private-net: should forwarded ports work on localhost? #1256
Comments
Do you have an example of commands to show what is not available? I tried the following:
It exposes the port 6379:
And then on the host: I also tried to setup a ssh forwarded port with |
Oh sorry, I should not use the defaut network namespace for testing this. So the full command I tried is:
And then I have the behavior you described when trying with Do you know if kube-proxy uses localhost to connect to a kubernetes endpoint? |
@eyakubovich @steveej ping? |
I'm okay with the current behavior as I would not expect it to behave differently. I brought up the question to see what the general assumption would be. We have to make the decision if we leave it as is (my vote) or if we enable NAT loopback. |
It seems pretty unintuitive to me. Can you help explain your vote? |
I was bitten by this yesterday. I think the principle of least surprise would dictate that the forwarded port is also reachable via localhost. I'd be fine with it being a runtime option (to |
I was debugging this for a few hours yesterday, trying to reach a specific container from the host is really hard without doing this, I don't think there's any disadvantage to making it work on localhost. |
@blalor @yorickvP thanks for your feedback on this, supporting @jonboulle's intuition. This topic has come up often enough lately to convince me that we should have NAT loopback. |
@steveej Any chance we can get this for the next release? |
@iaguis it looks like we're having trouble getting this in at all. Rewriting localhost:forwarded-port -> container-IP:forwarded-port doesn't work by design with iptables. As an example, the following rule
Will be matched, but it will leave the package destination unchanged, as can be seen in the TRACE output:
Any suggestions are welcome! UPDATE: Fortunately I was wrong with my conclusion from last evening. I'll prepare a PR with a proposal. |
Currently ports that are forwarded to containers are not accessible on the host via localhost:forwarded-port. It would be possible to do enable that and the technique is generally called NAT loopback.
It's a matter of choice if we want to change this or not so I want to bring it up for discussion.
Personally I'm unsure if we need it, but it could help in situations when service discovery is not there and the host expects a service on localhost while the container is not supposed to share the host netns.
The text was updated successfully, but these errors were encountered: