
Comments (4)

alexellis commented on June 7, 2024

This has been fixed in 0.17.1 - thanks for your feedback and for using inlets.


alexellis commented on June 7, 2024

Hi, thanks for trying out inlets.

As far as I knew, the additional ports were already being added as part of the security group configuration. You can check the code if you'd like to see it over at - https://github.com/inlets/cloud-provision/blob/master/provision/ec2.go#L250 - it may potentially need a tweak. Although if you want to use this sooner, you can of course edit the security group manually too.

Can you share the following output please?

Run kubectl get svc -wide in the namespace where the service exists

And also kubectl get svc/NAME -n NAMESPACE -o yaml

For example, if I create an nginx-ingress controller with a TCP routing config, I wouldn't expect the operator to pick that up.

Any LoadBalancer will be picked up - that's the design.

However, you can change this behaviour with the only annotated feature - then you just annotate the LoadBalancers that you want inlets-operator to cater to.

Alex


fedenusy commented on June 7, 2024

Output you asked for below, with some pieces redacted. Anytime you see XX.XX.XX.XX that's the EC2 instance's IP address.

kubectl get svc -o wide

NAME                                TYPE           CLUSTER-IP     EXTERNAL-IP               PORT(S)                                      AGE   SELECTOR
ingress-nginx-bd37f03e-controller   LoadBalancer   10.103.54.90   XX.XX.XX.XX,XX.XX.XX.XX   80:32264/TCP,443:30611/TCP,27017:32396/TCP   33m   app.kubernetes.io/component=controller,app.kubernetes.io/instance=ingress-nginx-bd37f03e,app.kubernetes.io/name=ingress-nginx

kubectl get svc/NAME -n NAMESPACE -o yaml

apiVersion: v1
kind: Service
metadata:
  annotations:
    meta.helm.sh/release-name: ingress-nginx-bd37f03e
    meta.helm.sh/release-namespace: REDACTED
  creationTimestamp: "2023-05-02T21:57:50Z"
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx-bd37f03e
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.7.0
    helm.sh/chart: ingress-nginx-4.6.0
  name: ingress-nginx-bd37f03e-controller
  namespace: REDACTED
  resourceVersion: "1578992"
  uid: ffe92ee5-3815-43bf-b170-821e07adc684
spec:
  allocateLoadBalancerNodePorts: true
  clusterIP: 10.103.54.90
  clusterIPs:
  - 10.103.54.90
  externalIPs:
  -  XX.XX.XX.XX
  externalTrafficPolicy: Cluster
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - appProtocol: http
    name: http
    nodePort: 32264
    port: 80
    protocol: TCP
    targetPort: http
  - appProtocol: https
    name: https
    nodePort: 30611
    port: 443
    protocol: TCP
    targetPort: https
  - name: 27017-tcp
    nodePort: 32396
    port: 27017
    protocol: TCP
    targetPort: 27017-tcp
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx-bd37f03e
    app.kubernetes.io/name: ingress-nginx
  sessionAffinity: None
  type: LoadBalancer
status:
  loadBalancer:
    ingress:
    - ip:  XX.XX.XX.XX


alexellis commented on June 7, 2024

Thanks for sharing this output.

So I had a look at the provisioning code again.

If we pass in an extra flag to the library it will open up the security group from 1024 to 65535. If there is nothing listening on these ports, it's probably not as "insecure" as you suggest.

Alternatively, we could update the library to take in a number of ports from the LB.

The reason for the wider range being available is that when using the inletsctl tool to create tunnel VMs outside of the operator, you don't know what ports the user will need, so all are available - and then as and when the client connects - the ports are opened on the server.

Both inletsctl and inlets-operator use the same library.

So we could either trigger the existing code to open up 1024 to 65535, or we could do some additional work to pass in a list of ports that is only used when called by inlets-operator.

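The two options discussed above (open the whole 1024-65535 range, or derive the security-group rules from the LoadBalancer's port list) can be compared directly from the Service shown earlier in the thread. The following is an added illustration, not code from inlets-operator or the cloud-provision library: the ServicePort and IngressRule types are simplified stand-ins for the Kubernetes and AWS API types, and the port list is transcribed from the ingress-nginx Service YAML above. RulesForService computes the minimal per-port rule set (merging adjacent ports on the same protocol into one range), and ExcessPorts reports how many ports a wide rule exposes beyond what the Service needs and which needed ports it does not cover at all.

```go
package main

import (
	"fmt"
	"sort"
)

// ServicePort is a constructed subset of a Kubernetes Service port entry,
// holding only the fields that matter for a firewall rule.
type ServicePort struct {
	Name     string
	Port     int32
	Protocol string // empty means TCP, matching the Kubernetes default
}

// IngressRule is one security-group ingress entry: a contiguous port range on one protocol.
type IngressRule struct {
	Protocol string
	FromPort int32
	ToPort   int32
}

// serviceFromThread is the port list of the ingress-nginx LoadBalancer posted in this issue.
var serviceFromThread = []ServicePort{
	{Name: "http", Port: 80, Protocol: "TCP"},
	{Name: "https", Port: 443, Protocol: "TCP"},
	{Name: "27017-tcp", Port: 27017, Protocol: "TCP"},
}

// WideRule is the "open 1024 to 65535" option mentioned in the thread.
var WideRule = IngressRule{Protocol: "TCP", FromPort: 1024, ToPort: 65535}

func protocolOf(p ServicePort) string {
	if p.Protocol == "" {
		return "TCP"
	}
	return p.Protocol
}

// RulesForService returns the minimal ingress rules for a Service: one rule per
// distinct (protocol, port), with adjacent ports on the same protocol merged.
func RulesForService(ports []ServicePort) []IngressRule {
	needed := map[string]map[int32]bool{}
	for _, p := range ports {
		proto := protocolOf(p)
		if needed[proto] == nil {
			needed[proto] = map[int32]bool{}
		}
		needed[proto][p.Port] = true
	}
	protos := make([]string, 0, len(needed))
	for proto := range needed {
		protos = append(protos, proto)
	}
	sort.Strings(protos)
	var rules []IngressRule
	for _, proto := range protos {
		nums := make([]int32, 0, len(needed[proto]))
		for n := range needed[proto] {
			nums = append(nums, n)
		}
		sort.Slice(nums, func(i, j int) bool { return nums[i] < nums[j] })
		for _, n := range nums {
			last := len(rules) - 1
			// Extend the previous rule when this port is the next one on the same protocol.
			if last >= 0 && rules[last].Protocol == proto && rules[last].ToPort+1 == n {
				rules[last].ToPort = n
				continue
			}
			rules = append(rules, IngressRule{Protocol: proto, FromPort: n, ToPort: n})
		}
	}
	return rules
}

// ExcessPorts counts the ports a rule opens that no Service port needs, and lists
// the needed ports (same protocol) that fall outside the rule's range.
func ExcessPorts(rule IngressRule, ports []ServicePort) (excess int, uncovered []int32) {
	excess = int(rule.ToPort - rule.FromPort + 1)
	seen := map[int32]bool{}
	for _, p := range ports {
		if protocolOf(p) != rule.Protocol || seen[p.Port] {
			continue
		}
		seen[p.Port] = true
		if p.Port >= rule.FromPort && p.Port <= rule.ToPort {
			excess--
		} else {
			uncovered = append(uncovered, p.Port)
		}
	}
	sort.Slice(uncovered, func(i, j int) bool { return uncovered[i] < uncovered[j] })
	return excess, uncovered
}

func main() {
	fmt.Println("per-port rules:", RulesForService(serviceFromThread))
	excess, uncovered := ExcessPorts(WideRule, serviceFromThread)
	fmt.Printf("wide rule %d-%d: %d unneeded ports open, needed ports not covered: %v\n",
		WideRule.FromPort, WideRule.ToPort, excess, uncovered)
}
```

Run as-is, the per-port approach yields three single-port TCP rules, while the wide rule leaves 64,511 unused ports reachable and still does not cover 80 or 443, which would need their own rules either way; that gap is the concrete reason a port list passed in from the LoadBalancer is the tighter of the two options.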
