Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs(tproxy): restructure and expand transparent proxy documentation #2064

Open
wants to merge 55 commits into
base: master
Choose a base branch
from

Conversation

bartsmykla
Copy link
Contributor

Transparent proxy docs are now consolidated under "Using Kuma / Service Discovery & Networking / Transparent Proxy". The former "Kuma in Production" content is now "Introduction" in this group, and "Using Kuma / Transparent Proxying" is now "Technical Overview". Reachable Services, Reachable Backends, installation, and configuration are split into separate pages.

Added a Transparent Proxy Configuration Reference.


Did you sign your commit? Instructions: 👍

Have you read Contributing guidelines?: 👍

Transparent proxy docs are now consolidated under
 Using Kuma / Service Discovery & Networking / Transparent Proxy.
The former "Kuma in Production" content is now "Introduction" in this
group, and "Using Kuma / Transparent Proxying" is now "Technical
Overview". Reachable Services, Reachable Backends, installation, and
configuration are split into separate pages.

Added a Transparent Proxy Configuration Reference.

Signed-off-by: Bart Smykla <[email protected]>
Signed-off-by: Bart Smykla <[email protected]>
@bartsmykla bartsmykla requested a review from Automaat November 5, 2024 08:30
@bartsmykla bartsmykla requested a review from a team as a code owner November 5, 2024 08:30
@bartsmykla bartsmykla requested review from lukidzi and removed request for a team November 5, 2024 08:30
Copy link

netlify bot commented Nov 5, 2024

Deploy Preview for kuma ready!

Name Link
🔨 Latest commit fb9b9b1
🔍 Latest deploy log https://app.netlify.com/sites/kuma/deploys/674d422594f84600087185f3
😎 Deploy Preview https://deploy-preview-2064--kuma.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.
Lighthouse
Lighthouse
1 paths audited
Performance: 82 (🔴 down 9 from production)
Accessibility: 90 (no change from production)
Best Practices: 100 (no change from production)
SEO: 92 (no change from production)
PWA: 80 (no change from production)
View the detailed breakdown and full score reports

To edit notification comments on pull requests, go to your Netlify site configuration.

Signed-off-by: Bart Smykla <[email protected]>
Signed-off-by: Bart Smykla <[email protected]>

A transparent proxy is a type of server that can intercept network traffic to and from a service without changes to the client application code. In the case of {{ Kuma }} it is used to capture traffic and redirect it to `kuma-dp` so Mesh policies can be applied.

To accomplish this, {{ Kuma }} utilizes [`iptables`](https://linux.die.net/man/8/iptables) and offers additional, experimental support for [`eBPF`]({{ docs }}/production/dp-config/cni/#merbridge-cni-with-ebpf). The examples provided in this section will concentrate on iptables to clearly illustrate the point.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
To accomplish this, {{ Kuma }} utilizes [`iptables`](https://linux.die.net/man/8/iptables) and offers additional, experimental support for [`eBPF`]({{ docs }}/production/dp-config/cni/#merbridge-cni-with-ebpf). The examples provided in this section will concentrate on iptables to clearly illustrate the point.
To accomplish this, {{ Kuma }} utilizes [iptables](https://linux.die.net/man/8/iptables) and offers additional, experimental support for [eBPF](https://ebpf.io/). The examples provided in this section will concentrate on iptables to clearly illustrate the point.

@@ -173,8 +173,14 @@ Vuejs
websockets?
wireframes?
workspace
yaml
yaml|YAML
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm off the opinion of being opiniated and when both are accepted only tolerate one.

UIDs?
use_original_dst
orin
ConfigMap
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please respect the lexico order on this file

Copy link
Contributor

@lahabana lahabana left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is VERY VERY good! I have a lot of comments but it's also because there's a lot of content here :)


A transparent proxy is a server that intercepts network traffic going to and from a service without requiring any changes to the application code. In {{ site.mesh_product_name}}, it captures this traffic and routes it to the data plane proxy, allowing policies to be applied.

For more details, see the [Transparent Proxy](/docs/{{ page.version}}/{% if_version lte:2.8.x inline:true %}production/dp-config/transparent-proxying/{% endif_version %}{% if_version gte:2.9.x inline:true %}/networking/transparent-proxy/introduction/{% endif_version %}) documentation.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be a subsection in the data plane entry? I feel like you'd read dp, inbound, outbound and then transparent proxy WDYT?


## Transparent proxy

A transparent proxy is a server that intercepts network traffic going to and from a service without requiring any changes to the application code. In {{ site.mesh_product_name}}, it captures this traffic and routes it to the data plane proxy, allowing policies to be applied.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

a server?!

Maybe you should step back a little and approach from the user point view something like:

Data planes are usually configured in a setup that is called `transparent proxy`. In this case, both inbound and outbound traffic will be transparently routed through the data plane proxy. This enables users to use {{ site.mesh_product_name }} without any change to the data plane app.

Universal mode is best combined with {% if_version lte:2.1.x %}[transparent proxy](/docs/{{ page.release }}/networking/transparent-proxying){% endif_version%}{% if_version gte:2.2.x %}[transparent proxy](/docs/{{ page.release }}/production/dp-config/transparent-proxying/){% endif_version%}. For backward compatibility only, you can consume an external service from within the mesh by filling the proper `outbound` section of the relevant data plane resource:
{% capture tproxy-link %}/docs/{{ page.release }}/{% if_version lte:2.1.x %}networking/transparent-proxying/{% endif_version%}{% if_version gte:2.2.x lte:2.8.x %}production/dp-config/transparent-proxying/{% endif_version%}{% if_version gte:2.9.x %}networking/transparent-proxy/introduction/{% endif_version%}{% endcapture %}

Universal mode is best combined with [transparent proxy]({{ tproxy-link }}). For backward compatibility only, you can consume an external service from within the mesh by filling the proper `outbound` section of the relevant data plane resource:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's the story with MES?

@@ -5,7 +5,7 @@ content_type: how-to

In order for traffic to flow through the {{site.mesh_product_name}} data plane, all inbound and
outbound traffic for a service needs to go through its data plane proxy.
The recommended way of accomplishing this is via {% if_version lte:2.1.x %}[transparent proxying](/docs/{{ page.release }}/networking/transparent-proxying){% endif_version %}{% if_version gte:2.2.x %}[transparent proxying](/docs/{{ page.release }}/production/dp-config/transparent-proxying/){% endif_version %}.
The recommended way of accomplishing this is via [transparent proxying](/docs/{{ page.release }}/{% if_version lte:2.1.x %}networking/transparent-proxying/{% endif_version %}{% if_version gte:2.2.x lte:2.8.x %}production/dp-config/transparent-proxying/{% endif_version %}{% if_version gte:2.9.x %}networking/transparent-proxy/introduction/{% endif_version %}).
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should the CNI page just be in transparent proxy?

By default, with the transparent proxy enabled, each data plane proxy follows all other proxies in the mesh. In large meshes, a data plane proxy usually connects to only a few services. Defining this list of reachable services can significantly improve {{site.mesh_product_name}}'s performance. {% if_version lte:2.8.x %}Benefits include:
* The control plane generates a much smaller XDS configuration (fewer clusters/listeners), saving CPU and memory.
* Smaller configurations reduce network bandwidth.
* Envoy manages fewer clusters/listeners, reducing statistics and memory usage.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Worth doing:

  • Reduce CPU/Memory usage on the CP: As the configuration is smaller
  • Lower network bandwidth: Because configuration is smaller and that it will change less often
  • Reduce CPU/Memory usage on the DP: As there are less clusters/listeners.

People care about the effect more than the reason for it.


Reachable Backends provides similar functionality to [Reachable Services]({{ docs }}/networking/transparent-proxy/reachable-services/), but it applies to resources such as [MeshService]({{ docs }}/networking/meshservice), [MeshExternalService]({{ docs }}/networking/meshexternalservice), and [MeshMultiZoneService]({{ docs }}/networking/meshmultizoneservice).

By default, each data plane proxy tracks all other data planes in the mesh, which can impact performance and use more resources. Configuring `reachableBackends` allows you to specify only the services your application actually needs to communicate with, improving efficiency.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
By default, each data plane proxy tracks all other data planes in the mesh, which can impact performance and use more resources. Configuring `reachableBackends` allows you to specify only the services your application actually needs to communicate with, improving efficiency.
By default, each data plane proxy can access all other services in the mesh. This impacts performance and resources consumption. With `reachableBackends` you specify a subset of service services your application communicates with, which enables {{ Kuma }} to trim the configuration and be more efficient.

- **MeshExternalService**
- **MeshMultiZoneService**
- **name**: Name of the resource.
- **namespace**: (Kubernetes only) Namespace where the resource is located. Required if using `namespace`.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't get this. namespace is required when using namespace?

name: demo-app
namespace: kuma-demo
annotations:
kuma.io/reachable-backends: ""
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it be easier to understand with refs: [] ?

refs:
- kind: MeshService
labels:
k8s.kuma.io/namespace: kuma-demo
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There can be a universal equivalent to this right?

A universal workload that only talks to stuff in a kuberenetes namespace (in another zone)

- **MeshMultiZoneService**
- **name**: Name of the resource.
- **namespace**: (Kubernetes only) Namespace where the resource is located. Required if using `namespace`.
- **labels**: A list of labels to match resources. You can define either `labels` or `name`.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's worth mentioning here that when we use this it matches ALL the workloads that have these labels. I think that's how reachableBackends is so much better than reachableServices

Signed-off-by: Bart Smykla <[email protected]>
Signed-off-by: Bart Smykla <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants