096b090caf
* cmd/containerboot,kube,util/linuxfw: configure kube egress proxies to route to 1+ tailnet targets
This commit is first part of the work to allow running multiple
replicas of the Kubernetes operator egress proxies per tailnet service +
to allow exposing multiple tailnet services via each proxy replica.
This expands the existing iptables/nftables-based proxy configuration
mechanism.
A proxy can now be configured to route to one or more tailnet targets
via a (mounted) config file that, for each tailnet target, specifies:
- the target's tailnet IP or FQDN
- mappings of container ports to which cluster workloads will send traffic to
tailnet target ports where the traffic should be forwarded.
Example configfile contents:
{
"some-svc": {"tailnetTarget":{"fqdn":"foo.tailnetxyz.ts.net","ports"{"tcp:4006:80":{"protocol":"tcp","matchPort":4006,"targetPort":80},"tcp:4007:443":{"protocol":"tcp","matchPort":4007,"targetPort":443}}}}
}
A proxy that is configured with this config file will configure firewall rules
to route cluster traffic to the tailnet targets. It will then watch the config file
for updates as well as monitor relevant netmap updates and reconfigure firewall
as needed.
This adds a bunch of new iptables/nftables functionality to make it easier to dynamically update
the firewall rules without needing to restart the proxy Pod as well as to make
it easier to debug/understand the rules:
- for iptables, each portmapping is a DNAT rule with a comment pointing
at the 'service',i.e:
-A PREROUTING ! -i tailscale0 -p tcp -m tcp --dport 4006 -m comment --comment "some-svc:tcp:4006 -> tcp:80" -j DNAT --to-destination 100.64.1.18:80
Additionally there is a SNAT rule for each tailnet target, to mask the source address.
- for nftables, a separate prerouting chain is created for each tailnet target
and all the portmapping rules are placed in that chain. This makes it easier
to look up rules and delete services when no longer needed.
(nftables allows hooking a custom chain to a prerouting hook, so no extra work
is needed to ensure that the rules in the service chains are evaluated).
The next steps will be to get the Kubernetes Operator to generate
the configfile and ensure it is mounted to the relevant proxy nodes.
Updates tailscale/tailscale#13406
Signed-off-by: Irbe Krumina <irbe@tailscale.com>
|
||
|---|---|---|
| .bencher | ||
| .github | ||
| appc | ||
| atomicfile | ||
| chirp | ||
| client | ||
| clientupdate | ||
| cmd | ||
| control | ||
| derp | ||
| disco | ||
| docs | ||
| doctor | ||
| drive | ||
| envknob | ||
| gokrazy | ||
| health | ||
| hostinfo | ||
| internal | ||
| ipn | ||
| jsondb | ||
| k8s-operator | ||
| kube | ||
| licenses | ||
| log | ||
| logpolicy | ||
| logtail | ||
| metrics | ||
| net | ||
| omit | ||
| packages/deb | ||
| paths | ||
| portlist | ||
| posture | ||
| prober | ||
| proxymap | ||
| release | ||
| safesocket | ||
| safeweb | ||
| scripts | ||
| sessionrecording | ||
| smallzstd | ||
| ssh/tailssh | ||
| syncs | ||
| tailcfg | ||
| taildrop | ||
| tempfork | ||
| tka | ||
| tool | ||
| tsconst | ||
| tsd | ||
| tsnet | ||
| tstest | ||
| tstime | ||
| tsweb | ||
| types | ||
| util | ||
| version | ||
| wf | ||
| wgengine | ||
| words | ||
| .gitattributes | ||
| .gitignore | ||
| .golangci.yml | ||
| ALPINE.txt | ||
| AUTHORS | ||
| CODEOWNERS | ||
| CODE_OF_CONDUCT.md | ||
| Dockerfile | ||
| Dockerfile.base | ||
| LICENSE | ||
| Makefile | ||
| PATENTS | ||
| README.md | ||
| SECURITY.md | ||
| VERSION.txt | ||
| api.md | ||
| build_dist.sh | ||
| build_docker.sh | ||
| flake.lock | ||
| flake.nix | ||
| go.mod | ||
| go.mod.sri | ||
| go.sum | ||
| go.toolchain.branch | ||
| go.toolchain.rev | ||
| gomod_test.go | ||
| header.txt | ||
| pkgdoc_test.go | ||
| pull-toolchain.sh | ||
| shell.nix | ||
| staticcheck.conf | ||
| update-flake.sh | ||
| version-embed.go | ||
| version_tailscale_test.go | ||
| version_test.go | ||
README.md
Tailscale
Private WireGuard® networks made easy
Overview
This repository contains the majority of Tailscale's open source code.
Notably, it includes the tailscaled daemon and
the tailscale CLI tool. The tailscaled daemon runs on Linux, Windows,
macOS, and to varying degrees
on FreeBSD and OpenBSD. The Tailscale iOS and Android apps use this repo's
code, but this repo doesn't contain the mobile GUI code.
Other Tailscale repos of note:
- the Android app is at https://github.com/tailscale/tailscale-android
- the Synology package is at https://github.com/tailscale/tailscale-synology
- the QNAP package is at https://github.com/tailscale/tailscale-qpkg
- the Chocolatey packaging is at https://github.com/tailscale/tailscale-chocolatey
For background on which parts of Tailscale are open source and why, see https://tailscale.com/opensource/.
Using
We serve packages for a variety of distros and platforms at https://pkgs.tailscale.com.
Other clients
The macOS, iOS, and Windows clients use the code in this repository but additionally include small GUI wrappers. The GUI wrappers on non-open source platforms are themselves not open source.
Building
We always require the latest Go release, currently Go 1.23. (While we build releases with our Go fork, its use is not required.)
go install tailscale.com/cmd/tailscale{,d}
If you're packaging Tailscale for distribution, use build_dist.sh
instead, to burn commit IDs and version info into the binaries:
./build_dist.sh tailscale.com/cmd/tailscale
./build_dist.sh tailscale.com/cmd/tailscaled
If your distro has conventions that preclude the use of
build_dist.sh, please do the equivalent of what it does in your
distro's way, so that bug reports contain useful version information.
Bugs
Please file any issues about this code or the hosted service on the issue tracker.
Contributing
PRs welcome! But please file bugs. Commit messages should reference bugs.
We require Developer Certificate of
Origin
Signed-off-by lines in commits.
See git log for our commit message style. It's basically the same as
Go's style.
About Us
Tailscale is primarily developed by the people at https://github.com/orgs/tailscale/people. For other contributors, see:
- https://github.com/tailscale/tailscale/graphs/contributors
- https://github.com/tailscale/tailscale-android/graphs/contributors
Legal
WireGuard is a registered trademark of Jason A. Donenfeld.