This repository has been archived by the owner on Mar 5, 2024. It is now read-only.

Supports use of ! prefix for interface name #54

Merged
merged 2 commits into from
Apr 28, 2018
10 changes: 9 additions & 1 deletion README.md
Expand Up @@ -42,7 +42,15 @@ Please also make note of how to configure IAM in your AWS account; notes in [doc
Kiam is split into two processes that run independently.

### Agent
This is the process that would typically be deployed as a DaemonSet to ensure that Pods have no access to the AWS Metadata API. Instead, the agent runs an HTTP proxy which intercepts credentials requests and passes on anything else.
This is the process that would typically be deployed as a DaemonSet to ensure that Pods have no access to the AWS Metadata API. Instead, the agent runs an HTTP proxy which intercepts credentials requests and passes on anything else. An DNAT iptables [rule](cmd/agent/iptables.go) is required to intercept the traffic. The agent is capable of adding and removing the required rule for you through use of the `--iptables` [flag](cmd/agent/main.go). This is the name of the interface where pod traffic originates and it is different for the various CNI implementations. The flag also supports the `!` prefix for inverted matches should you need to match all but one interface.

##### Typical CNI Interface Names #####

| CNI | Interface | Notes |
|-----|-----------|-------|
| [cni-ipvlan-vpc-k8s](https://github.com/lyft/cni-ipvlan-vpc-k8s) | `!eth0` | This CNI plugin attaches multiple ENIs to the instance. Typically eth1-ethN (N depends on the instance type) are used for pods which leaves eth0 for the kubernetes control plane. The ! prefix on the interface name inverts the match so metadata service traffic from all interfaces except eth0 will be sent to the kiam agent. |
| [weave](https://www.weave.works/docs/net/latest/kubernetes/kube-addon/) | `weave` | |


### Server
This process is responsible for connecting to the Kubernetes API Servers to watch Pods and communicating with AWS STS to request credentials. It also maintains a cache of credentials for roles currently in use by running pods- ensuring that credentials are refreshed every few minutes and stored in advance of Pods needing them.
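Review bot: the new README sentence for the `--iptables` flag misstates what that flag holds. "The agent is capable of adding and removing the required rule for you through use of the `--iptables` flag. This is the name of the interface where pod traffic originates" reads as if `--iptables` takes the interface name, while iptables.go reads the interface from `r.hostInterface`; name the interface flag explicitly before describing the `!` prefix. Also "An DNAT iptables rule" should be "A DNAT iptables rule", the new "##### Typical CNI Interface Names #####" heading uses trailing hashes while the surrounding "### Agent" and "### Server" headings do not, and the table note for `!eth0` should make explicit that metadata traffic which does originate on eth0 is not redirected to the agent, so operators know that interface stays unprotected by this rule.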
10 changes: 8 additions & 2 deletions cmd/agent/iptables.go
Expand Up @@ -16,6 +16,7 @@ package main
import (
"fmt"
"github.com/coreos/go-iptables/iptables"
"strings"
)

type rules struct {
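Review bot: the added `"strings"` import is placed after the third-party `github.com/coreos/go-iptables/iptables` import, mixing standard-library and external packages in one block; keep the standard library first (`"fmt"`, `"strings"`) and the go-iptables import in its own group, which is the layout goimports produces.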
Expand All @@ -42,14 +43,19 @@ func (r *rules) Add() error {
}

func (r *rules) ruleSpec() []string {
return []string{
rules := []string{
"-p", "tcp",
"-d", metadataAddress,
"--dport", "80",
"-j", "DNAT",
"--to-destination", r.kiamAddress(),
"-i", r.hostInterface,
}
if strings.HasPrefix(r.hostInterface, "!") {
rules = append(rules, "!")
}
rules = append(rules, "-i", strings.TrimPrefix(r.hostInterface, "!"))

return rules
}

func (r *rules) Remove() error {
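Review bot: in `ruleSpec` the local slice is named `rules`, which shadows the `rules` type that the method's receiver is declared on; rename it (for example `spec`) so the receiver type and the slice are not confused. The negation is assembled correctly for iptables (`!` emitted immediately before `-i`, yielding `! -i eth0`), but nothing guards against a value that is only `!` or empty after `strings.TrimPrefix`, which would emit `-i` followed by an empty interface name; returning an error from `Add` in that case, and adding a unit test that checks the spec for both `eth0` and `!eth0`, would pin the new behaviour down.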