Limit connections #11255
Limit connections #11255
Conversation
| rule := fmt.Sprintf("add rule ip gitpod ratelimit ip protocol tcp ct state new meter connmeter { ip daddr & 0.0.0.0 timeout 1m limit rate over %d/minute } counter drop", limit) | ||
|
|
||
| // the go library does not support meters, so use nft instead | ||
| cmd := exec.CommandContext(ctx, "/usr/sbin/nft", rule) |
There was a problem hiding this comment.
What's the behavior when the version of nft on the host is different? (this is a known issue with k8s kubelet)
Edit: is kube-proxy not kubelet. Sorry.
There was a problem hiding this comment.
Can you explain what kind of issues have been observed in the context of kubelet? I was not able to find anything.
There was a problem hiding this comment.
@aledbf Are you ok with merging this or would you like to discuss it further?
There was a problem hiding this comment.
I am not sure we should merge this without knowing the behavior of different nftable versions and if there is any conflict with the CNI bandwidth plugin.
Did you test this change in an ephemeral cluster?
There was a problem hiding this comment.
We used nftables to replace slirp4net, if there is an issue with versions, would we have more fundamental issues with workspace networking?
- This makes me wonder if we should add related runtime tests for networking.
- I ask because I'm not sure what dimensions to consider.
@aledbf I like the idea of testing with an ephemeral cluster. Can you add a related test here, so we can have a repeatable way to do in the future?
@Furisto let's leave on-hold till we've had a chance to test in an ephemeral cluster (to test for impacts to CNI bandwidth plugin).
jenting
left a comment
There was a problem hiding this comment.
LGTM, but I would ❤️ to have the release note for this one.
| rule := fmt.Sprintf("add rule ip gitpod ratelimit ip protocol tcp ct state new meter connmeter { ip daddr & 0.0.0.0 timeout 1m limit rate over %d/minute } counter drop", limit) | ||
|
|
||
| // the go library does not support meters, so use nft instead | ||
| cmd := exec.CommandContext(ctx, "/usr/sbin/nft", rule) |
There was a problem hiding this comment.
Since this function runs before pivot_root, I believe it is safe to specify the nftable bin with the complete path at this stage. Am I right? If yes, please add a comment that why it is safe to run.
There was a problem hiding this comment.
I'm concerned that the user may be able to override this bin with a custom image.
There was a problem hiding this comment.
We do not enter the mount namespace of the workspace, only the network namespace. The binary is part of ws-daemon.
There was a problem hiding this comment.
💯 Can I ask you to add a comment about that? Why? I think this is a very important security point that is difficult to see from the code.
| func addConnectionLimitRule(limit int) error { | ||
| ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second) | ||
| defer cancel() | ||
| rule := fmt.Sprintf("add rule ip gitpod ratelimit ip protocol tcp ct state new meter connmeter { ip daddr & 0.0.0.0 timeout 1m limit rate over %d/minute } counter drop", limit) |
There was a problem hiding this comment.
Can we use set syntax instead of meter as official documentation says here?
https://wiki.nftables.org/wiki-nftables/index.php/Meters
Note that the meter keyword is obsolete, the dynamic set and map syntax is now preferred for consistency.
There was a problem hiding this comment.
I think we can. Thanks for the hint. I also will update this rule to use a named counter, so that we can scrape metrics about dropped packets more easily.
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
geropl
left a comment
There was a problem hiding this comment.
Reviewed ws-manager-api per code owners: change LGTM
|
/werft run 👍 started the job as gitpod-build-fo-connlimit.32 |
5cd2b02 to
4f415dc
Compare
|
/werft run with-clean-slate-deployment 👍 started the job as gitpod-build-fo-connlimit.37 |
|
@utam0k PTAL |
|
/unhold |
Description
Introduce limiting of new connections created per minute. For more info see the RFC.
Related Issue(s)
Related to #10651
How to test
nsenter -t workspacekitPid -nandnft list ruleset)kubectl port-forward ds/ws-daemon 9500:9500,then get the metrics withcurl -XGET localhost:9500/metricsRelease Notes
Werft options: