Kubernetes Transparent Proxy with mitmproxy and initializers

danisla/kubernetes-tproxy

Kubernetes Transparent Proxy

Transparent proxy and filtering for Kubernetes pods.

This project provides a transparent proxy for pods in two deployment scenarios:

  1. On any K8S cluster with manual addition of the init container.
  2. A K8S 1.7+ cluster with deployment annotations and initializers to inject the init container.

The init container is responsible for adding the firewall rules that redirect outbound HTTP/S traffic to the proxy server.

See the Helm chart README.md for all chart configuration options.

Technology used:

Deploying without initializers

Kubernetes Initializers are in alpha as of 1.7. This section shows how to deploy and use the transparent proxy on a K8S 1.6 cluster.

Figure 1. tproxy diagram

  1. Install the Helm chart:

      cd charts/tproxy
      helm install -n tproxy .
      cd -

  2. Run the example app:

      kubectl apply -f examples/debian-locked-manual.yaml

  3. Inspect the logs:

      kubectl logs --selector=app=debian-app,variant=locked --tail=4

Example output:

https://www.google.com: 418
https://storage.googleapis.com/solutions-public-assets/: 200
PING www.google.com (209.85.200.147): 56 data bytes
ping: sending packet: Operation not permitted

Deploying with Initializers

Using the Kubernetes Initializer simplifies the runtime configuration. The initializer automatically intercepts deployments with the annotation "initializer.kubernetes.io/tproxy": "true" and adds the init container to the deployment.

Figure 1. tproxy with initializers diagram

  1. Create an alpha GKE cluster with initializer support:

      gcloud container clusters create tproxy-example \
        --zone us-central1-f \
        --machine-type n1-standard-1 \
        --num-nodes 3 \
        --enable-kubernetes-alpha \
        --cluster-version 1.7.6

     NOTE: Run gcloud container get-server-config --zone us-central1-f to see all cluster versions.

  2. Install Helm:

      curl -sL https://storage.googleapis.com/kubernetes-helm/helm-v2.5.1-linux-amd64.tar.gz | tar -zxvf - && sudo mv linux-amd64/helm /usr/local/bin/ && rm -Rf linux-amd64

      helm init

  3. Install the Helm chart:

      cd charts/tproxy
      helm install -n tproxy --set tproxy.useInitializer=true .
      cd -

  4. Deploy the example app that uses the annotation:

      kubectl create -f examples/debian-locked.yaml

  5. Inspect the logs:

      kubectl logs --selector=app=debian-app,variant=locked --tail=4

Example output:

https://www.google.com: 418
https://storage.googleapis.com/solutions-public-assets/: 200
PING www.google.com (209.85.200.147): 56 data bytes
ping: sending packet: Operation not permitted
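
An added example, not part of the project's code: a Python audit over `kubectl get deployments -o json` output that flags deployments that are not opted in, that carry the annotation but never received the init container, or whose init container cannot change firewall rules. The init container name `tproxy` and the embedded sample are assumptions constructed for illustration.

```python
import json

ANNOTATION = "initializer.kubernetes.io/tproxy"  # annotation key from the README
INIT_NAME = "tproxy"  # assumption: name of the injected init container

# Constructed sample shaped like `kubectl get deployments -o json` output.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "debian-locked",
               "annotations": {"initializer.kubernetes.io/tproxy": "true"}},
  "spec": {"template": {"spec": {"initContainers": [
    {"name": "tproxy",
     "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}}}]}}}},
 {"metadata": {"name": "annotated-not-injected",
               "annotations": {"initializer.kubernetes.io/tproxy": "true"}},
  "spec": {"template": {"spec": {}}}},
 {"metadata": {"name": "no-net-admin",
               "annotations": {"initializer.kubernetes.io/tproxy": "true"}},
  "spec": {"template": {"spec": {"initContainers": [{"name": "tproxy"}]}}}},
 {"metadata": {"name": "unproxied", "annotations": {}},
  "spec": {"template": {"spec": {}}}}
]}
""")


def audit(deployment_list):
    """Map deployment name to a finding when proxying is not verifiable."""
    findings = {}
    for dep in deployment_list.get("items", []):
        meta = dep.get("metadata", {})
        name = meta.get("name", "<unnamed>")
        annotations = meta.get("annotations") or {}
        pod_spec = dep.get("spec", {}).get("template", {}).get("spec", {})
        inits = [c for c in pod_spec.get("initContainers") or []
                 if c.get("name") == INIT_NAME]
        if annotations.get(ANNOTATION) != "true" and not inits:
            findings[name] = "not opted in: egress bypasses the proxy"
        elif not inits:
            findings[name] = "annotated but init container was not injected"
        else:
            # Changing firewall rules needs CAP_NET_ADMIN (or privileged).
            sc = inits[0].get("securityContext") or {}
            caps = (sc.get("capabilities") or {}).get("add") or []
            if "NET_ADMIN" not in caps and not sc.get("privileged"):
                findings[name] = "init container lacks NET_ADMIN for firewall rules"
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE).items():
        print(f"{name}: {finding}")
```

To run it against a live cluster, replace `SAMPLE` with the parsed output of `kubectl get deployments -o json` and set `INIT_NAME` to the init container name your chart actually injects.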
