DocsTelepresenceNetworking through Virtual Network Interface
Networking through Virtual Network Interface
The Telepresence daemon process creates a Virtual Network Interface (VIF) when Telepresence connects to the cluster. The VIF ensures that the cluster's subnets are available to the workstation. It also intercepts DNS requests and forwards them to the traffic-manager which in turn forwards them to intercepted agents, if any, or performs a host lookup by itself.
TUN-Device
The VIF is a TUN-device, which means that it communicates with the workstation in terms of L3 IP-packets. The router will recognize UDP and TCP packets and tunnel their payload to the traffic-manager via its encrypted gRPC API. The traffic-manager will then establish corresponding connections in the cluster. All protocol negotiation takes place in the client because the VIF takes care of the L3 to L4 translation (i.e. the tunnel is L4, not L3).
Gains when using the VIF
Both TCP and UDP
The TUN-device is capable of routing both TCP and UDP traffic.
No SSH required
The VIF approach is somewhat similar to using sshuttle
but without
any requirements for extra software, configuration or connections.
Using the VIF means that only one single connection needs to be
forwarded through the Kubernetes apiserver (à la kubectl
port-forward
), using only one single port. There is no need for
ssh
in the client nor for sshd
in the traffic-manager. This also
means that the traffic-manager container can run as the default user.
sshfs without ssh encryption
When a POD is intercepted, and its volumes are mounted on the local machine, this mount is performed by sshfs. Telepresence will run sshfs -o slave
which means that instead of using ssh
to establish an encrypted communication to an sshd
, which in turn terminates the encryption and forwards to sftp
, the sshfs
will talk sftp
directly on its stdin/stdout
pair. Telepresence tunnels that directly to an sftp
in the agent using its already encrypted gRPC API. As a result, no sshd
is needed in client nor in the traffic-agent, and the traffic-agent container can run as the default user.
No Firewall rules
With the VIF in place, there's no longer any need to tamper with firewalls in order to establish IP routes. The VIF makes the cluster subnets available during connect, and the kernel will perform the routing automatically. When the session ends, the kernel is also responsible for cleaning up.