improbable-eng / kedge
kEdge - Kubernetes Edge Proxy for gRPC and HTTP Microservices
License: Apache License 2.0
Running: kubectl logs <something -f
Gives some logs and after ~a minute it returns error: unexpected EOF
Winch:
WARN[337520] httputil: ReverseProxy read error during body copy: unexpected EOF
caller=winch.ReverseProxy system=http
Kedge:
time="2018-05-22T13:56:10Z" level=warning msg="httputil: ReverseProxy read error during body copy: context canceled\n" caller="backend reverseProxy" system=http
We use the https://github.com/improbable-eng/go-srvlb resolver to watch for resolver changes.
The interval of lookup is based on TTL, but the std golang net libraries do not support those.
So either:
Similar to https://github.com/improbable-eng/kedge/blob/master/proto/kedge/config/http/routes/adhoc.proto we could potentially implement gRPC adhoc rules based on authority.
The /rs/cors package has this reported CVE CVE-2018-20744 when the CORS policy is set to *. Since the CORS policy is configurable with a flag it is possible a user could configure it to "*" resulting in insecure behaviour.
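The risk in the issue above is an operator-supplied allowlist that reaches the CORS layer as "*", after which every Origin is accepted. The added example below is not kedge's code and does not use the rs/cors package; it is a minimal stand-in CORS middleware plus a validator for a hypothetical comma-separated origins flag, shown so the wildcard setting can be compared with an exact-match allowlist on the same request. The flag name, the origins and the request path are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ErrWildcardOrigin is returned when the operator-supplied allowlist contains
// "*": that setting reflects every Origin, so any site can call the proxy.
var ErrWildcardOrigin = errors.New("cors: wildcard origin \"*\" is not allowed")

// ParseAllowedOrigins validates a comma-separated allowlist as it would arrive
// from a command-line flag (hypothetical flag; not kedge's own). It is the
// guard that keeps "*" from ever reaching the CORS layer.
func ParseAllowedOrigins(flagValue string) ([]string, error) {
	var allowed []string
	for _, raw := range strings.Split(flagValue, ",") {
		o := strings.TrimSpace(raw)
		if o == "" {
			continue
		}
		if o == "*" {
			return nil, ErrWildcardOrigin
		}
		if !strings.HasPrefix(o, "https://") && !strings.HasPrefix(o, "http://") {
			return nil, fmt.Errorf("cors: origin %q must be scheme://host[:port]", o)
		}
		allowed = append(allowed, o)
	}
	if len(allowed) == 0 {
		return nil, errors.New("cors: no allowed origins configured")
	}
	return allowed, nil
}

// AllowOrigin returns the Access-Control-Allow-Origin value for a request
// Origin: the origin itself on an exact allowlist match, "*" when the operator
// configured the wildcard (the insecure setting), or "" to deny.
func AllowOrigin(allowed []string, origin string) string {
	for _, a := range allowed {
		if a == "*" {
			return "*"
		}
		if a == origin {
			return origin
		}
	}
	return ""
}

// CORSMiddleware applies AllowOrigin to every request and answers preflights.
func CORSMiddleware(allowed []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if origin := r.Header.Get("Origin"); origin != "" {
			if v := AllowOrigin(allowed, origin); v != "" {
				w.Header().Set("Access-Control-Allow-Origin", v)
				w.Header().Add("Vary", "Origin")
			}
		}
		if r.Method == http.MethodOptions {
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// ProbeOrigin sends one request carrying the given Origin through the
// middleware and returns the Access-Control-Allow-Origin header it got back.
func ProbeOrigin(allowed []string, origin string) string {
	h := CORSMiddleware(allowed, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(http.MethodGet, "http://proxy.local/svc", nil) // constructed
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	// Constructed sample: the wildcard is rejected at flag parsing, then a real
	// allowlist only echoes the origins it was given.
	if _, err := ParseAllowedOrigins("*"); err != nil {
		fmt.Println("rejected:", err)
	}
	allowed, _ := ParseAllowedOrigins("https://app.example.com, https://admin.example.com")
	fmt.Printf("allowlisted origin -> %q\n", ProbeOrigin(allowed, "https://app.example.com"))
	fmt.Printf("unknown origin     -> %q\n", ProbeOrigin(allowed, "https://other.example.net"))
	fmt.Printf("wildcard config    -> %q\n", ProbeOrigin([]string{"*"}, "https://other.example.net"))
}
```

The last line of main shows what the issue describes: with "*" configured, an origin that appears nowhere in the allowlist still receives a permissive header, whereas the parsed allowlist denies it. Rejecting the wildcard at flag-parsing time is the cheapest mitigation because it fails the process at start-up rather than at the first cross-origin request.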
There are some strong use cases to give fine-grained control over what permissions are needed for each individual route.
Preferably, it would be a separate layer before proper routing. We don't want to mix mapping with authorizing the request. Instead, we want to isolate potential auth bugs (up for discussion).
However, there are some specific arguments not to do it.
Nevertheless, we can consider doing it if needed.
Reading the blog article/readme, the architecture bears some similarities to the newly introduced Gateways in Istio, which allow bridging multiple kubernetes clusters or any infrastructure for that matter, while still leveraging a TLS infrastructure. (Disclaimer: I am one of the authors of the gateway in Istio). It would be educational and helpful for others (using Istio) to know the drawbacks of the architecture I describe below. If there are any limitations, we would be happy to address them. [sorry for spamming your issue list, but I couldn't get hold of your email]
Here is a simple strawman version of cross cluster communication using the gateways (https://github.com/rshriram/istio_federation_demo) which uses a similar architecture to yours (a globally shared DNS domain, ingress gateway to route to appropriate backend service, etc.). It has end to end mTLS (shared root CA, per cluster intermediate CA, etc.). With that, you would simply be able to do something like http://foo.bar.com, that would be upgraded to mTLS by the local sidecar (istio proxy), and forwarded to the remote gateway (authenticated via mTLS again), and then to the backend service.
Basically this will allow debug, per-container access.
How should it work?
IPAdhoc:
<ip>.matcher
- dial to ip and allow only some ports.
<pod>.matcher
- ask Kube API for pod IP (with some cache), dial to fetched ip and allow only some ports.
We resolve all configured kEdges on demand. Even when it is used constantly, we perform DNS resolution every single time.
Let's optimize this. (DNS can be flaky)
grpc: addrConn.resetTransport failed to create client transport: connection error: desc = "transport: Error while dialing dial tcp <IP>:<PORT> i/o timeout"; Reconnecting to {<IP>:<PORT> {}}
Error wraps are too verbose. E.g.:
errors.Wrapf(err, "error on updating routing on event %v", event)
Can be reduced to just:
errors.Wrapf(err, "update routing on event %v", event)
This will allow to have TLS passthrough on all hops. However it requires Go client supporting HTTP CONNECT, which is scheduled to be in Go 1.10 release.
Right now, there is no possibility to configure correct TLS. The only possibility is to use the insecure option.
When trying to access the /debug/pprof/profile endpoint for a golang webserver with kedge/winch, I get an ERR_EMPTY_RESPONSE.
Hey, this looks AMAZING! Thank you for this.
I was wondering if it would be possible to access RTSP connections (next to HTTP) in another cluster?
Cédric