metal-stack / firewall-controller

A kubernetes controller running on bare-metal firewalls, creating nftables rules, configures suricata, collects network metrics
MIT License

nftables and node exporter service are not exportable #31

Closed majst01 closed 4 years ago

majst01 commented 4 years ago
k --kubeconfig m04 port-forward -n firewall svc/nftables-exporter 9630 9630
error: cannot attach to *v1.Service: invalid service 'nftables-exporter': Service is defined without a selector

same with kubefwd:

kubefwd --kubeconfig m04 svc -n firewall
INFO[18:40:21]  _          _           __             _     
INFO[18:40:21] | | ___   _| |__   ___ / _|_      ____| |    
INFO[18:40:21] | |/ / | | | '_ \ / _ \ |_\ \ /\ / / _  |    
INFO[18:40:21] |   <| |_| | |_) |  __/  _|\ V  V / (_| |    
INFO[18:40:21] |_|\_\\__,_|_.__/ \___|_|   \_/\_/ \__,_|    
INFO[18:40:21]                                              
INFO[18:40:21] Version 1.13.1                               
INFO[18:40:21] https://github.com/txn2/kubefwd              
INFO[18:40:21]                                              
INFO[18:40:21] Press [Ctrl-C] to stop forwarding.           
INFO[18:40:21] 'cat /etc/hosts' to see all host entries.    
INFO[18:40:21] Loaded hosts file /etc/hosts                 
INFO[18:40:21] Hostfile management: Original hosts backup already exists at /root/hosts.original 
WARN[18:40:23] WARNING: No Pod selector for service nftables-exporter in firewall on cluster . 
WARN[18:40:23] WARNING: No Pod selector for service node-exporter in firewall on cluster .

majst01 commented 4 years ago

My wild guess is we simply need to add a selector like:

apiVersion: v1
kind: Service
spec:
  clusterIP: None
  ports:
  - port: 9630
    protocol: TCP
    targetPort: nftexporter
  sessionAffinity: None
  selector:
    app: nftexporter
  type: ClusterIP

mwindower commented 4 years ago

I just tested a curl to the services within the cluster and would not have thought that forwarding those services is possible.

And reading the code of kubefwd, it seems kubefwd cannot forward headless services that don't have pods in the background. kubefwd looks up the pods behind a service and picks one of the podIPs to forward to:

https://github.com/txn2/kubefwd/blob/642fa5e2be7404378e9581ef2a151468337ea31c/pkg/fwdservice/fwdservice.go#L114 https://github.com/txn2/kubefwd/blob/642fa5e2be7404378e9581ef2a151468337ea31c/pkg/fwdservice/fwdservice.go#L52

This is what we could do about it:

majst01 commented 4 years ago

I will add a small explanation to the existing documentation on how to use these services.

mwindower commented 4 years ago

The metrics can be accessed like this from within a cluster:

curl nftables-exporter.firewall.svc.cluster.local:9630/metrics
curl node-exporter.firewall.svc.cluster.local:9100/metrics
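
The lookup described in the comments above, as an added illustration that is not part of the issue or of kubefwd's own code: a Service is forwardable only when its selector matches a pod, so a selector-less headless Service falls back to the in-cluster DNS name used in the curl lines. The Service and Pod objects, the pod IP and the cluster domain are constructed assumptions.

```python
"""Mirror the kubefwd lookup described above: a Service is forwarded by picking
a pod that matches its selector, so a selector-less headless Service has no
forward target and is reached by its in-cluster DNS name instead.
All Service/Pod dicts here are constructed samples in Kubernetes API shape."""

CLUSTER_DOMAIN = "cluster.local"  # assumed default cluster domain


def matching_pod_ips(service, pods):
    """IPs of pods in the Service's namespace matching its selector.
    An absent or empty selector matches nothing (no pods behind it)."""
    selector = service["spec"].get("selector") or {}
    if not selector:
        return []
    ns = service["metadata"]["namespace"]
    return [
        p["status"]["podIP"]
        for p in pods
        if p["metadata"]["namespace"] == ns
        and p["status"].get("podIP")
        and all(p["metadata"].get("labels", {}).get(k) == v
                for k, v in selector.items())
    ]


def access_plan(service, pods):
    """("port-forward", pod_ip, port) when a pod can be forwarded to,
    else ("in-cluster", dns_name, port) as used in the curl lines above."""
    port = service["spec"]["ports"][0]["port"]
    ips = matching_pod_ips(service, pods)
    if ips:
        return ("port-forward", ips[0], port)
    meta = service["metadata"]
    return ("in-cluster",
            f"{meta['name']}.{meta['namespace']}.svc.{CLUSTER_DOMAIN}", port)


# Constructed samples: the selector-less service from the issue, the variant
# with the proposed selector, and one pod carrying that label.
NFTABLES_EXPORTER = {
    "metadata": {"name": "nftables-exporter", "namespace": "firewall"},
    "spec": {"clusterIP": "None", "ports": [{"port": 9630}]},
}
WITH_SELECTOR = {
    "metadata": {"name": "nftables-exporter", "namespace": "firewall"},
    "spec": {"clusterIP": "None", "selector": {"app": "nftexporter"},
             "ports": [{"port": 9630}]},
}
PODS = [{"metadata": {"namespace": "firewall", "labels": {"app": "nftexporter"}},
         "status": {"podIP": "10.244.1.7"}}]  # constructed pod IP
```

Note that on a bare-metal firewall the exporters are not pods, so adding a selector only changes the error, not the reachability; the in-cluster DNS path is the one that works.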

majst01 commented 4 years ago

added all this to the documentation