Closed klingerf closed 5 years ago
the primary (only?) reason
I can think of a few other reasons one might want to skip the proxy completely:
I'm on the fence as to whether or not we'd want to repurpose the existing CLI flags or create new ones for this.
I think users would expect flags named like this to completely bypass the proxy on those ports, so if we were to remove the full "skip" functionality then we should try to find better names if we can come up with any.
Something similar is needed to talk to external cluster file servers. At the moment its not possible to use ceph-fuse inside of a pod as the required ports are in a range 6800-7300 + some others. So it seems to be better to just skip the proxy by ip?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
@olix0r is this still valid? Seems pretty useful.
As far as I understand, the skip-ports configurations impact both iptables and the proxy today. So, it's probably technically possible to stop setting this configuration on proxy-init, though I'm not clear on the benefits of using the proxy in this scenario.
TCP metrics for now, possibility of TLS in the future (obviously with lots of details to sort out).
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
@grampelberg or @olix0r reopen as per the Feb 27th comment?
I'm looking for a ticket to track TLS for TCP
, and this seems as good as any others, please redirect me if I'm missing a feature request ticket that I should follow instead.
Would you mind opening a new issue that is specific to your use case @007? It is super helpful for scoping to have something that is exactly what you're looking for. Getting details about what protocols you're looking to have mTLS'd, where this all exists in your infrastructure and how they talk together helps make sure the solution is exactly what you want.
Tks @grampelberg, #3207 filed.
The
--skip-inbound-ports
and--skip-outboud-ports
flags passed tolinkerd inject
are used by the proxy-init container to modify the list of ignored ports in the pod's iptables rules. This causes requests to those ports to bypass the proxy altogether.At this point, the primary (only?) reason to use those flags is to accommodate server-speaks-first protocols on non-default ports, for which the proxy cannot reliably determine the protocol. It's possible to configure the proxy to disable protocol detection on specific ports, however, using the following variables:
So it seems feasible that, instead of bypassing the proxy altogether, we could just disable protocol detection, which would result in the proxy being able to proxy these requests as TCP.
I'm on the fence as to whether or not we'd want to repurpose the existing CLI flags or create new ones for this.
Relates to #1281.