Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support auto direction #9

Open
msune opened this issue Oct 7, 2024 · 1 comment
Open

Support auto direction #9

msune opened this issue Oct 7, 2024 · 1 comment
Labels
docker Docker container feature

Comments

@msune
Copy link
Member

msune commented Oct 7, 2024

Add a new DIRECTION supported value, auto, and set it as default.

As opposed to ingress, egress and both, which attach ALL rules to the specified direction(s), auto would split and load funneling rules to EGRESS and unfunneling rules INGRESS, effectively being equivalent to two runs of sfunnel with the corresponding subset of rules.

This would allow turning this:

--- a/nginx.yaml
+++ b/nginx.yaml
@@ -1,21 +1,31 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: my-nginx-deployment
 spec:
   replicas: 4
   selector:
     matchLabels:
       app: my-nginx-app
   template:
     metadata:
       labels:
         app: my-nginx-app
     spec:
       containers:
+        - name: sfunnel-init
+          env:
+            - name: SFUNNEL_RULESET
+              value: ip tcp dport 80 sport 540 actions unfunnel tcp
+          image: ghcr.io/datahangar/sfunnel:0.0.11
+          securityContext:
+            privileged: false #Set to true for some public clouds (e.g. GKE standard)
+            capabilities:
+              add: [BPF, NET_ADMIN, SYS_ADMIN]
+          volumeMounts:
+            - name: bpffs
+              mountPath: /sys/fs/bpf
+        - name: sfunnel-init-egress
+          env:
+            - name: SFUNNEL_RULESET
+              value: ip tcp sport 8080 actions funnel tcp dport 540 sport 80
+            - name: DIRECTION
+              value: egress
+          image: ghcr.io/datahangar/sfunnel:0.0.11
+          securityContext:
+            privileged: false #Set to true for some public clouds (e.g. GKE standard)
+            capabilities:
+              add: [BPF, NET_ADMIN, SYS_ADMIN]
+          volumeMounts:
+            - name: bpffs
+              mountPath: /sys/fs/bpf

into this:

--- a/nginx.yaml
+++ b/nginx.yaml
@@ -1,21 +1,31 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: my-nginx-deployment
 spec:
   replicas: 4
   selector:
     matchLabels:
       app: my-nginx-app
   template:
     metadata:
       labels:
         app: my-nginx-app
     spec:
       containers:
+        - name: sfunnel-init
+          env:
+            - name: SFUNNEL_RULESET
+              value: ip tcp dport 80 sport 540 actions unfunnel tcp; ip tcp dport 80 sport 540 actions unfunnel tcp
+          image: ghcr.io/datahangar/sfunnel:0.0.11
+          securityContext:
+            privileged: false #Set to true for some public clouds (e.g. GKE standard)
+            capabilities:
+              add: [BPF, NET_ADMIN, SYS_ADMIN]
+          volumeMounts:
+            - name: bpffs
+              mountPath: /sys/fs/bpf
@msune msune added feature docker Docker container labels Oct 7, 2024
@msune
Copy link
Member Author

msune commented Oct 7, 2024

This in conjunction with #3 in auto mode would properly cover most of the use-cases.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
docker Docker container feature
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@msune