âš“ kedge - Kubernetes Edge Proxy
kedge (verb) to move (a ship) by means of a line attached to a small anchor dropped at the distance and in the direction desired
Proxy for gRPC, HTTP (1.1/2) microservices with the aim to make cross-cluster
microservice communication simple to set up, and secure. All you need for it to work is:
TLS client certificates in your service pods and special dialer, a single L4 load balanced IP address in each cluster, and a kedge
server behind it.
The pain of cross-cluster Kubernetes communication
Kubernetes is great, if you have one cluster. If you want to have two or more, you need more advanced configuration. This project stems from the frustration of setting up communication between two K8S clusters. This requires a couple of things:
- cross-cluster networking - usually a complex process of setting up and maintaining IPSec bridges
- configuration of routing rules - each cluster needs to know about each other cluster's 3 (!) network ranges: host, pod and internal-service networks
- providing federated service discovery - either through the alpha-grade K8S Federation or CoreDNS stub zones
All these are subject to subtle interplays between routes, iptables
rules, DNS packets and MTU limits of IPSec tunnels,
which would make even a seasoned network engineer go gray.
At the same time, none of the existing service meshes or networking overlays provide an easy fix for this.
Kedge Design
Kedge is a reverse/forward proxy for gRPC and HTTP traffic.
It uses a concept of backends (see gRPC, HTTP)
that map onto K8S Services
. These define load balancing policies,
middleware used for calls, and resolution. The backends have "warm" connections ready to receive inbound requests.
The inbound requests are directed to backends based on routes (see gRPC, HTTP). These match onto requests based on host, paths (services), headers (metadata). They also specify authorization requirements for the route to be taken.
Kedge can be accessed then:
Using native kedge http.Client inside caller library
Following diagram shows cross-cluster POD to POD communication using kEdge dialer.
Using Winch (local proxy to kedges)
Following diagram shows the routing done by forward proxy called winch (client). In this example kedge OIDC auth is enabled to support corp use cases (per backend access controlled by permissions stored in custom IDToked claim). It can be also switched to just client certificate verification as in the diagram above.
NOTE: Any auth which is required by Service B / Pod B needs to configured on winch due to clients blocking sending auth headers via plain HTTP, even over local network (e.g kubectl).
Usage
Kedge package is using Go modules for vendoring.
Please see
- the kedge for an actual guide.
- the winch (client) for a local forward proxy targeting kedge.
- end-to-end tests package for example on-button usage of winch + kedge.
Status
The project is still in beta state, however heavily tested and used on prod clusters. For status, see CHANGELOG
Wishlist
See Feature / Improvement issues for currently wanted features and improvements.
License
kedge
is released under the Apache 2.0 license. See LICENSE.txt.