Skip to content

media-streaming-mesh/msm-cni

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

MSM CNI plugin

Any application pod that is MSM enabled will have all its traffic to/from the pods go through the MSM stub (sidecar proxy). The MSM CNI works as a chained plugin to the already installed CNIs (that provide network connectivity to the pods) and is responsible is to install all the rules without the need to give privileged access to the application pods.

The current implementation is configuring the iptables rules in the netns for the pods. MSM CNI runs as a DaemonSet on a Kubernetes cluster (runs on every node) and can be configured via a configuration file.

Usage

The easiest way to get started with the MSM CNI is by using the deployment example found under MSM CNI Helm chart

Implementation Details

Overview

  • MSM CNI Helm chart

    • msm-cni daemonset
    • msm-cni-config chained CNI configuration for MSM CNI
    • creates service-account msm-cni and ClusterRoleBinding to allow GET queries for pods from K8s API
  • installer container

    • creates kubeconfig for the service account the pod runs under
    • copies the binaries msm-cniand msm-iptables /opt/cni/bin
    • appends the MSM CNI plugin configuration to any already installed CNI configuration file
  • msm-cni

    • a CNI plugin executable
    • on pod add, decides if pod should redirect traffic to MSM stub (sidecar proxy) by installing iptables rules
  • msm-iptables

    • an executable responsible to set up iptables to redirect a list of ports to the MSM sidecar proxy

Troubleshooting

Collecting Logs

The CNI plugins are executed by threads in the kubelet process. The CNI plugins logs can be found under the kubelet process. An example to view the last 1000 lines of the kubelet process is:

$ journalctl -t kubelet -n 1000 | less

About

A chained CNI to inject Iptables rules in MSM enabled pods

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages