-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Linkerd #64
Comments
/cc @edwarnicke @ThetaDR Could you please double-check our investigation and provide results? |
Double-checked problem that was described above. linkerd-proxy really looks at Destination ip address of TCP-packet. Here in linkerd-proxy we can see that linkerd-proxy makes api call to discovery service with destionation addr. Linkerd's discovery service tries to find who owns this ip address among kubernetes services and pods HERE. If Discovery doesn't find anything, linkerd-proxy just forwards the TCP-packet to its initial destination. In our case, when we send TCP-packet from We decided to make Then we add routing rule to workload1 to route all traffic that has destination ip in
And we also add iptables rule to
This rule redirects all traffic from nsm interface to outbound-proxy, which looks at destination IP of a packet and discovers needed service. The only problem we have here is that this routing rule redirects all traffic to nsm interface if its destination ip is in Possible solutions
|
Solution with ipset, iproute2 and dnsmasqWe can create And the last thing, we use All this work should be done on NSC on the first cluster.
|
Solution with ip mutationsMain idea
It solves the problem with overlapping subnets. Now Steps
|
Why use the mark? Why not just change the first byte without the mark?
Is this mark just marking packets that should go out the NSM interface?
Couldn't all of this be done in the proxy rather than the NSC? |
How do we know that 199.0.0.0/8 is safe to use for this purpose? Is there a corresponding safe address to do this for IPv6? |
Have you looked at link local addresses? |
1. Why use the mark? Why not just change the first byte without the mark? 2. Is this mark just marking packets that should go out the NSM interface? 3. Couldn't all of this be done in the proxy rather than the NSC? 4. How do we know that 199.0.0.0/8 is safe to use for this purpose? Is there a corresponding safe address to do this for IPv6? 5. Have you looked at link local addresses? |
At this moment we found, that Linkerd is using IP addresses for endpoint identity
For example, here is using a destination ip from the tcp packet (e.g. 10.96.5.1) https://github.com/linkerd/linkerd2-proxy/blob/main/linkerd/service-profiles/src/client.rs#L133
In the extension use-case we have this datapath:
At step 4 we have destination IP of the NSM interface in the outgoing packet
And we need to replace it to the Workload IP to make Linkerd work
Steps:
The text was updated successfully, but these errors were encountered: