linkerd / linkerd-inject Goto Github PK

When trying to run linkerd-inject on a malformed yml file, linkerd-inject returns an empty string. This makes it hard to debug what the issue is. It should error/throw an exception instead.

I just fixed this in Istio-init. See istio/old_issues_repo#34 for context.

Your init container need priviledged=true security context

I was looking at this project and had a question. In prepare_proxy.sh, don't we need to add a rule to the PREROUTING chain as well, in order to handle requests originating from a docker container?

Referring to fabric8io/docker-iptables-redirector#1:

(2) Adding rules to not only OUTPUT chain but also PREROUTING chain. Rules in OUTPUT chain seems to redirect traffic from host but not from containers. If you want to redirect traffic from containers (which I assume is a pretty common use-case) we need to add rules to PREROUTING, too. See jtblin/aws-mock-metadata#5

(which in turn refers to jtblin/aws-mock-metadata#5)

see if we can refactor prepare_proxy.sh to take host/port arguments only rather than a -useServiceVip, so that we can set up rules for non-kubernetes envs

Hi folks,

I love the work you're doing and I am considering implementing linkerd in our stack. One of the selling points for me is the transparent proxy support, which is especially important as we have some legacy applications that simply do not work with http_proxy configuration (or HTTP proxies full stop).

Interestingly, we actually have a need to run a HTTP proxy (rules imposed by the security team), so we transparently proxy outbound traffic using a combination of iptables rules and Squid.

This works well, but requires DNS to be resolvable by the application, as name resolution occurs before the HTTP request. How do you deal with this? In #1 there is this note, but I struggle to find any elaboration:

When the services call each other, the service names need to be resolvable by kubedns so that the packet has an IP and can be routed (hence renaming world-v1 to world).

Does this depend on "kubedns"? Apologies for the lack of understanding, my only container scheduler experience is limited to AWS' EC2 Container Service. How would you implement this outside of K8s? Right now my guess is maybe install dnsmasq, make all resolution resolve to some made-up address (169.254.x.x.) and have iptables forward the traffic to linkerd. Does that sound doable?