improbable-eng / kedge Goto Github PK

View Code? Open in Web Editor NEW

254.0 254.0 20.0 4.82 MB

kEdge - Kubernetes Edge Proxy for gRPC and HTTP Microservices

License: Apache License 2.0

Shell 0.61% Go 98.79% Makefile 0.29% JavaScript 0.13% Dockerfile 0.17%

frontend go golang k8s kubernetes proxy reverse tls

kedge's People

Contributors

Stargazers

Watchers

Forkers

joshpmcghee kdima bwplotka matiasinsaurralde claudiouzelac linus5 everesio franklinharry topiaruss iinvestplatform forkkit valer-cara brianwong1861 ivan-valkov improbable-os manuhmutua 0xack13 pinkdiamond1

kedge's Issues

resolvers: Use DNS resolution that supports TTL instead of arbitrary ttl.

We use https://github.com/improbable-eng/go-srvlb resolver to watch on resolver changes.

The interval of lookup is based on TTL, but std golang net libraries does not support those.

So either:

*: Refactor error wraps (reduce redundant info)

Error wraps are too verbose. E.g:

errors.Wrapf(err, "error on updating routing on event %v", event)`

Can be reduce to just:

errors.Wrapf(err, "update routing on event %v", event)`

kedge: Implement auth per route logic

There are some strong use cases to give fine-grained control over what permissions are needed for each individual route.

For OIDC it will be just expected permissions per certain route
For TLS certs - expected metadata

Preferably, it would be a separate layer before proper routing. We don't want to mix mapping with authorizing the request. Instead, we want to isolate potential auth bugs (up for discussion).

However, there are some specific arguments not to do it though.

Encourage additional auth per service. is easier to separate logic here and to not use kedge as default auth layer for service. (however, as an example, Nginx is doing exactly that)
Difficulty in maintenance and configuration of these auths per route.

Nevertheless, we can consider doing it if needed.

kedge: Add example kube configs, showing how to deploy kedge

Questions: would it be able to access RTSP connections in another cluster?

Hey, this looks AMAZING! Thank you for this.

I was wondering if it would be possible to access RTSP connections (next to HTTP) in another cluster?

Cédric

kedge: Add graceful shutdown in case of SIGTERM

kedge: Add gRPC adhoc rules

Similar to https://github.com/improbable-eng/kedge/blob/master/proto/kedge/config/http/routes/adhoc.proto we could potentially implement gRPC adhoc rules bases on authority.

winch: Consider ignoring not found auth source (from kube config) on startup -> check it only when used.

winch: Large file downloads might time and therefore give an `ERR_EMPTY_RESPONSE`

When trying to access the /debug/pprof/profile endpoint for a golang webserver with kedge/winch, I get an ERR_EMPTY_RESPONSE.

kedge: Spam of grpc: reset Transport log lines.

grpc: addrConn.resetTransport failed to create client transport: connection error: desc = "transport: Error while dialing dial tcp <IP>:<PORT> i/o timeout"; Reconnecting to {<IP>:<PORT> {}}

kedge: Implement IPAdhoc and PodAdhoc.

Basically this will allow debug, per container access.

How it should work?
IPAdhoc:

For some specified matcher in form of <ip>.matcher dial to ip and allow only some ports.
PodAdhoc:
For some specified matcher in form of <pod>.matcher - ask Kube API for pod IP (with some cache) and dial to fetched ip and allow only some ports.

winch: Cache kedge DNS resolution to optimize winch

We resolve all configured kEdges on demand. Even when it is used constantly, we perform DNS resolution every each time.

Let's optimize this. (DNS can be flaky)

kedge: Add support for advanced TLS configuration for backends

Right now, there is no possibility to configure correct TLS. The only possibility is to use insecure option.

Sometimes cannot run kubectl logs for longer than couple of minutes (EOF)

Running: kubectl logs <something -f

Gives some logs and after a ~minute it returns error: unexpected EOF

Winch:

WARN[337520] httputil: ReverseProxy read error during body copy: unexpected EOF
  caller=winch.ReverseProxy system=http

Kedge:
time="2018-05-22T13:56:10Z" level=warning msg="httputil: ReverseProxy read error during body copy: context canceled\n" caller="backend reverseProxy" system=http

Reading the blog article/readme, the architecture bears some similarities to the newly introduced Gateways in Istio, that allows bridging multiple kubernetes clusters or any infrastructure for that matter, while still leveraging a TLS infrastructure. (Disclaimer: I am one of the authors of the gateway in Istio). It would be educational and helpful for others (using Istio) to know the drawbacks of the architecture I describe below. If there are any limitations, we would be happy to address them. [sorry for spamming your issue list, but I couldn't get hold of your email]

Here is a simple strawman version of cross cluster communication using the gateways (https://github.com/rshriram/istio_federation_demo) which uses a similar architecture to yours (a globally shared DNS domain, ingress gateway to route to appropriate backend service, etc.). It has end to end mTLS (shared root CA, per cluster intermediate CA, etc.). With that, you would simply be able to do something like http://foo.bar.com, that would be upgraded to mTLS by the local sidecar (istio proxy), and forwarded to the remote gateway (authenticated via mTLS again), and then to the backend service.

Update github.com/rs/cors to at least v1.5.0

The /rs/cors package has this reported CVE CVE-2018-20744 when the CORS policy is set to *. Since the CORS policy is configurable with a flag it is possible a user could configure it to "*" resulting in insecure behaviour.

*: Add support for HTTP CONNECT proxy method.

This will allow to have TLS passthrough on all hops. However it requires Go client supporting HTTP CONNECT, which is scheduled to be in Go 1.10 release.