kubernetes-tproxy
Kubernetes Transparent Proxy with mitmproxy and initializers
Kubernetes Transparent Proxy
Transparent proxy and filtering for Kubernetes pods.
This project provides a transparent proxy for pods using two deployment scenarios:
- On any K8S cluster with manual addition of the init container.
- A K8S 1.7+ cluster with deployment annotations and initializers to inject the init container.
The init container is responsible for adding the firewall rules to redirect outbound http/s traffic to the proxy server.
See the Helm chart README.md for all chart configuration options.
Technology used:
- Kubernetes Initializers
- Kubernetes Controllers
- Kubernetes RBAC
- mitmproxy
- Kubernetes Helm
- Google Container Engine
Deploying without initializers
Kubernetes Initializers are in alpha as of 1.7. This section shows how to deploy and use the transparent proxy on a K8S 1.6 cluster.
Figure 1. tproxy diagram

- Install the Helm chart:
cd charts/tproxy
helm install -n tproxy .
cd -
- Run the example app:
kubectl apply -f examples/debian-locked-manual.yaml
- Inspect the logs:
kubectl logs --selector=app=debian-app,variant=locked --tail=4
Example output:
https://www.google.com: 418
https://storage.googleapis.com/solutions-public-assets/: 200
PING www.google.com (209.85.200.147): 56 data bytes
ping: sending packet: Operation not permitted
Deploying with Initializers
Using the Kubernetes Initializer simplifies the runtime configuration. The initializer automatically intercepts deployments carrying the annotation `"initializer.kubernetes.io/tproxy": "true"` and adds the init container to the deployment.
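The following is an added example (not code from this project) showing the mutation an initializer controller performs on a Deployment it fetched with includeUninitialized=true: it checks that it is first in the pending list, removes itself so the API server releases the object, and, when the annotation is present, injects an init container that rewrites the pod's outbound HTTP/S with iptables. The initializer name, proxy address, image name and exact iptables rules are assumptions for illustration; only the annotation comes from the README.

```python
import copy

# Assumed values for this example, not taken from the project (except ANNOTATION).
INITIALIZER_NAME = "tproxy.initializer.kubernetes.io"  # hypothetical initializer name
ANNOTATION = "initializer.kubernetes.io/tproxy"        # annotation from the README
PROXY_ADDR = "10.0.0.10:1080"                           # hypothetical proxy service address

def tproxy_init_container():
    """Init container that redirects the pod's outbound HTTP/S to the proxy.
    It needs CAP_NET_ADMIN to edit iptables, so it is the one privileged piece
    the initializer injects; the application container itself stays unprivileged."""
    proxy_ip = PROXY_ADDR.split(":")[0]
    rules = " && ".join([
        f"iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination {PROXY_ADDR}",
        f"iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination {PROXY_ADDR}",
        "iptables -A OUTPUT -p udp --dport 53 -j ACCEPT",  # DNS still resolves, as in the example output
        # 'locked' variant: everything not headed to the proxy is rejected (why ping fails above)
        f"iptables -A OUTPUT ! -d {proxy_ip} -j REJECT",
    ])
    return {
        "name": "tproxy-init",
        "image": "example/tproxy-init:latest",  # hypothetical image
        "command": ["sh", "-c", rules],
        "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}},
    }

def initialize_deployment(deployment):
    """Apply the initializer's mutation to a Deployment object (a dict as returned
    by the API). Returns (object, changed); the input is never modified in place."""
    meta = deployment.get("metadata", {})
    pending = (meta.get("initializers") or {}).get("pending") or []
    # Initializers run in order; act only when this one is first in line.
    if not pending or pending[0].get("name") != INITIALIZER_NAME:
        return deployment, False
    out = copy.deepcopy(deployment)
    rest = pending[1:]
    # Removing ourselves from 'pending' is what lets the API server release the object.
    if rest:
        out["metadata"]["initializers"] = {"pending": rest}
    else:
        out["metadata"].pop("initializers", None)
    if meta.get("annotations", {}).get(ANNOTATION) == "true":
        pod_spec = out["spec"]["template"]["spec"]
        inits = pod_spec.setdefault("initContainers", [])
        if not any(c.get("name") == "tproxy-init" for c in inits):
            inits.insert(0, tproxy_init_container())  # run before the app container starts
    return out, True
```

A deployment without the annotation is still released (the initializer removes itself) but left untouched, which is the behaviour that keeps an unregistered initializer from blocking every deployment in the cluster.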
Figure 1. tproxy with initializers diagram

- Create an alpha GKE cluster with initializer support:
gcloud container clusters create tproxy-example \
--zone us-central1-f \
--machine-type n1-standard-1 \
--num-nodes 3 \
--enable-kubernetes-alpha \
--cluster-version 1.7.6
NOTE: Run `gcloud container get-server-config --zone us-central1-f` to see all cluster versions.
- Install Helm:
curl -sL https://storage.googleapis.com/kubernetes-helm/helm-v2.5.1-linux-amd64.tar.gz | tar -zxvf - && sudo mv linux-amd64/helm /usr/local/bin/ && rm -Rf linux-amd64
helm init
- Install the Helm Chart:
cd charts/tproxy
helm install -n tproxy --set tproxy.useInitializer=true .
cd -
- Deploy the example app that uses the annotation:
kubectl create -f examples/debian-locked.yaml
- Inspect the logs:
kubectl logs --selector=app=debian-app,variant=locked --tail=4
Example output:
https://www.google.com: 418
https://storage.googleapis.com/solutions-public-assets/: 200
PING www.google.com (209.85.200.147): 56 data bytes
ping: sending packet: Operation not permitted