Kubernetes Transparent Proxy
Transparent proxy and filtering for Kubernetes pods.
This project provides a transparent proxy for pods using two deployment scenarios:
- On any K8S cluster with manual addition of the init container.
- A K8S 1.7+ cluster with deployment annotations and initializers to inject the init container.
The init container is responsible for adding the firewall rules to redirect outbound http/s traffic to the proxy server.
See the Helm chart README.md for all chart configuration options.
Technology used:
Deploying without initializers
Kubernetes Initializers are in alpha as of 1.7. This section shows how to deploy and use the transparent proxy on a K8S 1.6 cluster.
Figure 1. tproxy diagram
- Install the helm chart:

```sh
cd charts/tproxy
helm install -n tproxy .
cd -
```
- Run the example app:

```sh
kubectl apply -f examples/debian-locked-manual.yaml
```
- Inspect the logs:

```sh
kubectl logs --selector=app=debian-app,variant=locked --tail=4
```

Example output:

```
https://www.google.com: 418
https://storage.googleapis.com/solutions-public-assets/: 200
PING www.google.com (209.85.200.147): 56 data bytes
ping: sending packet: Operation not permitted
```
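The text above only says that the init container installs firewall rules that redirect outbound HTTP/S to the proxy, and the log output shows the effect (HTTPS requests answered through the proxy, ping refused). The script below is an added example and is not the project's init container: it shows one iptables rule set that produces exactly that behaviour. `PROXY_IP`, `PROXY_PORT`, `DNS_IP` and the redirected port list are assumed values, not taken from the chart; pass `echo` instead of `iptables` to review the rules without touching the kernel.

```sh
#!/bin/sh
# Added example, not the project's own init container script: iptables rules
# an init container can install so that pod-originated HTTP and HTTPS can only
# leave through the proxy and every other outbound packet is rejected.
# All addresses and ports here are assumed values for the example.
PROXY_IP="${PROXY_IP:-10.0.0.10}"       # assumed: ClusterIP of the tproxy service
PROXY_PORT="${PROXY_PORT:-1080}"        # assumed: port the proxy listens on
DNS_IP="${DNS_IP:-10.0.0.2}"            # assumed: cluster DNS service address
HTTP_PORTS="${HTTP_PORTS:-80 443}"      # destination ports that get redirected

# tproxy_rules CMD: emit the rule set through CMD, e.g. "iptables" to apply
# the rules or "echo" to review them one per line.
tproxy_rules() {
  ipt="$1"
  # nat table: rewrite the destination of outbound HTTP/S to the proxy before
  # routing, so the application never talks to the origin host directly.
  for port in $HTTP_PORTS; do
    "$ipt" -t nat -A OUTPUT -p tcp --dport "$port" \
      -j DNAT --to-destination "$PROXY_IP:$PROXY_PORT"
  done
  # filter table: allow loopback, replies to existing flows, cluster DNS and
  # the proxy itself (the DNAT above has already pointed HTTP/S at it) ...
  "$ipt" -A OUTPUT -o lo -j ACCEPT
  "$ipt" -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  "$ipt" -A OUTPUT -d "$DNS_IP" -p udp --dport 53 -j ACCEPT
  "$ipt" -A OUTPUT -d "$PROXY_IP" -p tcp --dport "$PROXY_PORT" -j ACCEPT
  # ... and reject everything else, ICMP included. A REJECT in OUTPUT makes
  # sendto() fail with EPERM, which is the "Operation not permitted" ping shows.
  "$ipt" -A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
}

# Number of rules the script would install; useful for a readiness check
# that compares it against `iptables -S OUTPUT` inside the pod.
tproxy_rule_count() {
  tproxy_rules echo | wc -l | tr -d ' '
}

if [ "${1:-}" = "apply" ]; then
  tproxy_rules iptables     # real run: needs NET_ADMIN in the init container
else
  tproxy_rules echo         # default: preview only
fi
```

Run it with `apply` from an init container that has the `NET_ADMIN` capability. Because all containers in a pod share the pod's network namespace, rules installed by the init container still apply once the application container starts, which is why a single init container is enough to lock the pod down. Note that the nat `DNAT` runs before the filter `OUTPUT` chain sees the packet, so the HTTP/S flows pass the filter as traffic to the proxy and everything the proxy has not been asked to carry is refused at the pod boundary rather than somewhere upstream.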
Deploying with Initializers
Using the Kubernetes Initializer simplifies the runtime configuration. The initializer automatically intercepts deployments with the annotation `"initializer.kubernetes.io/tproxy": "true"` and adds the init container to the deployment.
Figure 1. tproxy with initializers diagram
- Create an alpha GKE cluster with initializer support:

```sh
gcloud container clusters create tproxy-example \
  --zone us-central1-f \
  --machine-type n1-standard-1 \
  --num-nodes 3 \
  --enable-kubernetes-alpha \
  --cluster-version 1.7.6
```

NOTE: Run `gcloud container get-server-config --zone us-central1-f` to see all cluster versions.
- Install Helm:

```sh
curl -sL https://storage.googleapis.com/kubernetes-helm/helm-v2.5.1-linux-amd64.tar.gz | tar -zxvf - && sudo mv linux-amd64/helm /usr/local/bin/ && rm -Rf linux-amd64
helm init
```
- Install the Helm Chart:

```sh
cd charts/tproxy
helm install -n tproxy --set tproxy.useInitializer=true .
cd -
```
- Deploy the example app that uses the annotation:

```sh
kubectl create -f examples/debian-locked.yaml
```
- Inspect the logs:

```sh
kubectl logs --selector=app=debian-app,variant=locked --tail=4
```

Example output:

```
https://www.google.com: 418
https://storage.googleapis.com/solutions-public-assets/: 200
PING www.google.com (209.85.200.147): 56 data bytes
ping: sending packet: Operation not permitted
```