kubenetworks / kubevpn

KubeVPN offers a Cloud Native Dev Environment that connects to kubernetes cluster network.
https://www.kubevpn.cn
MIT License
558 stars 45 forks

can 'kubevpn proxy' support user customizing local port #174

Closed kyr1eeee closed 8 months ago

kyr1eeee commented 8 months ago

Hello! After using this fantastic tool for some time, I have to say that kubevpn proxy is so convenient. I encountered a few problems when using kubevpn proxy. In my k8s cluster there is a testservice deployment; here are its container manifests:

Containers:
   hello:
    Image:      xx
    Port:       8003/TCP
    Host Port:  0/TCP
   hi:
    Image:      yy
    Port:       8004/TCP
    Host Port:  0/TCP

For now, after running kubevpn proxy deployment/testservice --headers a=1, the envoy config is:

- Ports:
  - containerPort: 8003
    protocol: TCP
  - containerPort: 8004
    protocol: TCP
  Rules:
  - Headers:
      a: "1"
    LocalTunIPv4: 223.254.0.102
    LocalTunIPv6: efff:ffff:ffff:ffff:ffff:ffff:ffff:999b
  Uid: deployments.apps.testservice

When requesting port 8003 of testservice with headers a=1, the request will be proxied to local port 8003. When requesting port 8004 of testservice with headers a=1, the request will be proxied to local port 8004. It works fine in this scenario.

BUT IN THE TWO SCENARIOS BELOW, LOCAL PORT CONFLICTS OCCUR:

Scenario 1: I have two services, 'testservice1' and 'testservice2', with these container manifests:

testservice1:

Containers:
   hello:
    Image:      xx
    Port:       8003/TCP
    Host Port:  0/TCP

testservice2:

Containers:
   hi:
    Image:      xx
    Port:       8003/TCP
    Host Port:  0/TCP

I want to proxy the two services to my local PC, but both services will be proxied to port 8003 of my local PC, so it will not be feasible.

Scenario 2: I have a service 'testservice3', with this container manifest:

Containers:
   hello:
    Image:      xx
    Port:       43029/TCP
    Host Port:  0/TCP

I want to proxy this testservice to my local PC, but the container port 43029 is already used by an import process on my local PC, so it will not be feasible either.

So I wonder if the kubevpn proxy command could add a proxy port option for special users, like kubevpn proxy deployment/testservice --headers a=1 --portMap 8003:28003. The envoy config could then look like this:

ENVOY_CONFIG:
----
- Ports:
  - containerPort: 8003
    protocol: TCP
  - containerPort: 8004
    protocol: TCP
  Rules:
  - Headers:
      a: "1"
    LocalTunIPv4: 223.254.0.102
    LocalTunIPv6: efff:ffff:ffff:ffff:ffff:ffff:ffff:999b
    PortMap:
    - 8003:28003
  Uid: deployments.apps.testservice

Then the control plane can create the local endpoint 223.254.0.102:28003. Requests with header 'a=1' will be proxied to the local PC's port 28003 without a port conflict. containerPort 8004 has no PortMap entry, so it can still be proxied to the local PC's port 8004. So this feature will not affect users who do not need a customized local port in the proxy scenario.

wencaiwulue commented 8 months ago

Yes, it's a good idea. I will add this feature as soon as possible.

wencaiwulue commented 8 months ago

@kyr1eeee I finished this feature in this PR: https://github.com/kubenetworks/kubevpn/pull/176. You can build kubevpn yourself, or you can wait maybe one or two weeks for the new version to be released ~

kyr1eeee commented 8 months ago

> @kyr1eeee I finished this feature in this PR: #176. You can build kubevpn yourself, or you can wait maybe one or two weeks for the new version to be released ~

OK, thanks

kyr1eeee commented 8 months ago

It seems not to be perfect. If user A proxies deployment/test-svc with portMap 18003:8003 and user B proxies deployment/test-svc with portMap 28003:8003, user B's rule will not work. Should the portMap be added to a rule?

wencaiwulue commented 8 months ago

> It seems not to be perfect. If user A proxies deployment/test-svc with portMap 18003:8003 and user B proxies deployment/test-svc with portMap 28003:8003, user B's rule will not work. Should the portMap be added to a rule?

Yes, you are right. It's my fault. I will fix it as soon as possible.

wencaiwulue commented 8 months ago

> It seems not to be perfect. If user A proxies deployment/test-svc with portMap 18003:8003 and user B proxies deployment/test-svc with portMap 28003:8003, user B's rule will not work. Should the portMap be added to a rule?

> Yes, you are right. It's my fault. I will fix it as soon as possible.

@kyr1eeee fixed it in PR https://github.com/kubenetworks/kubevpn/pull/182

wencaiwulue commented 8 months ago

Already released new version v2.2.3, which adds this feature. You can give it a try ~

kyr1eeee commented 8 months ago

It still has a bug: in the daemon/action/proxy.go:Proxt() func, the portMap should be updated to req.PortMap, otherwise the control-plane rules will be mixed.

    svr.connect.Workloads = req.Workloads
    svr.connect.Headers = req.Headers
    //svr.connect.PortMap= req.PortMap
    err = svr.connect.CreateRemoteInboundPod(ctx)

kyr1eeee commented 8 months ago

@wencaiwulue

wencaiwulue commented 8 months ago

> It still has a bug: in the daemon/action/proxy.go:Proxt() func, the portMap should be updated to req.PortMap, otherwise the control-plane rules will be mixed.
>
>     svr.connect.Workloads = req.Workloads
>     svr.connect.Headers = req.Headers
>     //svr.connect.PortMap= req.PortMap
>     err = svr.connect.CreateRemoteInboundPod(ctx)

Yes, you are right. Here is the PR: https://github.com/kubenetworks/kubevpn/pull/190

wencaiwulue commented 8 months ago

@kyr1eeee Already re-released version v2.2.3. You can use the command kubevpn upgrade to give it a try ~. Thanks for reporting this bug.

kyr1eeee commented 8 months ago

> @kyr1eeee Already re-released version v2.2.3. You can use the command kubevpn upgrade to give it a try ~. Thanks for reporting this bug.

OK, I just want to try the proxy mode.
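
The per-rule port mapping discussed in this thread, as an added Go example that is not kubevpn's own code: each rule carries its own PortMap, so two users proxying the same workload resolve to different local endpoints, and a container port with no entry falls back to the same local port. The `Rule` type, the `containerPort:localPort` entry order (taken from the original proposal) and the second tunnel IP are assumptions.

```go
package main

import "fmt"

// Rule is a hypothetical per-user rule modelled on the envoy config in the issue.
type Rule struct {
	Headers      map[string]string
	LocalTunIPv4 string
	PortMap      []string // assumed entry format: "containerPort:localPort"
}

// LocalPort returns the mapped local port, or containerPort when the rule has no entry for it.
func (r Rule) LocalPort(containerPort int) (int, error) {
	for _, e := range r.PortMap {
		var c, l int
		if n, _ := fmt.Sscanf(e, "%d:%d", &c, &l); n != 2 || c < 1 || c > 65535 || l < 1 || l > 65535 {
			return 0, fmt.Errorf("invalid portMap entry %q", e)
		}
		if c == containerPort {
			return l, nil
		}
	}
	return containerPort, nil
}

// Resolve returns the local endpoint of the first rule whose headers all match, or "" if none does.
func Resolve(rules []Rule, hdr map[string]string, containerPort int) (string, error) {
next:
	for _, r := range rules {
		for k, v := range r.Headers {
			if hdr[k] != v {
				continue next
			}
		}
		p, err := r.LocalPort(containerPort)
		if err != nil {
			return "", err
		}
		return fmt.Sprintf("%s:%d", r.LocalTunIPv4, p), nil
	}
	return "", nil
}

func main() {
	rules := []Rule{ // constructed sample: two users proxying the same workload
		{map[string]string{"a": "1"}, "223.254.0.102", []string{"8003:28003"}},
		{map[string]string{"a": "2"}, "223.254.0.103", []string{"8003:18003"}},
	}
	fmt.Println(Resolve(rules, map[string]string{"a": "2"}, 8003))
}
```

Keeping the map on the rule rather than on the workload is what lets the second user's mapping survive the first one's.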