diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000000000000000000000000000000000000..c03622ec568e690748955f8e70512042e225ab6b
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,24 @@
+ARG BASE_REGISTRY=registry1.dsop.io
+ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8
+ARG BASE_TAG=8.2
+
+FROM openpolicyagent/proxy_init:v5 as base
+
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+
+LABEL org.opencontainers.image.title="openpolicyagent/proxy_init" \
+ org.opencontainers.image.description="The proxy-init container installs iptables rules to redirect all container traffic through the Envoy proxy sidecar." \
+ org.opencontainers.image.licenses="Apache-2.0" \
+ org.opencontainers.image.url="https://github.com/open-policy-agent/proxy_init" \
+ org.opencontainers.image.version="v5" \
+ maintainer="cht@dsop.io"
+
+RUN dnf upgrade -y && \
+ dnf install -y iptables && \
+ dnf clean all && \
+ rm -rf /var/cache/dnf
+
+COPY scripts/proxy_init.sh /usr/local/bin/proxy_init.sh
+RUN chmod 755 /usr/local/bin/proxy_init.sh
+
+ENTRYPOINT ["/usr/local/bin/proxy_init.sh"]
diff --git a/Jenkinsfile b/Jenkinsfile
new file mode 100644
index 0000000000000000000000000000000000000000..cfc40f46f7ddf16b278175c9238a1ddb422bc1d7
--- /dev/null
+++ b/Jenkinsfile
@@ -0,0 +1,2 @@
+@Library('DCCSCR@master') _
+dccscrPipeline(version: "v5")
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000000000000000000000000000000000000..4b67f2b583cf555a24dc0b8113218ecef3dc1a2c
--- /dev/null
+++ b/LICENSE
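Review bot: The `FROM openpolicyagent/proxy_init:v5 as base` stage is never consumed by a later `COPY --from=base`, so it pulls the upstream image by a mutable tag and then contributes nothing to the final image, while the digest-pinned reference for the same image lives only in download.yaml. Unless the build environment retags the downloaded image so that the tag is intentional, either remove the stage or pin it to the digest download.yaml already records, `FROM openpolicyagent/proxy_init@sha256:8f988a690516728b08956f2838a7a08202547e44d2c962009301d738c7a4abae as base`. The image also carries no `USER` instruction; since the entrypoint programs iptables it presumably has to run as root with CAP_NET_ADMIN, and a comment above `ENTRYPOINT` such as `# Runs as root: proxy_init.sh programs iptables and needs CAP_NET_ADMIN` would make that privilege requirement visible to whoever writes the Pod spec. `dnf upgrade -y` with no version pin also means two builds of the same commit can differ in package content, which is worth noting if reproducibility matters for this pipeline.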
@@ -0,0 +1,209 @@ +https://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + +Apache License +Version 2.0, January 2004 +http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + +"License" shall mean the terms and conditions for use, reproduction, +and distribution as defined by Sections 1 through 9 of this document. + +"Licensor" shall mean the copyright owner or entity authorized by +the copyright owner that is granting the License. + +"Legal Entity" shall mean the union of the acting entity and all +other entities that control, are controlled by, or are under common +control with that entity. For the purposes of this definition, +"control" means (i) the power, direct or indirect, to cause the +direction or management of such entity, whether by contract or +otherwise, or (ii) ownership of fifty percent (50%) or more of the +outstanding shares, or (iii) beneficial ownership of such entity. + +"You" (or "Your") shall mean an individual or Legal Entity +exercising permissions granted by this License. + +"Source" form shall mean the preferred form for making modifications, +including but not limited to software source code, documentation +source, and configuration files. + +"Object" form shall mean any form resulting from mechanical +transformation or translation of a Source form, including but +not limited to compiled object code, generated documentation, +and conversions to other media types. 
+ +"Work" shall mean the work of authorship, whether in Source or +Object form, made available under the License, as indicated by a +copyright notice that is included in or attached to the work +(an example is provided in the Appendix below). + +"Derivative Works" shall mean any work, whether in Source or Object +form, that is based on (or derived from) the Work and for which the +editorial revisions, annotations, elaborations, or other modifications +represent, as a whole, an original work of authorship. For the purposes +of this License, Derivative Works shall not include works that remain +separable from, or merely link (or bind by name) to the interfaces of, +the Work and Derivative Works thereof. + +"Contribution" shall mean any work of authorship, including +the original version of the Work and any modifications or additions +to that Work or Derivative Works thereof, that is intentionally +submitted to Licensor for inclusion in the Work by the copyright owner +or by an individual or Legal Entity authorized to submit on behalf of +the copyright owner. For the purposes of this definition, "submitted" +means any form of electronic, verbal, or written communication sent +to the Licensor or its representatives, including but not limited to +communication on electronic mailing lists, source code control systems, +and issue tracking systems that are managed by, or on behalf of, the +Licensor for the purpose of discussing and improving the Work, but +excluding communication that is conspicuously marked or otherwise +designated in writing by the copyright owner as "Not a Contribution." + +"Contributor" shall mean Licensor and any individual or Legal Entity +on behalf of whom a Contribution has been received by Licensor and +subsequently incorporated within the Work. + +2. Grant of Copyright License. 
Subject to the terms and conditions of +this License, each Contributor hereby grants to You a perpetual, +worldwide, non-exclusive, no-charge, royalty-free, irrevocable +copyright license to reproduce, prepare Derivative Works of, +publicly display, publicly perform, sublicense, and distribute the +Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. Subject to the terms and conditions of +this License, each Contributor hereby grants to You a perpetual, +worldwide, non-exclusive, no-charge, royalty-free, irrevocable +(except as stated in this section) patent license to make, have made, +use, offer to sell, sell, import, and otherwise transfer the Work, +where such license applies only to those patent claims licensable +by such Contributor that are necessarily infringed by their +Contribution(s) alone or by combination of their Contribution(s) +with the Work to which such Contribution(s) was submitted. If You +institute patent litigation against any entity (including a +cross-claim or counterclaim in a lawsuit) alleging that the Work +or a Contribution incorporated within the Work constitutes direct +or contributory patent infringement, then any patent licenses +granted to You under this License for that Work shall terminate +as of the date such litigation is filed. + +4. Redistribution. 
You may reproduce and distribute copies of the +Work or Derivative Works thereof in any medium, with or without +modifications, and in Source or Object form, provided that You +meet the following conditions: + +(a) You must give any other recipients of the Work or +Derivative Works a copy of this License; and + +(b) You must cause any modified files to carry prominent notices +stating that You changed the files; and + +(c) You must retain, in the Source form of any Derivative Works +that You distribute, all copyright, patent, trademark, and +attribution notices from the Source form of the Work, +excluding those notices that do not pertain to any part of +the Derivative Works; and + +(d) If the Work includes a "NOTICE" text file as part of its +distribution, then any Derivative Works that You distribute must +include a readable copy of the attribution notices contained +within such NOTICE file, excluding those notices that do not +pertain to any part of the Derivative Works, in at least one +of the following places: within a NOTICE text file distributed +as part of the Derivative Works; within the Source form or +documentation, if provided along with the Derivative Works; or, +within a display generated by the Derivative Works, if and +wherever such third-party notices normally appear. The contents +of the NOTICE file are for informational purposes only and +do not modify the License. You may add Your own attribution +notices within Derivative Works that You distribute, alongside +or as an addendum to the NOTICE text from the Work, provided +that such additional attribution notices cannot be construed +as modifying the License. 
+ +You may add Your own copyright statement to Your modifications and +may provide additional or different license terms and conditions +for use, reproduction, or distribution of Your modifications, or +for any such Derivative Works as a whole, provided Your use, +reproduction, and distribution of the Work otherwise complies with +the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, +any Contribution intentionally submitted for inclusion in the Work +by You to the Licensor shall be under the terms and conditions of +this License, without any additional terms or conditions. +Notwithstanding the above, nothing herein shall supersede or modify +the terms of any separate license agreement you may have executed +with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade +names, trademarks, service marks, or product names of the Licensor, +except as required for reasonable and customary use in describing the +origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. Unless required by applicable law or +agreed to in writing, Licensor provides the Work (and each +Contributor provides its Contributions) on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +implied, including, without limitation, any warranties or conditions +of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A +PARTICULAR PURPOSE. You are solely responsible for determining the +appropriateness of using or redistributing the Work and assume any +risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. 
In no event and under no legal theory, +whether in tort (including negligence), contract, or otherwise, +unless required by applicable law (such as deliberate and grossly +negligent acts) or agreed to in writing, shall any Contributor be +liable to You for damages, including any direct, indirect, special, +incidental, or consequential damages of any character arising as a +result of this License or out of the use or inability to use the +Work (including but not limited to damages for loss of goodwill, +work stoppage, computer failure or malfunction, or any and all +other commercial damages or losses), even if such Contributor +has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing +the Work or Derivative Works thereof, You may choose to offer, +and charge a fee for, acceptance of support, warranty, indemnity, +or other liability obligations and/or rights consistent with this +License. However, in accepting such obligations, You may act only +on Your own behalf and on Your sole responsibility, not on behalf +of any other Contributor, and only if You agree to indemnify, +defend, and hold each Contributor harmless for any liability +incurred by, or claims asserted against, such Contributor by reason +of your accepting any such warranty or additional liability. + +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + +To apply the Apache License to your work, attach the following +boilerplate notice, with the fields enclosed by brackets "{}" +replaced with your own identifying information. (Don't include +the brackets!) The text should be enclosed in the appropriate +comment syntax for the file format. We also recommend that a +file or class name and description of purpose be included on the +same "printed page" as the copyright notice for easier +identification within third-party archives. 
+ +Copyright {yyyy} {name of copyright owner} + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/README.md b/README.md index 1e634b909ecc868b7777e83bf4a12e1ebe18b84e..3ed275bddf9f8ac0d15f3a5734a7ece7dbbaa6c3 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,7 @@ # proxy_init +The proxy-init container installs iptables rules to redirect all container traffic through the Envoy proxy sidecar. More information can be found [here](https://github.com/open-policy-agent/contrib/tree/master/envoy_iptables). + +The proxy_init directory contains the Istio proxy init script and a Dockerfile for building an image for the init container that installs iptables rules to redirect all container traffic through the Envoy proxy sidecar. + +Ports can be whitelisted to bypass the envoy proxy by using the -w parameter with a comma separated list of ports. This is useful for application health checks that should go directly to a service. diff --git a/download.yaml b/download.yaml new file mode 100644 index 0000000000000000000000000000000000000000..f432c4bb891e44554f8f04cd05957784790c18a5 --- /dev/null +++ b/download.yaml @@ -0,0 +1,3 @@ +resources: + - url: "docker://docker.io/openpolicyagent/proxy_init@sha256:8f988a690516728b08956f2838a7a08202547e44d2c962009301d738c7a4abae" + tag: "openpolicyagent/proxy_init:v5" diff --git a/renovate.json b/renovate.json new file mode 100644 index 0000000000000000000000000000000000000000..f898778423b6cda05bdc4a024caf308ee3f02e7b --- /dev/null +++ b/renovate.json 
@@ -0,0 +1,22 @@
+{
+ "assignees": ["@vickie.shen"],
+ "baseBranches": ["development"],
+ "regexManagers": [
+ {
+ "fileMatch": ["^Dockerfile$"],
+ "matchStrings": [
+ "version=\"(?.*?)\""
+ ],
+ "depNameTemplate": "openpolicyagent/proxy_init",
+ "datasourceTemplate": "docker"
+ },
+ {
+ "fileMatch": ["^Jenkinsfile$"],
+ "matchStrings": [
+ "version:\\s+\"(?.*?)\""
+ ],
+ "depNameTemplate": "openpolicyagent/proxy_init",
+ "datasourceTemplate": "docker"
+ }
+ ]
+}
diff --git a/scripts/proxy_init.sh b/scripts/proxy_init.sh
new file mode 100644
index 0000000000000000000000000000000000000000..6149e625dfc53ee69904e83c3e52a74d142dbce1
--- /dev/null
+++ b/scripts/proxy_init.sh
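Review bot: Both `matchStrings` entries as rendered here contain `(?.*?)`, which is not a valid capture group, and Renovate's regex manager needs a named group such as `(?<currentValue>.*?)` to know which part of the match is the version to update. If the `<currentValue>` name was merely lost when this page was rendered there is nothing to fix, but it is worth confirming in the committed file, because an invalid pattern would leave both managers matching nothing and the `v5` pins in Dockerfile and Jenkinsfile would never be bumped. The two managers also duplicate `depNameTemplate` and `datasourceTemplate`; a single manager with `"fileMatch": ["^Dockerfile$", "^Jenkinsfile$"]` and both patterns in one `matchStrings` array would express the same thing with less to keep in sync.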
@@ -0,0 +1,109 @@
+#!/bin/bash
+# Envoy initialization script responsible for setting up port forwarding.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+usage() {
+ echo "${0} -p INBOUND_PORT -o OUTBOUND_PORT -u UID [-h]"
+ echo ''
+ echo ' -p: Specify the envoy port to which redirect all inbound TCP traffic'
+ echo ' -o: Specify the envoy port to which redirect all outbound TCP traffic'
+ echo ' -u: Specify the UID of the user for which the redirection is not'
+ echo ' applied. Typically, this is the UID of the proxy container'
+ echo ' -i: Comma separated list of IP ranges in CIDR form to redirect to envoy (optional)'
+ echo ' -w: Comma separated list of ports to allow inbound TCP traffic without redirecting to envoy (optional)'
+ echo ''
+}
+
+IP_RANGES_INCLUDE=""
+WHITELIST_PORTS=""
+
+while getopts ":p:o:u:e:i:w:h" opt; do
+ case ${opt} in
+ p)
+ ENVOY_IN_PORT=${OPTARG}
+ ;;
+ o)
+ ENVOY_OUT_PORT=${OPTARG}
+ ;;
+ u)
+ ENVOY_UID=${OPTARG}
+ ;;
+ i)
+ IP_RANGES_INCLUDE=${OPTARG}
+ ;;
+ w)
+ WHITELIST_PORTS=${OPTARG}
+ ;;
+ h)
+ usage
+ exit 0
+ ;;
+ \?)
+ echo "Invalid option: -$OPTARG" >&2
+ usage
+ exit 1
+ ;;
+ esac
+done
+
+if [[ -z "${ENVOY_IN_PORT-}" ]] || [[ -z "${ENVOY_UID-}" ]]; then
+ echo "Please set both -p and -u parameters"
+ usage
+ exit 1
+fi
+
+# Create a new chain for redirecting inbound traffic to Envoy port
+iptables -t nat -N ENVOY_IN_REDIRECT -m comment --comment "envoy/redirect-inbound-chain"
+
+# Skip Envoy for whitelisted ports
+if [[ WHITELIST_PORTS != "" ]]; then
+ IFS=,
+ for port in ${WHITELIST_PORTS}; do
+ iptables -t nat -A ENVOY_IN_REDIRECT -p tcp --dport ${port} -m conntrack --ctstate NEW,ESTABLISHED -j RETURN -m comment --comment "envoy/whitelisted-port-ingress"
+ done
+fi
+
+iptables -t nat -A ENVOY_IN_REDIRECT -p tcp -j REDIRECT --to-port ${ENVOY_IN_PORT} -m comment --comment "envoy/redirect-to-envoy-inbound-port"
+
+# Redirect all inbound traffic to Envoy.
+iptables -t nat -A PREROUTING -p tcp -j ENVOY_IN_REDIRECT -m comment --comment "envoy/install-envoy-inbound-prerouting"
+
+if [[ ! -z "${ENVOY_OUT_PORT-}" ]]; then
+ # Create a new chain for selectively redirecting outbound packets to Envoy port
+ iptables -t nat -N ENVOY_OUT_REDIRECT -m comment --comment "envoy/redirect-outbound-chain"
+
+ # Jump to the ENVOY_OUT_REDIRECT chain from OUTPUT chain for all tcp traffic.
+ # '-j RETURN' bypasses Envoy and '-j ENVOY_OUT_REDIRECT' redirects to Envoy.
+ iptables -t nat -A OUTPUT -p tcp -j ENVOY_OUT_REDIRECT -m comment --comment "envoy/install-envoy-out-redirect"
+
+ # Redirect app calls back to itself via Envoy when using the service VIP or
+ # endpoint address, e.g. appN => Envoy (client) => Envoy (server) => appN.
+ iptables -t nat -A ENVOY_OUT_REDIRECT -o lo ! -d 127.0.0.1/32 -j ENVOY_IN_REDIRECT -m comment --comment "envoy/redirect-implicit-loopback"
+
+ # Avoid infinite loops. Don't redirect Envoy traffic directly back to Envoy for
+ # non-loopback traffic.
+ iptables -t nat -A ENVOY_OUT_REDIRECT -m owner --uid-owner ${ENVOY_UID} -j RETURN -m comment --comment "envoy/outbound-bypass-envoy"
+
+ # Skip redirection for Envoy-aware applications and container-to-container
+ # traffic both of which explicitly use localhost.
+ iptables -t nat -A ENVOY_OUT_REDIRECT -d 127.0.0.1/32 -j RETURN -m comment --comment "envoy/bypass-explicit-loopback"
+
+ # All outbound traffic will be redirected to Envoy by default. If
+ # IP_RANGES_INCLUDE is non-empty, only traffic bound for the destinations
+ # specified in this list will be captured.
+ IFS=,
+ if [ "${IP_RANGES_INCLUDE}" != "" ]; then
+ for cidr in ${IP_RANGES_INCLUDE}; do
+ iptables -t nat -A ENVOY_OUT_REDIRECT -d ${cidr} -p tcp -j REDIRECT --to-port ${ENVOY_OUT_PORT} -m comment --comment "envoy/redirect-ip-range-${cidr}"
+ done
+ iptables -t nat -A ENVOY_OUT_REDIRECT -p tcp -j RETURN -m comment --comment "envoy/bypass-default-outbound"
+ else
+ iptables -t nat -A ENVOY_OUT_REDIRECT -p tcp -j REDIRECT --to-port ${ENVOY_OUT_PORT} -m comment --comment "envoy/redirect-default-outbound"
+ #iptables -t nat -A ENVOY_OUT_REDIRECT -p tcp -j RETURN -m comment --comment "envoy/bypass-default-outbound"
+ fi
+fi
+
+exit 0
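Review bot: `if [[ WHITELIST_PORTS != "" ]]; then` compares the literal word `WHITELIST_PORTS` with the empty string, so the test is always true; it only behaves because the loop over an empty `${WHITELIST_PORTS}` has nothing to iterate, and it should read `if [[ "${WHITELIST_PORTS}" != "" ]]; then`. The values taken from `-p`, `-o`, `-u`, `-i` and `-w` are spliced unquoted into iptables arguments with no validation, so a non-numeric port or UID is caught only by iptables itself, after `iptables -t nat -N ENVOY_IN_REDIRECT` has already run and errexit then leaves a half-built chain behind; a check such as `[[ "${ENVOY_UID}" =~ ^[0-9]+$ ]] || { echo "-u must be a numeric UID" >&2; exit 1; }` (and the same shape for the two ports) placed right after the `-p`/`-u` presence check would fail before any rule is installed. The optstring declares `e:` but no `e)` arm consumes it, and because the optstring starts with `:` a missing option argument yields `opt=':'`, which no arm handles either, so `-p` without a value is silently dropped until the presence check; adding `:) echo "Option -$OPTARG requires an argument" >&2; usage; exit 1 ;;` reports it directly. `IFS=,` is set for the whitelist loop and never restored, which is harmless today because only comma-separated expansions follow, but a comment such as `# IFS stays ',' from here on; only comma-separated lists are word-split below` would keep the next edit from word-splitting on it unexpectedly.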