Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

enhancement: add tunnel server internal service in order to prevent x-tunnel-server-svc attached SLB to listen unsecure port #284

Merged
merged 1 commit into from
Apr 28, 2021
Merged

enhancement: add tunnel server internal service in order to prevent x-tunnel-server-svc attached SLB to listen unsecure port #284

merged 1 commit into from
Apr 28, 2021

Conversation

rambohe-ch
Copy link
Member

@rambohe-ch rambohe-ch commented Apr 27, 2021
edited
Loading

Ⅰ. Describe what this PR does

  • background:

    1. In order to deploy promtheus(also metrics-server) and yurt-tunnel-server on different cloud nodes, prometheus need to use {hostname:port} (take port=9100 as a example) to access edge node through yurt-tunnel-server and yurt-tunnel-agent and resolve hostname to service ip of yurt-tunnel-server. on the same time, we need to add 9100:10264 mapping info in yurt-tunnel-server service for redirect port.
    2. the original yurt-tunnel-server service(x-tunnel-server-svc) is used by yurt-tunnel-agent to connect yurt-tunnel-server. and x-tunnel-server-svc service may be configured as NodePort type or LoadBalancer type for public network access.
    3. If x-tunnel-server-svc service type is LoadBalancer, the proxy ports in x-tunnel-service-svc service will be listened by corresponding SLB(in public cloud. but listen internal port(9100) on public network will cause security risks.

  • solution:
    we can add a new service(type=ClusterIP) named x-tunnel-server-internal-svc for yurt-tunnel-server, so x-tunnel-server-svc service is used for public network access, and newly added service is used for internal component(like prometheus/metrics server) access. and internal port mapping(like above 9100:10264) will only be added in x-tunnel-server-internal-svc svc. so security risk can be solved.

Ⅱ. Does this pull request fix one issue?

Ⅲ. List the added test cases (unit test/integration test) if any, please explain if no tests are needed.

Ⅳ. Describe how to verify it

make all
and make sure the yurt-tunnel can work with dns

Ⅴ. Special notes for reviews

@rambohe-ch
enhancement: add tunnel server internal service in order to prevent x…
6f51694 
…-tunnel-server-svc

attached SLB to listen unsecure port.
SataQiu
SataQiu reviewed Apr 28, 2021
View reviewed changes
Copy link
Member

@SataQiu SataQiu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM
defer @Fei-Guo for more reviews

@Fei-Guo
Copy link
Member

Fei-Guo commented Apr 28, 2021
edited
Loading

The major use case of keeping the x-tunnel-server-svc is to allow the tunnel-agent (sit in edge node) to find the tunnel-server (sit in cloud) through the public IP (i.e., the node public IP) + nodeport. It seems that this change does not incur user experience changes.

LGTM.

@Fei-Guo Fei-Guo merged commit ebca595 into openyurtio:master Apr 28, 2021
@rambohe-ch rambohe-ch deleted the add-internal-tunnel-svc branch May 27, 2021 06:26
MrGirl pushed a commit to MrGirl/openyurt that referenced this pull request Mar 29, 2022
@rambohe-ch
enhancement: add tunnel server internal service in order to prevent x…
6a6f342 
…-tunnel-server-svc (openyurtio#284)

attached SLB to listen unsecure port.
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@SataQiu SataQiu SataQiu left review comments

@Fei-Guo Fei-Guo Fei-Guo approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@rambohe-ch @Fei-Guo @SataQiu