So,
I'm running a cluster using kops, which means I have to specify `--host-interface cbr0`. kube2iam worked fine when I first tested it on an existing cluster. However, when I include kube2iam as a DaemonSet on a new cluster, it crashes.
What I think is going on (and I'm only guessing here) is that the instances don't create the cbr0 bridge until the node runs a Pod with `hostNetwork: false`, at which point kube2iam can run successfully. Any time before that, it CrashLoops with a message about the interface not existing (however that error happens to get formatted: https://github.com/jtblin/kube2iam/blob/master/iptables/iptables.go#L38)
I'm willing to send in a patch, but I haven't found a good way without downsides. I'm thinking of something like this:
A `--wait-for-interface` flag, which would let us start the server and asynchronously add the iptables forwarding, in one of three ways:
Loop / Sleep while the interface doesn't exist
Ugly, but works. Uses extra resources while polling. How aggressively we poll determines how reliable it can be made (e.g., how small the time window between pod creation and pods requesting creds could be).
Netlink / RTMGRP_LINK
http://man7.org/linux/man-pages/man7/netlink.7.html. We can get notifications when network interfaces are created/deleted, IP addresses change, etc. However, I'm unsure how well Go supports it at the moment.
This might be the best option.
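To sketch what this could look like with just the stdlib `syscall` package on Linux (the function name and the subscribe-then-check ordering are my own; `RTMGRP_LINK` is spelled out as a literal since it isn't exported by `syscall`):

```go
package main

import (
	"fmt"
	"net"
	"strings"
	"syscall"
)

const rtmgrpLink = 0x1 // RTMGRP_LINK from <linux/rtnetlink.h>

// waitForInterfaceNetlink subscribes to rtnetlink link notifications,
// then checks whether the interface already exists (subscribing first
// avoids missing a link created in between), and otherwise blocks until
// an RTM_NEWLINK message names it. Hypothetical sketch, Linux-only.
func waitForInterfaceNetlink(name string) error {
	fd, err := syscall.Socket(syscall.AF_NETLINK, syscall.SOCK_RAW, syscall.NETLINK_ROUTE)
	if err != nil {
		return err
	}
	defer syscall.Close(fd)
	sa := &syscall.SockaddrNetlink{Family: syscall.AF_NETLINK, Groups: rtmgrpLink}
	if err := syscall.Bind(fd, sa); err != nil {
		return err
	}
	if _, err := net.InterfaceByName(name); err == nil {
		return nil // already there; no need to wait
	}
	buf := make([]byte, 4096)
	for {
		n, _, err := syscall.Recvfrom(fd, buf, 0)
		if err != nil {
			return err
		}
		msgs, err := syscall.ParseNetlinkMessage(buf[:n])
		if err != nil {
			return err
		}
		for _, m := range msgs {
			if m.Header.Type != syscall.RTM_NEWLINK {
				continue
			}
			attrs, err := syscall.ParseNetlinkRouteAttr(&m)
			if err != nil {
				continue
			}
			for _, a := range attrs {
				if a.Attr.Type == syscall.IFLA_IFNAME &&
					strings.TrimRight(string(a.Value), "\x00") == name {
					return nil
				}
			}
		}
	}
}

func main() {
	if err := waitForInterfaceNetlink("lo"); err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("interface ready")
}
```

Unlike polling, this has no reliability window: the kernel pushes the RTM_NEWLINK event as soon as the bridge is created, and listening on the link multicast group doesn't require privileges beyond what kube2iam already has.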
TTL mangling hack
If neither of the above works out, it would also be possible to mangle all packets destined for the metadata service, unless their TTL has been set to a pre-selected value (used as a sign that we don't need to proxy again). This would definitely work, but at the cost of a malicious pod being able to circumvent the proxy and obtain the host's own IAM creds.
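A rough config sketch of that rule (the magic TTL value 61, the `$NODE_IP` placeholder, and the port are invented for illustration; this is not an actual kube2iam rule):

```shell
# Redirect metadata-service traffic to the proxy, UNLESS the packet
# already carries the magic TTL that the proxy would stamp on its own
# upstream requests (e.g. via setsockopt(fd, IPPROTO_IP, IP_TTL, 61)).
iptables -t nat -A PREROUTING -d 169.254.169.254/32 -p tcp --dport 80 \
  -m ttl ! --ttl-eq 61 -j DNAT --to-destination "$NODE_IP:8181"
```

The security hole is visible right in the match: any pod that sets its own socket TTL to the magic value skips the DNAT and talks to the real metadata service directly.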
Thoughts?