, | ||
| ProxyOutboundPort: c.proxyOutboundPort, | ||
| } | ||
|
|
||
| // When proxyID is provided, we set up cfg with values | ||
| // from proxy's service registration in Consul. | ||
|
|
@@ -132,21 +152,67 @@ func (c *cmd) generateConfigFromFlags() (iptables.Config, error) { | |
| return iptables.Config{}, fmt.Errorf("service %s is not a proxy service", c.proxyID) | ||
| } | ||
|
|
||
| // Decode proxy's opaque config so that we can use it later to configure | ||
| // traffic redirection with iptables. | ||
| var trCfg trafficRedirectProxyConfig | ||
| if err := mapstructure.WeakDecode(svc.Proxy.Config, &trCfg); err != nil { | ||
| return iptables.Config{}, fmt.Errorf("failed parsing Proxy.Config: %s", err) | ||
| } | ||
|
|
||
| // Set the proxy's inbound port. | ||
| cfg.ProxyInboundPort = svc.Port | ||
| if trCfg.BindPort != 0 { | ||
| cfg.ProxyInboundPort = trCfg.BindPort | ||
| } | ||
|
|
||
| // Set the proxy's outbound port. | ||
| cfg.ProxyOutboundPort = iptables.DefaultTProxyOutboundPort | ||
| if svc.Proxy.TransparentProxy != nil && svc.Proxy.TransparentProxy.OutboundListenerPort != 0 { | ||
| cfg.ProxyOutboundPort = svc.Proxy.TransparentProxy.OutboundListenerPort | ||
| } | ||
|
|
||
| // Exclude envoy_prometheus_bind_addr port from inbound redirection rules. | ||
| if trCfg.PrometheusBindAddr != "" { | ||
| _, port, err := net.SplitHostPort(trCfg.PrometheusBindAddr) | ||
| if err != nil { | ||
| return iptables.Config{}, fmt.Errorf("failed parsing host and port from envoy_prometheus_bind_addr: %s", err) | ||
| } | ||
|
|
||
| cfg.ExcludeInboundPorts = append(cfg.ExcludeInboundPorts, port) | ||
| } | ||
|
|
||
| // Exclude envoy_stats_bind_addr port from inbound redirection rules. | ||
| if trCfg.StatsBindAddr != "" { | ||
| _, port, err := net.SplitHostPort(trCfg.StatsBindAddr) | ||
| if err != nil { | ||
| return iptables.Config{}, fmt.Errorf("failed parsing host and port from envoy_stats_bind_addr: %s", err) | ||
| } | ||
|
|
||
| cfg.ExcludeInboundPorts = append(cfg.ExcludeInboundPorts, port) | ||
| } | ||
|
|
||
| // Exclude the ListenerPort from Expose configs from inbound traffic redirection. | ||
| for _, exposePath := range svc.Proxy.Expose.Paths { | ||
|
There was a problem hiding this comment. One thing I'm realizing is missing is this bit of magic: If someone enables this, Consul will dynamically expose checks on a listener for each check: Line 3839 in c343544 We don't expose what port is allocated in any of our APIs, similarly to how we don't expose check definitions via any of our APIs, only check statuses. See this comment for more information on why: #7330 (comment) There are a few potential solutions to discover those ports off the top of my head:
There was a problem hiding this comment. So based on the discussion today we should go with #1. The exposed ports are generated in a few places. One is where we add checks: Line 2610 in 0c9555e Line 2541 in 0c9555e In And the other is where we add services with checks: Line 3791 in 0c9555e Line 3818 in 0c9555e In these two other methods we'll need to query There was a problem hiding this comment. That's a great find! Let me address this in a separate PR so that this one can be included in beta2. |
||
| if exposePath.ListenerPort != 0 { | ||
| cfg.ExcludeInboundPorts = append(cfg.ExcludeInboundPorts, strconv.Itoa(exposePath.ListenerPort)) | ||
| } | ||
| } | ||
| } | ||
|
|
||
| for _, port := range c.excludeInboundPorts { | ||
| cfg.ExcludeInboundPorts = append(cfg.ExcludeInboundPorts, port) | ||
| } | ||
|
|
||
| for _, port := range c.excludeOutboundPorts { | ||
| cfg.ExcludeOutboundPorts = append(cfg.ExcludeOutboundPorts, port) | ||
| } | ||
|
|
||
| for _, cidr := range c.excludeOutboundCIDRs { | ||
| cfg.ExcludeOutboundCIDRs = append(cfg.ExcludeOutboundCIDRs, cidr) | ||
| } | ||
|
|
||
| for _, uid := range c.excludeUIDs { | ||
| cfg.ExcludeUIDs = append(cfg.ExcludeUIDs, uid) | ||
| } | ||
|
|
||
| return cfg, nil | ||
|
|
||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would it be valuable to also be able to exclude GIDs?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it could be. The main reason we're adding this is to better support the VM use case when you might want to exclude other processes/uids/gids from traffic redirection. I'm inclined to wait for users' feedback on this one because I'm not sure what would be valuable there.