package cmd
import (
"fmt"
"os"
"github.com/runconduit/conduit/proxy-init/iptables"
log "github.com/sirupsen/logrus"
"github.com/spf13/cobra"
)
// Values of the proxy-init command-line flags. init binds them to RootCmd's
// persistent flags and buildFirewallConfiguration copies them into the
// firewall configuration.
var (
	// Proxy ports that redirected incoming and outgoing traffic is sent to.
	incomingProxyPort int
	outgoingProxyPort int

	// User ID the proxy runs under; per the flag help, traffic from this
	// user is ignored to avoid infinite redirection loops.
	proxyUserId int

	// Ports to redirect to the proxy; empty means all ports are redirected.
	portsToRedirect []int

	// Ports excluded from redirection in each direction.
	inboundPortsToIgnore  []int
	outboundPortsToIgnore []int

	// When set, commands are printed rather than executed.
	simulateOnly bool
)
// RootCmd is the proxy-init command. Running it builds a firewall
// configuration from the parsed flags and hands it to
// iptables.ConfigureFirewall; any error returned is fatal.
var RootCmd = &cobra.Command{
	Use:   "proxy-init",
	Short: "Adds a Kubernetes pod to join the Conduit Service Mesh",
	Long: `proxy-init Adds a Kubernetes pod to join the Conduit Service Mesh.

Find more information at https://conduit.io/.`,
	Run: func(_ *cobra.Command, _ []string) {
		// Flag validation happens inside buildFirewallConfiguration, which
		// exits the process itself when a proxy port is out of range.
		config := buildFirewallConfiguration()
		if err := iptables.ConfigureFirewall(config); err != nil {
			log.Fatal(err)
		}
	},
}
// Execute runs RootCmd. If the command returns an error, the error is printed
// to standard output and the process exits with status -1.
func Execute() {
	err := RootCmd.Execute()
	if err == nil {
		return
	}

	fmt.Println(err)
	os.Exit(-1)
}
// init registers the proxy-init flags on RootCmd and binds each one to its
// package-level variable.
func init() {
	flags := RootCmd.PersistentFlags()

	// Both proxy ports and the proxy UID default to -1. The ports are
	// range-checked in buildFirewallConfiguration, so they must be supplied;
	// the UID is passed through unchecked.
	flags.IntVarP(&incomingProxyPort, "incoming-proxy-port", "p", -1, "Port to redirect incoming traffic")
	flags.IntVarP(&outgoingProxyPort, "outgoing-proxy-port", "o", -1, "Port to redirect outgoing traffic")
	flags.IntVarP(&proxyUserId, "proxy-uid", "u", -1, "User ID that the proxy is running under. Any traffic coming from this user will be ignored to avoid infinite redirection loops.")

	flags.BoolVar(&simulateOnly, "simulate", false, "Don't execute any command, just print what would be executed")

	// Port lists default to empty; an empty redirect list selects
	// redirect-all mode in buildFirewallConfiguration.
	flags.IntSliceVarP(&portsToRedirect, "ports-to-redirect", "r", []int{}, "Port to redirect to proxy, if no port is specified then ALL ports are redirected")
	flags.IntSliceVar(&inboundPortsToIgnore, "inbound-ports-to-ignore", []int{}, "Inbound ports to ignore and not redirect to proxy. This has higher precedence than any other parameters.")
	flags.IntSliceVar(&outboundPortsToIgnore, "outbound-ports-to-ignore", []int{}, "Outbound ports to ignore and not redirect to proxy. This has higher precedence than any other parameters.")
}
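// buildFirewallConfiguration validates the proxy port flags and assembles the
// iptables.FirewallConfiguration passed to iptables.ConfigureFirewall.
//
// If either proxy port is outside 0-65535 it prints a message to standard
// output and exits the process with status 1. Redirect-listed mode is chosen
// when --ports-to-redirect names at least one port; otherwise all ports are
// redirected.
func buildFirewallConfiguration() iptables.FirewallConfiguration {
	if incomingProxyPort < 0 || incomingProxyPort > 65535 {
		fmt.Println("--incoming-proxy-port must be a valid TCP port number")
		os.Exit(1)
	}

	// The upper bound must be checked against outgoingProxyPort itself.
	// Comparing against incomingProxyPort here would let an out-of-range
	// outgoing port through to the firewall rules.
	if outgoingProxyPort < 0 || outgoingProxyPort > 65535 {
		fmt.Println("--outgoing-proxy-port must be a valid TCP port number")
		os.Exit(1)
	}

	// NOTE(review): proxyUserId (default -1) and the entries of the three port
	// lists are passed through without range checks. Confirm that
	// iptables.ConfigureFirewall rejects invalid values, since the
	// UID exemption is what prevents redirection loops.
	firewallConfiguration := iptables.FirewallConfiguration{
		Mode:                   iptables.RedirectAllMode,
		PortsToRedirectInbound: portsToRedirect,
		InboundPortsToIgnore:   inboundPortsToIgnore,
		OutboundPortsToIgnore:  outboundPortsToIgnore,
		ProxyInboundPort:       incomingProxyPort,
		ProxyOutgoingPort:      outgoingProxyPort,
		ProxyUid:               proxyUserId,
		SimulateOnly:           simulateOnly,
	}

	// An explicit port list narrows redirection to just those ports.
	if len(portsToRedirect) > 0 {
		firewallConfiguration.Mode = iptables.RedirectListedMode
	}

	return firewallConfiguration
}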