kumactl install transparent-proxy
Install Transparent Proxy pre-requisites on the host
Install Transparent Proxy by modifying the hosts iptables.
Follow the following steps to use the Kuma data plane proxy in Transparent Proxy mode:
1) create a dedicated user for the Kuma data plane proxy, e.g. ‘kuma-dp’ 2) run this command as a ‘root’ user to modify the host’s iptables and /etc/resolv.conf - supply the dedicated username with ‘–kuma-dp-uid’ - all changes are easly revertible by issuing ‘kumactl uninstall transparent-proxy’ - by default the SSH port tcp/22 will not be redirected to Envoy, but everything else will. Use ‘–exclude-inbound-ports’ to provide a comma separated list of ports that should also be excluded
sudo kumactl install transparent-proxy
3) prepare a Dataplane resource yaml like this:
type: Dataplane mesh: default name: networking: address: inbound:
- port: tags: kuma.io/service: demo-client transparentProxying: redirectPortInbound: 15006 redirectPortOutbound: 15001
The values in ‘transparentProxying’ section are the defaults set by this command and if needed be changed by supplying ‘–redirect-inbound-port’ and ‘–redirect-outbound-port’ respectively.
4) the kuma-dp command shall be run with the designated user. - if using systemd to run add ‘User=kuma-dp’ in the ‘[Service]’ section of the service file - leverage ‘runuser’ similar to (assuming aforementioned yaml):
runuser -u kuma-dp –
kumactl install transparent-proxy [flags]
--dry-run dry run --ebpf-bpffs-path string the path of the BPF filesystem (default "/sys/fs/bpf") --ebpf-cgroup-path string the path of cgroup2 (default "/sys/fs/cgroup") --ebpf-enabled use ebpf instead of iptables to install transparent proxy --ebpf-instance-ip string IP address of the instance (pod/vm) where transparent proxy will be installed --ebpf-programs-source-path string path where compiled ebpf programs and other necessary for ebpf mode files can be found (default "/kong-mesh/ebpf") --ebpf-tc-attach-iface string name of the interface which TC eBPF programs should be attached to --exclude-inbound-ports string a comma separated list of inbound ports to exclude from redirect to Envoy --exclude-outbound-ports string a comma separated list of outbound ports to exclude from redirect to Envoy --exclude-outbound-tcp-ports-for-uids stringArray tcp outbound ports to exclude for specific UIDs in a format of ports:uids where both ports and uids can be a single value, a list, a range or a combination of all, e.g. 3000-5000:103,104,106-108 would mean exclude ports from 3000 to 5000 for UIDs 103, 104, 106, 107, 108 --exclude-outbound-udp-ports-for-uids stringArray udp outbound ports to exclude for specific UIDs in a format of ports:uids where both ports and uids can be a single value, a list, a range or a combination of all, e.g. 3000-5000:103,104,106-108 would mean exclude ports from 3000 to 5000 for UIDs 103, 104, 106, 107, 108 --experimental-transparent-proxy-engine use experimental transparent proxy engine -h, --help help for transparent-proxy --kuma-dp-uid string the UID of the user that will run kuma-dp --kuma-dp-user string the user that will run kuma-dp --redirect-all-dns-traffic redirect all DNS traffic to a specified port, unlike --redirect-dns this will not be limited to the dns servers identified in /etc/resolve.conf --redirect-dns redirect only DNS requests targeted to the servers listed in /etc/resolv.conf to a specified port --redirect-dns-port string the port where the DNS agent is listening (default "15053") --redirect-dns-upstream-target-chain string (optional) the iptables chain where the upstream DNS requests should be directed to. It is only applied for IP V4. Use with care. (default "RETURN") --redirect-inbound redirect the inbound traffic to the Envoy. Should be disabled for Gateway data plane proxies. (default true) --redirect-inbound-port networking.transparentProxying.redirectPortInbound inbound port redirected to Envoy, as specified in dataplane's networking.transparentProxying.redirectPortInbound (default "15006") --redirect-inbound-port-v6 networking.transparentProxying.redirectPortInboundV6 IPv6 inbound port redirected to Envoy, as specified in dataplane's networking.transparentProxying.redirectPortInboundV6 (default "15010") --redirect-outbound-port networking.transparentProxying.redirectPortOutbound outbound port redirected to Envoy, as specified in dataplane's networking.transparentProxying.redirectPortOutbound (default "15001") --skip-dns-conntrack-zone-split skip applying conntrack zone splitting iptables rules --store-firewalld store the iptables changes with firewalld --verbose verbose --vnet stringArray virtual networks in a format of interfaceNameRegex:CIDR split by ':' where interface name doesn't have to be exact name e.g. docker0:172.17.0.0/16, br+:172.18.0.0/16, iface:::1/64
Options inherited from parent commands
--api-timeout duration the timeout for api calls. It includes connection time, any redirects, and reading the response body. A timeout of zero means no timeout (default 1m0s) --config-file string path to the configuration file to use --log-level string log level: one of off|info|debug (default "off") --no-config if set no config file and config directory will be created
- kumactl install - Install various Kuma components.