issue hosting a service on proxied pod
My use case is a Prometheus exporter that scrapes something behind client certs but then runs a metrics endpoint that needs to be exposed as an HTTP endpoint itself.
It seems the iptables config is preventing this and the HTTP service is not accessible. When I go through the process of removing the iptables config it is accessible again (but no tproxy).
Unless I'm missing something, this doesn't seem to be possible with the config here.
Is this something that would be useful to implement?
I found a way around this by removing the sidecar container that is adding the iptables rules that are blocking.
Removing the container spec from the chart here https://github.com/danisla/kubernetes-tproxy/blob/master/charts/tproxy/templates/initializer-configmap.yaml#L15, but leaving the volume mounts.
I can see where I have been getting this a bit wrong but I think my problem still exists.
I can see reading the docs closer that service traffic would not be blocked (ie traffic routed via a k8s service) but direct access to a pod would still be.
I have been using kubectl port-forward to test as I have been trying to scrape a Prometheus exporter hosted in the pod that is being proxied.
I don't think that Prometheus would scrape via the service, so I would still run into the same issues.
I see that this project seems to be dead. Istio uses (at least till v1.12) the same approach to redirect traffic to their proxy.
They are using additional rules to prevent some traffic from being redirected:

```
-A PREROUTING -p tcp -m tcp --dport 15008 -j RETURN
-A PREROUTING -p tcp -m tcp --dport 22 -j RETURN
-A PREROUTING -p tcp -m tcp --dport 15090 -j RETURN
-A PREROUTING -p tcp -m tcp --dport 15021 -j RETURN
-A PREROUTING -p tcp -m tcp --dport 15020 -j RETURN
```
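The exclusion pattern above, as an added example that is not code from kubernetes-tproxy or Istio: it generates a PREROUTING rule set in iptables-restore syntax that keeps one inbound port (an assumed exporter port, 9100) reachable with a RETURN rule placed before a catch-all redirect to an assumed proxy port (15001), and checks the ordering, since a RETURN that comes after the redirect never fires.

```shell
#!/bin/sh
# Added example, not part of kubernetes-tproxy or Istio.
# Builds the nat PREROUTING rules for a pod that must keep its metrics
# port reachable while all other inbound TCP is sent to the proxy.
# The port numbers are assumptions for illustration, not values from
# either project.

EXPORTER_PORT="${EXPORTER_PORT:-9100}"   # assumed Prometheus exporter port
PROXY_PORT="${PROXY_PORT:-15001}"        # assumed proxy listen port

# Print an iptables-restore fragment for the nat table: one RETURN rule
# per excluded port (arguments), then the catch-all redirect.
gen_prerouting_rules() {
    printf '%s\n' '*nat'
    for port in "$@"; do
        printf '%s\n' "-A PREROUTING -p tcp -m tcp --dport $port -j RETURN"
    done
    printf '%s\n' "-A PREROUTING -p tcp -j REDIRECT --to-ports $PROXY_PORT"
    printf '%s\n' 'COMMIT'
}

# Read rule text on stdin; exit 0 only if every RETURN rule precedes the
# first REDIRECT rule. Evaluation is top to bottom, so an exclusion placed
# after the redirect is dead and the excluded port is still proxied.
check_rule_order() {
    awk '
        /-j REDIRECT/ { seen_redirect = 1; next }
        /-j RETURN/ && seen_redirect { bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# Example run: exclude the exporter port and SSH, then verify ordering.
# Applying the rules (iptables-restore) is intentionally left to the
# operator; this script only generates and checks them.
run_example() {
    rules=$(gen_prerouting_rules "$EXPORTER_PORT" 22)
    printf '%s\n' "$rules"
    printf '%s\n' "$rules" | check_rule_order
}
```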