Version: latest

Proxy

Description

The proxy allows targets (e.g. a TCP application) to be connected to multiple network service instances (e.g. stateless-lb) via a single network interface.

To create the full mesh between the proxy and the network service instances, the proxy uses the NSM API to monitor the NSEs and requests a connection to each of them. Towards the targets, the proxy itself acts as a network service whose name is the conduit's network service name prefixed with proxy: proxy.<conduit-name>.<trench-name>.<namespace>.

When started, the proxy requests a subnet from the IPAM Service, so each proxy instance owns a unique subnet and allocates the IPs of its targets and of the network service instances from it. Since each proxy has a unique subnet, the network service instances can easily find the correct path to a target via their default routes.

From the network service instances' side, the proxy acts as a bridge, so the network service instances can reach each individual target via its IP. From the targets' side, the proxy acts as a router/gateway for the outgoing traffic of the target. Since it acts as a router/gateway, the proxy creates source-based routes to distribute the outgoing traffic among the network service instances.

Note: Currently the proxy supports only one conduit.


Configuration

https://github.com/Nordix/Meridio/blob/master/cmd/proxy/internal/config/config.go

| Environment variable | Type | Description | Default |
|---|---|---|---|
| NSM_NAME | string | Name of the pod | proxy |
| NSM_SERVICE_NAME | string | Name of the Network Service | proxy |
| NSM_CONNECT_TO | url.URL | URL to connect to NSM | unix:///var/lib/networkservicemesh/nsm.io.sock |
| NSM_DIAL_TIMEOUT | time.Duration | Timeout to dial NSMgr | 5s |
| NSM_REQUEST_TIMEOUT | time.Duration | Timeout to request an NSE | 15s |
| NSM_MAX_TOKEN_LIFETIME | time.Duration | Maximum lifetime of tokens | 24h |
| NSM_IPAM_SERVICE | string | IP (or domain) and port of the IPAM Service | ipam-service:7777 |
| NSM_HOST | string | Host name the proxy is running on | |
| NSM_NETWORK_SERVICE_NAME | string | Name of the network service the proxy requests the connection to | load-balancer |
| NSM_NAMESPACE | string | Namespace the pod is running in | default |
| NSM_TRENCH | string | Trench the pod is running in | default |
| NSM_CONDUIT | string | Name of the conduit | load-balancer |
| NSM_NSP_SERVICE_NAME | string | IP (or domain) of the NSP Service | nsp-service |
| NSM_NSP_SERVICE_PORT | int | Port of the NSP Service | 7778 |
| NSM_IP_FAMILY | string | IP family | dualstack |
| NSM_LOG_LEVEL | string | Log level | DEBUG |
| NSM_MTU | int | Conduit MTU | 1500 |
| NSM_GRPC_KEEPALIVE_TIME | time.Duration | gRPC keepalive timeout | 30s |
| NSM_GRPC_PROBE_RPC_TIMEOUT | time.Duration | RPC timeout of the internal gRPC health probe | 1s |
| NSM_GRPC_MAX_BACKOFF | time.Duration | Upper bound on the gRPC connection backoff delay | 5s |
| NSM_IP_RELEASE_DELAY | time.Duration | Delay before releasing the IP address of an NSM connection | 20s |

Command Line

| Command | Action | Default |
|---|---|---|
| --help | Display a help describing | |
| --version | Display the version | |
| --debug | Prints meridio-version, unix-time, network-interfaces, rules, route, neighbors, system information, and environment-variables in a json format | |

Communication

The proxy communicates with the following components:

| Component | Secured | Method | Description |
|---|---|---|---|
| Spire | TBD | Unix Socket | Obtain and validate SVIDs |
| NSM | yes (mTLS) | Unix Socket | Request/Close connections. Register NSE. |
| NSP Service | yes (mTLS) | TCP | Watch configuration |
| IPAM Service | yes (mTLS) | TCP | Allocate/Release IPs |

An overview of the communications between all components is available here.

Health check

The health check is provided by the GRPC Health Checking Protocol. The status returned can be UNKNOWN, SERVING, NOT_SERVING or SERVICE_UNKNOWN.

| Service | Description |
|---|---|
| Liveness | A single service used by the liveness probe to return a status; it can aggregate other lesser services |
| Readiness | A single service used by the readiness probe to return a status; it can aggregate other lesser services |

| Service | Probe | Description |
|---|---|---|
| IPAMCli | Readiness | Monitor the status of the connection to the IPAM service |
| NSPCli | Readiness | Monitor the status of the connection to the NSP service |
| NSMEndpoint | Readiness, Liveness | Monitor the status of the NSE |
| Egress | Readiness | Check that at least one stateless-lb-frontend is connected |
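As an added illustration (not Meridio's own code), the following Go model shows how the two tables above compose: Liveness aggregates only NSMEndpoint, Readiness aggregates IPAMCli, NSPCli, NSMEndpoint and Egress, so a missing stateless-lb-frontend makes the pod not ready without making it unhealthy. The rule that an aggregate is SERVING only when every member is SERVING, and the SERVICE_UNKNOWN fallback for unregistered names, are assumptions; the real proxy serves these statuses through the gRPC health library.

```go
package main

// Status mirrors the grpc.health.v1 ServingStatus values listed above.
type Status int

const (
	Unknown Status = iota
	Serving
	NotServing
	ServiceUnknown
)

// members lists which lesser services each probe service aggregates (from the table).
var members = map[string][]string{
	"Liveness":  {"NSMEndpoint"},
	"Readiness": {"IPAMCli", "NSPCli", "NSMEndpoint", "Egress"},
}

// Health tracks the status reported by each lesser service; each starts UNKNOWN.
type Health struct{ services map[string]Status }

func NewHealth() *Health {
	h := &Health{services: map[string]Status{}}
	for _, n := range members["Readiness"] { // Readiness lists every lesser service
		h.services[n] = Unknown
	}
	return h
}

// Set records the status reported by one lesser service.
func (h *Health) Set(name string, s Status) { h.services[name] = s }

// Check answers a grpc.health.v1 Check by service name. An aggregate is
// SERVING only when every member is SERVING (assumed rule: an UNKNOWN or
// NOT_SERVING member fails it); a name nobody registered is SERVICE_UNKNOWN.
func (h *Health) Check(service string) Status {
	if ms, ok := members[service]; ok {
		for _, m := range ms {
			if h.services[m] != Serving {
				return NotServing
			}
		}
		return Serving
	}
	if s, ok := h.services[service]; ok {
		return s
	}
	return ServiceUnknown
}
```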

Privileges

The proxy requires the following privileges to work properly:

| Name | Description |
|---|---|
| Sysctl: net.ipv4.conf.all.forwarding=1 | Enable IP forwarding |
| Sysctl: net.ipv6.conf.all.forwarding=1 | Enable IP forwarding |
| Sysctl: net.ipv6.conf.all.accept_dad=0 | Disable DAD (Duplicate Address Detection) |
| Sysctl: net.ipv4.fib_multipath_hash_policy=1 | Use the Layer 4 hash policy for ECMP on IPv4 |
| Sysctl: net.ipv6.fib_multipath_hash_policy=1 | Use the Layer 4 hash policy for ECMP on IPv6 |
| Sysctl: net.ipv4.conf.all.rp_filter=0 | Allow packets to have a source IPv4 address which does not correspond to any routing destination address. |
| Sysctl: net.ipv4.conf.default.rp_filter=0 | Allow packets to have a source IPv4 address which does not correspond to any routing destination address. |
| NET_ADMIN | The proxy creates IP rules, IP routes and bridge interfaces, and modifies NSM interfaces to link them to bridge interfaces. |