You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
tailscale/util
Irbe Krumina 096b090caf
cmd/containerboot,kube,util/linuxfw: configure kube egress proxies to route to 1+ tailnet targets (#13531)
* cmd/containerboot,kube,util/linuxfw: configure kube egress proxies to route to 1+ tailnet targets

This commit is first part of the work to allow running multiple
replicas of the Kubernetes operator egress proxies per tailnet service +
to allow exposing multiple tailnet services via each proxy replica.

This expands the existing iptables/nftables-based proxy configuration
mechanism.

A proxy can now be configured to route to one or more tailnet targets
via a (mounted) config file that, for each tailnet target, specifies:
- the target's tailnet IP or FQDN
- mappings of container ports to which cluster workloads will send traffic to
tailnet target ports where the traffic should be forwarded.

Example configfile contents:
{
  "some-svc": {"tailnetTarget":{"fqdn":"foo.tailnetxyz.ts.net","ports"{"tcp:4006:80":{"protocol":"tcp","matchPort":4006,"targetPort":80},"tcp:4007:443":{"protocol":"tcp","matchPort":4007,"targetPort":443}}}}
}

A proxy that is configured with this config file will configure firewall rules
to route cluster traffic to the tailnet targets. It will then watch the config file
for updates as well as monitor relevant netmap updates and reconfigure firewall
as needed.

This adds a bunch of new iptables/nftables functionality to make it easier to dynamically update
the firewall rules without needing to restart the proxy Pod as well as to make
it easier to debug/understand the rules:

- for iptables, each portmapping is a DNAT rule with a comment pointing
at the 'service',i.e:

-A PREROUTING ! -i tailscale0 -p tcp -m tcp --dport 4006 -m comment --comment "some-svc:tcp:4006 -> tcp:80" -j DNAT --to-destination 100.64.1.18:80
Additionally there is a SNAT rule for each tailnet target, to mask the source address.

- for nftables, a separate prerouting chain is created for each tailnet target
and all the portmapping rules are placed in that chain. This makes it easier
to look up rules and delete services when no longer needed.
(nftables allows hooking a custom chain to a prerouting hook, so no extra work
is needed to ensure that the rules in the service chains are evaluated).

The next steps will be to get the Kubernetes Operator to generate
the configfile and ensure it is mounted to the relevant proxy nodes.

Updates tailscale/tailscale#13406

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2 months ago
..
cache util/cache: fix missing interface methods (#11275) 9 months ago
cibuild
clientmetric
cloudenv all: use math/rand/v2 more 6 months ago
cmpver util/cmpver: add Less/LessEq helper funcs 9 months ago
codegen cmd/cloner, cmd/viewer, util/codegen: add support for aliases of cloneable types 3 months ago
cstruct all: use Go 1.22 range-over-int 7 months ago
ctxkey all: use reflect.TypeFor now available in Go 1.22 (#11078) 10 months ago
deephash util/deephash: fix test regression on 32-bit 5 months ago
dirwalk
dnsname all: use Go 1.22 range-over-int 7 months ago
execqueue control/controlclient,util/execqueue: extract execqueue into a package 10 months ago
expvarx all: use Go 1.22 range-over-int 7 months ago
fastuuid all: use Go 1.22 range-over-int 7 months ago
goroutines
groupmember util/groupmember: fail earlier if group doesn't exist, use slices.Contains 1 year ago
hashx all: use Go 1.22 range-over-int 7 months ago
httphdr util/httphdr: add new package for parsing HTTP headers (#9797) 1 year ago
httpm util/httpm: don't run test if .git doesn't exist 1 year ago
jsonutil all: use Go 1.22 range-over-int 7 months ago
limiter all: add test for package comments, fix, add comments as needed 4 months ago
lineread
linuxfw cmd/containerboot,kube,util/linuxfw: configure kube egress proxies to route to 1+ tailnet targets (#13531) 2 months ago
lru util/lru: add Clear method 6 months ago
mak
multierr all: use Go 1.22 range-over-int 7 months ago
must
nocasemaps all: use Go 1.22 range-over-int 7 months ago
osdiag all: add test for package comments, fix, add comments as needed 4 months ago
osshare all: add test for package comments, fix, add comments as needed 4 months ago
osuser util/osuser: turn wasm check into a const expression 4 months ago
pidowner all: use Go 1.22 range-over-int 7 months ago
pool util/pool: add package for storing and using a pool of items 6 months ago
precompress
progresstracking ipn/localapi: add support for multipart POST to file-put 8 months ago
quarantine
race all: use Go 1.22 range-over-int 7 months ago
racebuild
rands wgengine/magicsock: use math/rands/v2 6 months ago
reload all: use math/rand/v2 more 6 months ago
ringbuffer all: use Go 1.22 range-over-int 7 months ago
set util/set: add Of variant of SetOf that takes variadic parameter 7 months ago
singleflight util/singleflight: add DoChanContext 5 months ago
slicesx util/slicesx: add FirstElementEqual and LastElementEqual 2 months ago
syspolicy control/controlclient,posture,util/syspolicy: use predefined syspolicy keys instead of string literals 3 months ago
sysresources
systemd
testenv util/testenv: add new package to hold InTest 1 year ago
topk all: use Go 1.22 range-over-int 7 months ago
truncate util/truncate: support []byte as well (#11614) 8 months ago
uniq all: use Go 1.22 range-over-int 7 months ago
usermetric util/usermetrics: make usermetrics non-global 2 months ago
vizerror
winutil util/winutil: add GetRegUserString/SetRegUserString accessors for storage and retrieval of string values in HKEY_CURRENT_USER 3 months ago
zstdframe all: use Go 1.22 range-over-int 7 months ago