ip-masq-agent-v2 aims to solve more specific networking cases, allow for more configuration options, and improve observability compared to the original.

ip-masq-agent-v2

Based on the original ip-masq-agent, v2 aims to solve more specific networking cases, allow for more configuration options, and improve observability. This includes:

  • Merging configuration from multiple sources
  • Support for health checking
  • Better detection of problematic and conflicting configurations

Overview

The ip-masq-agent configures iptables rules to MASQUERADE traffic outside link-local (optional, enabled by default) and additional arbitrary IP ranges.

It creates an iptables chain called IP-MASQ-AGENT, which contains match rules for link local (169.254.0.0/16) and each of the user-specified IP ranges. It also creates a rule in POSTROUTING that jumps to this chain for any traffic not bound for a LOCAL destination.

IPs that match the rules (except for the final rule) in IP-MASQ-AGENT are not subject to MASQUERADE via the IP-MASQ-AGENT chain (they RETURN early from the chain). The final rule in the IP-MASQ-AGENT chain will MASQUERADE any non-LOCAL traffic.

RETURN in IP-MASQ-AGENT resumes rule processing at the next rule the calling chain, POSTROUTING. Take care to avoid creating additional rules in POSTROUTING that cause packets bound for your configured ranges to undergo MASQUERADE.

Launching the agent as a DaemonSet

This repo includes an example yaml file that can be used to launch the ip-masq-agent as a DaemonSet in a Kubernetes cluster.

kubectl create -f ip-masq-agent.yaml

The spec in ip-masq-agent.yaml specifies the kube-system namespace for the DaemonSet Pods.

Configuring the agent

Important: You should not attempt to run this agent in a cluster where the Kubelet is also configuring a non-masquerade CIDR. You can pass --non-masquerade-cidr=0.0.0.0/0 to the Kubelet to nullify its rule, which will prevent the Kubelet from interfering with this agent.

By default, the agent is configured to treat the three private IP ranges specified by RFC 1918 as non-masquerade CIDRs. These ranges are 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. To change this behavior, see the flags section below. The agent will also treat link-local (169.254.0.0/16) as a non-masquerade CIDR by default.

By default, the agent is configured to reload its configuration from the /etc/config/ip-masq-agent file in its container every 60 seconds.

The agent configuration file should be written in yaml or json syntax, and may contain three optional keys:

  • nonMasqueradeCIDRs []string: A list strings in CIDR notation that specify the non-masquerade ranges.
  • masqLinkLocal bool: Whether to masquerade traffic to 169.254.0.0/16. False by default.
  • masqLinkLocalIPv6 bool: Whether to masquerade traffic to fe80::/10. False by default.
  • resyncInterval string: The interval at which the agent attempts to reload config from disk. The syntax is any format accepted by Go's time.ParseDuration function.

The agent will look for a config file in its container at /etc/config/ip-masq-agent. This file can be provided via a ConfigMap, plumbed into the container via a ConfigMapVolumeSource. As a result, the agent can be reconfigured in a live cluster by creating or editing this ConfigMap.

This repo includes a directory-representation of a ConfigMap that can configure the agent (the agent-config directory). To use this directory to create the ConfigMap in your cluster:

kubectl create configmap ip-masq-agent --from-file=agent-config --namespace=kube-system

Note that we created the ConfigMap in the same namespace as the DaemonSet Pods, and named the ConfigMap to match the spec in ip-masq-agent.yaml. This is necessary for the ConfigMap to appear in the Pods' filesystems.

Agent Flags

The agent accepts two flags, which may be specified in the yaml file.

masq-chain : The name of the iptables chain to use. By default set to IP-MASQ-AGENT

nomasq-all-reserved-ranges : Whether or not to masquerade all RFC reserved ranges when the configmap is empty. The default is false. When false, the agent will masquerade to every destination except the ranges reserved by RFC 1918 (namely 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16). When true, the agent will masquerade to every destination that is not marked reserved by an RFC. The full list of ranges is (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 100.64.0.0/10, 192.0.0.0/24, 192.0.2.0/24, 192.88.99.0/24, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, and 240.0.0.0/4). Note however, that this list of ranges is overridden by specifying the nonMasqueradeCIDRs key in the agent configmap.

enable-ipv6 : Whether to configurate ip6tables rules. By default enable-ipv6 is false.

Rationale

(from the incubator proposal)

This agent solves the problem of configuring the CIDR ranges for non-masquerade in a cluster (via iptables rules). Today, this is accomplished by passing a --non-masquerade-cidr flag to the Kubelet, which only allows one CIDR to be configured as non-masquerade. RFC 1918, however, defines three ranges (10/8, 172.16/12, 192.168/16) for the private IP address space.

Some users will want to communicate between these ranges without masquerade - for instance, if an organization's existing network uses the 10/8 range, they may wish to run their cluster and Pods in 192.168/16 to avoid IP conflicts. They will also want these Pods to be able to communicate efficiently (no masquerade) with each-other and with their existing network resources in 10/8. This requires that every node in their cluster skips masquerade for both ranges.

We are trying to eliminate networking code from the Kubelet, so rather than extend the Kubelet to accept multiple CIDRs, ip-masq-agent allows you to run a DaemonSet that configures a list of CIDRs as non-masquerade.

Developing

Clone the repo to $GOPATH/src/github.com/Azure/ip-masq-agent-v2.

The build tooling is based on thockin/go-build-template.

Run make or make build to compile the ip-masq-agent. This will use a Docker image to build the agent, with the current directory volume-mounted into place. This will store incremental state for the fastest possible build. Run make all-build to build for all architectures.

Run make test to run the unit tests.

Run make container to build the container image. It will calculate the image tag based on the most recent git tag, and whether the repo is "dirty" since that tag (see make version). Run make all-container to build containers for all architectures.

Run make push to push the container image to REGISTRY. Run make all-push to push the container images for all architectures.

Run make clean to clean up.

Owner
Microsoft Azure
APIs, SDKs and open source projects from Microsoft Azure
Microsoft Azure
https://github.com/Azure/ip-masq-agent-v2
Comments
  • Migrate to semantic versioning

    Migrate to semantic versioning

    Semantic Versioning (or SemVer) is a universally accepted format to tag your release packages/modules etc. It has vX.Y.Z format where X is a major version number, Y is a minor version number and Z is patch version number (translated as vMajor.Minor.Patch).

    Also keeping consistent with Upstream fork versioning scheme, which will help avoid confusion. Doing this before anyone has taken dependency on releases.

  • Update Kubernetes to v1.23.0 from v1.13.0-alpha

    Update Kubernetes to v1.23.0 from v1.13.0-alpha

    Need to update Kubernetes version for security fixes (mentioned in issue #30). Upstream fork used v1.13.0-alpha, which has some security issues. We need at least v1.19.15 to fix all these: image

    Part of what makes this complicated is usage from deprecated Kubernetes packages from which no longer exists:

    1. k8s.io/apiserver/pkg/util/logs moved in https://github.com/kubernetes/kubernetes/pull/48581 https://github.com/kubernetes/kubernetes/pull/79198 and even ended up in kubectl repo, only to be removed later: https://github.com/kubernetes/kubectl/commit/466b48353181e0479672d43c69fb6d42a0c9264f

    2. k8s.io/kubernetes/pkg/util/dbus removed in: https://github.com/kubernetes/kubernetes/pull/81517

    3. k8s.io/kubernetes/pkg/version/verflag removed in: https://github.com/kubernetes/kubernetes/pull/68922

    Workarounds:

    1. Switching to klog from glog, which is an up-to-date replacement. k8s.io/component-base/logs pairs with it and replaces k8s.io/apiserver/pkg/util/logs.
    2. Following their example which relies on updated iptable package: https://github.com/kubernetes/kubernetes/pull/81517
    3. k8s.io/component-base/version/verflag replaces this.

    Also updating other dependancies while we are at it.

  • Add ci-pipeline for this repo.

    Add ci-pipeline for this repo.

    Thanks guys for letting me add this PR for your repo and I hope this helps @mattstam πŸ™β˜•οΈβ€οΈ also I think we can do separate pipeline for ghcr images as build and publish I don't quiet know the exact use-case so we can chat about it.

    This PR focuses on adding end-to-end pipeline and seems like currently tests are not working so we can do test PR separately and then all we need to do is enable the last line of this build fencing file with the test fixture.

    • 1 file with lint, build and test will make sure all check happens at once and like the screenshot shows below it will work as follows:

    Thanks

    image

    image

  • Dynamically update base image to specific architecture

    Dynamically update base image to specific architecture

    The previous update to distroless base image was not compatible with all architectures.

    In https://github.com/kubernetes/release/tree/master/images/build/distroless-iptables they publish for each architecture. However, staging-k8s.gcr.io is not publicly accessible. Ran the same make all-push but pointing at a AKS base image CR 'baseosscr.azurecr.io' which can be pulled from anywhere.

  • Switch base image to distroless-iptables

    Switch base image to distroless-iptables

    Roughly the same as @rikatz's rationale:

    we need to reduce costs (and by reducing costs, reducing image size) we need to use something with a smaller footprint and reduce the amount of packages, and as a result the amount of CVEs in image package. kube-proxy exists in all nodes (unless you use a CNI that implements its features) so it is a good candidate

    Same as kube-proxy and also keeping in sync with what they v1 did: https://github.com/kubernetes-sigs/ip-masq-agent/commit/cf9563a9605c65fc9d67dc8391d61bad89fc3295

  • Initialize logging flags

    Initialize logging flags

    klog has slightly different initialization behavior from the previously used glog. klog.InitFlags() must be called at startup time to handle the verbosity flags (e.g. --v=2).

  • Add CI for multi-arch builds

    Add CI for multi-arch builds

    With this change, one docker manifest for multiple platforms is used when the main image tag <registry>/<path>/<bin>:<version>: image

    This means that the appropriate image will be used depending on the platform that pulls it, allowing for full multi-arch usage.

    To use simply run make all-manifest create a manifest for all platforms listed in the Makefile.

    (also adding IBM's arch iptables base image)

  • Update usage examples, README, and CHANGELOG formatting

    Update usage examples, README, and CHANGELOG formatting

    Bunch of miscellaneous changes:

    • Reference MCR image in examples
    • Switch to -reconciled since it matches what cloud provider will likely use for maximum clarity.
    • Add some missing content in README
    • CHANGELOG references PR number, which you would have to know before hand. Keep formatting on releases page but removing that content from CHANGELOG so it's practical to update once per PR.
  • Update publish action to support semantic versioning

    Update publish action to support semantic versioning

    πŸ’‘β˜•οΈ oh, a quick note: this versioning might not play nice with the release (publish mcr workflow) because of the change log action, so I would recommend if you want to keep β€œv” you could add that in your publishing tag file.

    • quickest solution will be here add β€œv” as character before the versioning for β€œVERSION” variable: https://github.com/Azure/ip-masq-agent-v2/blob/master/.github/workflows/build-publish-mcr.yml#L66
    • Change this line 66 from REGISTRY=${{ secrets.AZURE_REGISTRY_SERVER }}/public/aks VERSION=${{ steps.changelog_reader.outputs.version }} make push to REGISTRY=${{ secrets.AZURE_REGISTRY_SERVER }}/public/aks VERSION=v${{ steps.changelog_reader.outputs.version }} make push
    • Changed bit is: VERSION=v${{ steps.changelog_reader.outputs.version }} make push added v so keep change-log as without v.

    FYI and Cc: @peterbom in case I am not around.

    Thank you @Tatsinnit for this! πŸ™

  • Update to kubernetes v1.16.15 + klog/v2

    Update to kubernetes v1.16.15 + klog/v2

    Need to update Kubernetes version for security fixes. Part of what makes this difficult is usage from deprecated Kubernetes packages from which no longer exists.

    k8s.io/apiserver/pkg/util/logs moved in https://github.com/kubernetes/kubernetes/pull/48581 https://github.com/kubernetes/kubernetes/pull/79198 and even ended up in kubectl repo, only to be removed later: https://github.com/kubernetes/kubectl/commit/466b48353181e0479672d43c69fb6d42a0c9264f

    k8s.io/kubernetes/pkg/util/dbus moved in: https://github.com/kubernetes/kubernetes/pull/81517

    k8s.io/kubernetes/pkg/version/verflag moved in: https://github.com/kubernetes/kubernetes/pull/68922 Not critical enough to warrant an immediate replacement. Removing for now.

    Since updating dependancies, also switching to klog (https://github.com/kubernetes/klog) from glog, which is an up-to-date replacement.

  • Update kubernetes dependancy and fix modules.txt for CI lint

    Update kubernetes dependancy and fix modules.txt for CI lint

    Going from kubernetes version v0.21.1 to v1.13.0-alpha which may help with https://github.com/Azure/ip-masq-agent-v2/issues/25. Also attempting to fix broken CI lint: https://staticsint.teams.cdn.office.net/evergreen-assets/safelinks/1/atp-safelinks.html

  • ip-masq-agent OOMKill'd in clusters with large amounts of iptables records

    ip-masq-agent OOMKill'd in clusters with large amounts of iptables records

    Repro

    • Create a default AKS cluster with kube-proxy in iptables mode
    • Create a deployment of busybox pods with 50 replicas kubectl create deployment busybox --image busybox --replicas 50
    • Run this gist to create 100 services each with 500 backend ports (50,000 backend port rules) https://gist.github.com/tyler-lloyd/5f6260b7ce6089fe944c35194cb841f7
    • Observe ip-masq-agent getting OOMKill'd

    It's unclear if ip-masq-agent is actually running out of memory or if it is getting killed by the host when trying to sync its iptables rules.

    Error seen

    F0701 15:14:36.026972       1 ip-masq-agent.go:156] the daemon encountered an error: error syncing masquerade rules: error creating chain "IP-MASQ-AGENT": exit status 4: Another app is currently holding the xtables lock; still 4s 100000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 3s 100000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 2s 100000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 1s 100000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 0s 100000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock. Stopped waiting after 5s.
goroutine 1 [running]:
k8s.io/klog/v2.stacks(0x1)
	/go/pkg/mod/k8s.io/klog/[email protected]/klog.go:1140 +0x8a
k8s.io/klog/v2.(*loggingT).output(0xd40e40, 0x3, 0x0, 0xc0000a85b0, 0x0, {0xa918ee, 0x1}, 0xc0001bc140, 0x0)
	/go/pkg/mod/k8s.io/klog/[email protected]/klog.go:1088 +0x66f
k8s.io/klog/v2.(*loggingT).printf(0x60, 0x8ae02108, 0x0, {0x0, 0x0}, {0x9410c5, 0x23}, {0xc0001bc140, 0x1, 0x1})
	/go/pkg/mod/k8s.io/klog/[email protected]/klog.go:753 +0x1c5
k8s.io/klog/v2.Fatalf(...)
	/go/pkg/mod/k8s.io/klog/[email protected]/klog.go:1642
main.main()
	/src/cmd/ip-masq-agent-v2/ip-masq-agent.go:156 +0x408

goroutine 6 [chan receive]:
k8s.io/klog/v2.(*loggingT).flushDaemon(0x0)
	/go/pkg/mod/k8s.io/klog/[email protected]/klog.go:1283 +0x6a
created by k8s.io/klog/v2.init.0
	/go/pkg/mod/k8s.io/klog/[email protected]/klog.go:420 +0xfb
  • How can I set log level or reduce logs verbosity?

    How can I set log level or reduce logs verbosity?

    Hello, I'm running an aks cluster (with kubernetes v1.23.5) and I'd like to limit the logs generated by ip-masq-agent-v2 to errors. I've seen that I could use the -v flag and set it to 1 in the daemonset for example, but somehow the default value 2 is always restored.

    That's what I'm doing: kubectl edit daemonset azure-ip-masq-agent -n kube-system

    replace - --v=2 by - --v=1 save and exit

    pods are recreated and it looks good, but a few minutes later, logs are coming again. If I redo kubectl edit daemonset azure-ip-masq-agent -n kube-system, I can see the that -v is set to 2 again.

    Do you have any idea of what I can do there? Thanks

Related tags
DevOps Tools networking k8s
Igo Agent is the agent of Igo, a command-line tool, through which you can quickly start Igo

igo agent θ‹±ζ–‡ | δΈ­ζ–‡ Igo Agent is the agent of Igo, a command-line tool, through which you can quickly start Igo, and other capabilities may be added lat

Dec 22, 2021
Shoes-agent - Framework for myshoes provider using agent
 Shoes-agent - Framework for myshoes provider using agent

shoes-agent Framework for myshoes provider using agent. agent: agent for shoes-a

Jan 8, 2022
Coriolis-snapshot-agent - Coriolis snapshot agent leverages the blk-snap kernel module to create copy-on-write snapshots of block devices

Coriolis snapshot agent Coriolis snapshot agent leverages the blk-snap kernel mo

Feb 17, 2022
Integrated ssh-agent for windows. (pageant compatible. openSSH ssh-agent etc ..)
 Integrated ssh-agent for windows. (pageant compatible. openSSH ssh-agent etc ..)

OmniSSHAgent About The chaotic windows ssh-agent has been integrated into one program. Chaos Map of SSH-Agent on Windows There are several different c

Dec 19, 2022
πŸ”₯ πŸ”₯ Open source cloud native security observability platform. Linux, K8s, AWS Fargate and more. πŸ”₯ πŸ”₯
πŸ”₯ πŸ”₯ Open source cloud native security observability platform. Linux, K8s, AWS Fargate and more. πŸ”₯ πŸ”₯

CVE-2021-44228 Log4J Vulnerability can be detected at runtime and attack paths can be visualized by ThreatMapper. Live demo of Log4J Vulnerability her

Jan 1, 2023
W5-test-go - Write functions to pass the tests with the cases need to pass

Week 5 Assignment In this assignment, we expect to you write functions to pass t

Feb 11, 2022
The server-side reproduction, similar the one of https://popcat.click, improve the performance and speed.

PopCat Echo The server-side reproduction, similar the one of https://popcat.click, improve the performance and speed. Docker Image The docker image is

Dec 15, 2022
twtr (pronounced "tweeter") is a drop-in replacement of the original twtxt client

twtr twtr (pronounced "tweeter") is a drop-in replacement of the original twtxt client, with some extensions and bonus features, so you can make the s

Jun 24, 2022
Open Service Mesh (OSM) is a lightweight, extensible, cloud native service mesh that allows users to uniformly manage, secure, and get out-of-the-box observability features for highly dynamic microservice environments.
 Open Service Mesh (OSM) is a lightweight, extensible, cloud native service mesh that allows users to uniformly manage, secure, and get out-of-the-box observability features for highly dynamic microservice environments.

Open Service Mesh (OSM) Open Service Mesh (OSM) is a lightweight, extensible, Cloud Native service mesh that allows users to uniformly manage, secure,

Jan 2, 2023
Hubble - Network, Service & Security Observability for Kubernetes using eBPF
 Hubble - Network, Service & Security Observability for Kubernetes using eBPF

Network, Service & Security Observability for Kubernetes What is Hubble? Getting Started Features Service Dependency Graph Metrics & Monitoring Flow V

Jan 2, 2023
Secure Distributed Thanos Deployment using an Observability Cluster

Atlas Status: BETA - I don't expect breaking changes, but still possible. Atlas, forced by Zeus to support the heavens and the skies on his shoulders.

Jun 11, 2022
Measure the overheads of various observability tools, especially profilers.

strong: WIP - NOT READY TO LOOK AT go-observability-bench Terminology Workload: A Go function performing a small task (< 100ms) like parsing a big blo

Apr 23, 2022
Tiny Go program to set Elgato Key Light options

Elgato Key Light Controller This is a tiny Go program to control the power, brightness, and temperature settings for Elgato Key Lights with known IP a

Feb 8, 2022
Flux is a tool for keeping Kubernetes clusters in sync with sources of configuration, and automating updates to configuration when there is new code to deploy.
 Flux is a tool for keeping Kubernetes clusters in sync with sources of configuration, and automating updates to configuration when there is new code to deploy.

Flux is a tool for keeping Kubernetes clusters in sync with sources of configuration (like Git repositories), and automating updates to configuration when there is new code to deploy.

Jan 8, 2023
Shell script to download and set GO environmental paths to allow multiple versions.
 Shell script to download and set GO environmental paths to allow multiple versions.

gobrew gobrew lets you easily switch between multiple versions of go. It is based on rbenv and pyenv. Installation The automatic installer You can ins

Nov 3, 2022
The official container networking plugin for both OECP of Alibaba Cloud and SOFAStack of Ant Financial Co.

Rama What is Rama? Rama is an open source container networking solution, integrated with Kubernetes and used officially by following well-known PaaS p

Dec 29, 2022
Secure Edge Networking Based On Kubernetes And KubeEdge.
 Secure Edge Networking Based On Kubernetes And KubeEdge.

What is FabEdge FabEdge is an open source edge networking solution based on kubernetes and kubeedge. It solves the problems including complex network

Jan 3, 2023
PolarDB-X Operator is a Kubernetes extension that aims to create and manage PolarDB-X cluster on Kubernetes.

GalaxyKube -- PolarDB-X Operator PolarDB-X Operator is a Kubernetes extension that aims to create and manage PolarDB-X cluster on Kubernetes. It follo

Dec 19, 2022
βš” Personal Golang starter kit with an engineer research perspective, expressjs developer friendly, and aims for rapid app development.
 βš” Personal Golang starter kit with an engineer research perspective, expressjs developer friendly, and aims for rapid app development.

Goku (WIP; Author Only) βš” Personal Golang starter kit with an engineer research perspective, expressjs developer friendly, and aims for rapid app deve

Jan 6, 2022