
injector: allow redirection of app traffic to itself (#4411)
This change allows an app to invoke itself by enabling
the necessary iptables rules. It allows an app to direct
traffic to itself when:
1. app directs traffic to its pod IP
2. app directs traffic to its k8s service IP
   which is then resolved to the local pod IP
   by Envoy.

Resolves #4340

Signed-off-by: Shashank Ram <[email protected]>
shashankram authored Jan 4, 2022
1 parent 0f4fecd commit 97fac56
Showing 3 changed files with 13 additions and 0 deletions.
2 changes: 2 additions & 0 deletions pkg/injector/init_container_test.go
Expand Up @@ -52,6 +52,8 @@ var _ = Describe("Test functions creating Envoy bootstrap configuration", func()
-A OSM_PROXY_OUT_REDIRECT -p tcp -j REDIRECT --to-port 15001
-A OSM_PROXY_OUT_REDIRECT -p tcp --dport 15000 -j ACCEPT
-A OUTPUT -p tcp -j OSM_PROXY_OUTBOUND
-A OSM_PROXY_OUTBOUND -o lo ! -d 127.0.0.1/32 -m owner --uid-owner 1500 -j OSM_PROXY_IN_REDIRECT
-A OSM_PROXY_OUTBOUND -o lo -m owner ! --uid-owner 1500 -j RETURN
-A OSM_PROXY_OUTBOUND -m owner --uid-owner 1500 -j RETURN
-A OSM_PROXY_OUTBOUND -d 127.0.0.1/32 -j RETURN
-A OSM_PROXY_OUTBOUND -j OSM_PROXY_OUT_REDIRECT
9 changes: 9 additions & 0 deletions pkg/injector/iptables.go
Expand Up @@ -19,6 +19,15 @@ var iptablesOutboundStaticRules = []string{
// For outbound TCP traffic jump from OUTPUT chain to OSM_PROXY_OUTBOUND chain
"-A OUTPUT -p tcp -j OSM_PROXY_OUTBOUND",

// Outbound traffic from Envoy to the local app over the loopback interface should jump to the inbound proxy redirect chain.
// So when an app directs traffic to itself via the k8s service, traffic flows as follows:
// app -> local envoy's outbound listener -> iptables -> local envoy's inbound listener -> app
fmt.Sprintf("-A OSM_PROXY_OUTBOUND -o lo ! -d 127.0.0.1/32 -m owner --uid-owner %d -j OSM_PROXY_IN_REDIRECT", constants.EnvoyUID),

// Outbound traffic from the app to itself over the loopback interface is not be redirected via the proxy.
// E.g. when app sends traffic to itself via the pod IP.
fmt.Sprintf("-A OSM_PROXY_OUTBOUND -o lo -m owner ! --uid-owner %d -j RETURN", constants.EnvoyUID),

// Don't redirect Envoy traffic back to itself, return it to the next chain for processing
fmt.Sprintf("-A OSM_PROXY_OUTBOUND -m owner --uid-owner %d -j RETURN", constants.EnvoyUID),

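Review bot: The comment above the new loopback RETURN rule reads `is not be redirected` and, more importantly, understates the rule's reach: `-o lo -m owner ! --uid-owner %d -j RETURN` matches every non-Envoy process in the pod (not only the app) and every loopback destination other than 127.0.0.1, and that traffic reaches the application socket without ever passing the inbound listener the preceding comment describes, so whatever the proxy enforces on the inbound path presumably does not apply to it. Suggest `// Loopback traffic from any non-Envoy UID (e.g. the app sending to its own pod IP) is returned unredirected; it bypasses the proxy's inbound listener entirely.` The `-o lo ! -d 127.0.0.1/32 --uid-owner` redirect is only effective because it is placed ahead of the unconditional Envoy-UID RETURN that follows it, which is worth pinning down with a one-line comment such as `// Must precede the Envoy-UID RETURN below.` The enclosing iptablesOutboundStaticRules slice starts above the hunk and continues past it.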
2 changes: 2 additions & 0 deletions pkg/injector/iptables_test.go
Expand Up @@ -33,6 +33,8 @@ func TestGenerateIptablesCommands(t *testing.T) {
-A OSM_PROXY_OUT_REDIRECT -p tcp -j REDIRECT --to-port 15001
-A OSM_PROXY_OUT_REDIRECT -p tcp --dport 15000 -j ACCEPT
-A OUTPUT -p tcp -j OSM_PROXY_OUTBOUND
-A OSM_PROXY_OUTBOUND -o lo ! -d 127.0.0.1/32 -m owner --uid-owner 1500 -j OSM_PROXY_IN_REDIRECT
-A OSM_PROXY_OUTBOUND -o lo -m owner ! --uid-owner 1500 -j RETURN
-A OSM_PROXY_OUTBOUND -m owner --uid-owner 1500 -j RETURN
-A OSM_PROXY_OUTBOUND -d 127.0.0.1/32 -j RETURN
-A OSM_PROXY_OUTBOUND -j OSM_PROXY_OUT_REDIRECT
