Skip to content
/ kubernetes-tproxy Public

Kubernetes Transparent Proxy with mitmproxy and initializers

License

Apache-2.0 license
51 stars 13 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

danisla/kubernetes-tproxy

2 Branches2 Tags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

danisladanisla
update to readme and migrate tproxy-test script to configmap
Oct 15, 2017
ac3d09f · Oct 15, 2017

History

46 Commits
charts
charts
Oct 15, 2017
cmd
cmd
Sep 21, 2017
examples
examples
Sep 23, 2017
sidecar
sidecar
Sep 21, 2017
Dockerfile-initializer
Dockerfile-initializer
Sep 21, 2017
Dockerfile-podwatch
Dockerfile-podwatch
Sep 21, 2017
LICENSE
LICENSE
Aug 4, 2017
Makefile
Makefile
Sep 21, 2017
README.md
README.md
Oct 15, 2017
cloudbuild-initializer.yaml
cloudbuild-initializer.yaml
Sep 21, 2017
cloudbuild-podwatch.yaml
cloudbuild-podwatch.yaml
Sep 21, 2017
tproxy_diagram.png
tproxy_diagram.png
Sep 21, 2017
tproxy_initializers_diagram.png
tproxy_initializers_diagram.png
Sep 21, 2017

Repository files navigation

Kubernetes Transparent Proxy

Transparent proxy and filtering for Kubernetes pods.

This project provides transparent proxy to pods using two deployment scenarios:

  1. On any K8S cluster with manual addition of the init container.
  2. A K8S 1.7+ cluster with deployment annotations and initializers to inject the init container.

The init container is responsible for adding the firewall rules to redirect outbound http/s traffic to the proxy server.

See the Helm chart README.md for all chart configuration options.

Technology used:

Deploying without initializers

Kubernetes Initializers are in alpha as of 1.7. This section shows how to deploy and use the transparent proxy on a K8S 1.6 cluster.

Figure 1. tproxy diagram

  1. Install the helm chart:
cd charts/tproxy
helm install -n tproxy .
cd -
  1. Run the example app:
kubectl apply -f examples/debian-locked-manual.yaml
  1. Inspect the logs:
kubectl logs --selector=app=debian-app,variant=locked --tail=4

Example output:

https://www.google.com: 418
https://storage.googleapis.com/solutions-public-assets/: 200
PING www.google.com (209.85.200.147): 56 data bytes
ping: sending packet: Operation not permitted

Deploying with Initializers

Using the Kubernetes Initializer simplifies the runtime configuration. The initializer automatically intercepts deployments with the annotation: "initializer.kubernetes.io/tproxy": "true"` and adds the init container to the deployment.

Figure 1. tproxy with initializers diagram

  1. Create an alpha GKE cluster with initializer support:
gcloud container clusters create tproxy-example \
  --zone us-central1-f \
  --machine-type n1-standard-1 \
  --num-nodes 3 \
  --enable-kubernetes-alpha \
  --cluster-version 1.7.6

NOTE: Run gcloud container get-server-config --zone us-central1-f to see all cluster versions.

  1. Install Helm:
curl -sL https://storage.googleapis.com/kubernetes-helm/helm-v2.5.1-linux-amd64.tar.gz | tar -zxvf - && sudo mv linux-amd64/helm /usr/local/bin/ && rm -Rf linux-amd64

helm init
  1. Install the Helm Chart:
cd charts/tproxy
helm install -n tproxy --set tproxy.useInitializer=true .
cd -
  1. Deploy the example app that uses the annotation:
kubectl create -f examples/debian-locked.yaml
  1. Inspect the logs:
kubectl logs --selector=app=debian-app,variant=locked --tail=4

Example output:

https://www.google.com: 418
https://storage.googleapis.com/solutions-public-assets/: 200
PING www.google.com (209.85.200.147): 56 data bytes
ping: sending packet: Operation not permitted

About

Kubernetes Transparent Proxy with mitmproxy and initializers

Resources

Readme

License

Apache-2.0 license
Activity

Stars

51 stars

Watchers

3 watching

Forks

13 forks
Report repository

Releases

2 tags

Packages

No packages published

Languages