Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs: add guide for excluding traffic from transparent proxy redirection #2219

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
+137 −0
Open

docs: add guide for excluding traffic from transparent proxy redirection #2219

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
89f491b
docs: add guide for excluding traffic from transparent proxy redirection
bartsmykla Mar 7, 2025
6af4920
Merge remote-tracking branch 'upstream' into docs/add-exclude-traffic…
bartsmykla Mar 7, 2025
745b46e
Merge remote-tracking branch 'upstream' into docs/add-exclude-traffic…
bartsmykla Mar 7, 2025
0cb8301
chore: adjust tabs according to latest changes in the tabs plugin
bartsmykla Mar 7, 2025
92a11ca
Merge remote-tracking branch 'upstream' into docs/add-exclude-traffic…
bartsmykla Mar 7, 2025
0b581bd
Merge remote-tracking branch 'upstream' into docs/add-exclude-traffic…
bartsmykla Mar 11, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions app/_data/docs_nav_kuma_2.10.x.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -504,6 +504,10 @@ items:
url: /guides/progressively-rolling-in-strict-mtls/
- text: Producer and consumer policies
url: /guides/consumer-producer-policies
- text: Upgrading Transparent Proxy
url: /guides/upgrading-transparent-proxy/
- text: Excluding Traffic from Transparent Proxy Redirection
url: /guides/excluding-traffic-from-transparent-proxy-redirection/
- title: Reference
group: true
items:
Expand Down
2 changes: 2 additions & 0 deletions app/_data/docs_nav_kuma_2.9.x.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -508,6 +508,8 @@ items:
url: /guides/consumer-producer-policies
- text: Upgrading Transparent Proxy
url: /guides/upgrading-transparent-proxy/
- text: Excluding Traffic from Transparent Proxy Redirection
url: /guides/excluding-traffic-from-transparent-proxy-redirection/
- title: Reference
group: true
items:
Expand Down
131 changes: 131 additions & 0 deletions app/_src/guides/excluding-traffic-from-transparent-proxy-redirection.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,131 @@
---
title: Excluding Traffic from Transparent Proxy Redirection
content_type: tutorial
---

{% capture docs %}/docs/{{ page.release }}{% endcapture %}
{% assign Kuma = site.mesh_product_name %}

This guide will show you how to exclude specific types of traffic from being redirected by the transparent proxy. It includes instructions for both **Universal** and a **Kubernetes** modes and covers different types of traffic you might want to exclude, such as:

- [Exclude traffic on certain ports (incoming & outgoing)](#exclude-traffic-on-certain-ports)
- [Exclude traffic to and from specific IP addresses](#exclude-traffic-to-and-from-specific-ip-addresses)

Use this guide to control which traffic the transparent proxy intercepts and which it allows through directly.

## Terminology overview
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we split this terminology overview between kubernetes and universal? Do we even need it, I guess these are core concepts of Kubernetes and users should be familiar with them when they start playing with service mesh

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I noticed that the three concepts "Workload", "ConfigMap", "Service" aren't mentioned in the following guides, do we really need this paragraph ?


- **Workload**: In this guide, **workload** refers to an application running in a Kubernetes cluster, usually represented by a [**Pod**](https://kubernetes.io/docs/concepts/workloads/pods/). Kubernetes resources like [**Deployment**](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/), [**ReplicaSet**](https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/), and [**StatefulSet**](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/) are used to define and manage these workloads, resulting in one or more **Pods** where the application actually runs.

- **ConfigMap**: In this guide, **ConfigMap** refers to the Kubernetes [**ConfigMap**](https://kubernetes.io/docs/concepts/configuration/configmap/) resource. It’s used to store configuration data as key-value pairs that can be easily accessed by other resources in the cluster, such as Pods, Deployments, and StatefulSets.

- **Service**: In this guide, **service** means the application running in a Universal mode environment where the transparent proxy will be installed. This term does not refer to Kubernetes [**Service**](https://kubernetes.io/docs/concepts/services-networking/service/) resources.

## Prerequisites

1. **Familiarity with transparent proxy:** You should already understand what a transparent proxy is, how to install it, and how to configure its settings.

Comment on lines +26 to +27
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should add a link that jumps to transparent section

2. **Set up {{ Kuma }}**: Ensure {{ Kuma }} is installed and running.

{% capture prerequisites-setup-kuma %}
{% tabs %}
{% tab Kubernetes %}
Follow the [Kubernetes Quickstart]({{ docs }}/quickstart/kubernetes-demo/) guide to set up a zone control plane and demo application.
{% endtab %}
{% tab Universal %}
Confirm that all necessary components are up and running. The following resources may be useful:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wouldn't it be enought. to just link to universal quickstart or docker quickstart?


- To set up a single-zone control plane, follow the [Single Zone Control Plane Deployment]({{ docs }}/production/cp-deployment/single-zone/) guide.

- To generate a data plane proxy token (needed to authorize data plane proxies), refer to [Data Plane Proxy Token]({{ docs }}/production/secure-deployment/dp-auth/#data-plane-proxy-token) documentation.

- To set up your service environment and start the data plane proxy, follow the steps in the quickstart guide.
{% endtab %}
{% endtabs %}
{% endcapture %}
{{ prerequisites-setup-kuma | indent }}

## Exclude traffic on certain ports

This example shows how to exclude incoming traffic on port `1234` and outgoing traffic on ports `5678` and `8900`.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd recommend emphasize the intercept concept, same as the latter "Exclude traffic to and from specific IP addresses" section

Suggested change
This example shows how to exclude incoming traffic on port `1234` and outgoing traffic on ports `5678` and `8900`.
This example demonstrates how to configure the transparent proxy to exclude incoming traffic on port 1234 and outgoing traffic on ports 5678 and 8900 from being intercepted.


{% tabs %}
{% tab Kubernetes %}
To exclude these ports in Kubernetes mode, add the `traffic.kuma.io/exclude-inbound-ports` annotation for incoming traffic and `traffic.kuma.io/exclude-outbound-ports` for outgoing traffic. For example, your Pod configuration could look like this:

```yaml
apiVersion: apps/v1
kind: Pod
metadata:
name: example-app
annotations:
traffic.kuma.io/exclude-inbound-ports: "1234"
traffic.kuma.io/exclude-outbound-ports: "5678,8900"
...
```

You can add these annotations manually in your Kubernetes manifests or by using below command:

```sh
kubectl annotate pods example-app \
"traffic.kuma.io/exclude-inbound-ports=1234" \
"traffic.kuma.io/exclude-outbound-ports=5678,8900"
```
Comment on lines +67 to +73
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest removing these because the user would edit the annotations in controller(deployment, statefulset) in the main use cases.

With the above Pod yaml, it's enough to make the user understand the usage of our annotations.

{% endtab %}

{% tab Universal %}
To exclude specific ports in Universal mode, configure the transparent proxy with `redirect.inbound.excludePorts` and `redirect.outbound.excludePorts` settings. Here’s an example:

```sh
echo "
redirect:
inbound:
excludePorts: [1234]
outbound:
excludePorts: [5678, 8900]
" | kumactl install transparent-proxy --config-file -
```
{% endtab %}
{% endtabs %}

## Exclude traffic to and from specific IP addresses

This example shows how to exclude incoming traffic coming from addresses in range `10.0.0.0/8` and outgoing traffic directed to address `192.168.10.1` or addresses in range `fd10::/16`.

{% tabs %}
{% tab Kubernetes %}
To exclude these addresses in Kubernetes mode, add the `traffic.kuma.io/exclude-inbound-ips` annotation for incoming traffic and `traffic.kuma.io/exclude-outbound-ips` for outgoing traffic. For example, your Pod configuration could look like this:

```yaml
apiVersion: apps/v1
kind: Pod
metadata:
name: example-app
annotations:
traffic.kuma.io/exclude-inbound-ips: "10.0.0.0/8"
traffic.kuma.io/exclude-outbound-ips: "192.168.10.1,fd10::/16"
...
```

You can add these annotations manually in your Kubernetes manifests or by using below command:

```sh
kubectl annotate pods example-app \
"traffic.kuma.io/exclude-inbound-ips=10.0.0.0/8" \
"traffic.kuma.io/exclude-outbound-ips=192.168.10.1,fd10::/16"
```
{% endtab %}
{% tab Universal %}
To exclude these addresses in Universal mode, configure the transparent proxy with `redirect.inbound.excludePortsForIPs` and `redirect.outbound.excludePortsForIPs` settings. Here’s an example:

```sh
echo "
redirect:
inbound:
excludePortsForIPs: [10.0.0.0/8]
outbound:
excludePortsForIPs: [192.168.10.1, fd10::/16]
" | kumactl install transparent-proxy --config-file -
```
{% endtab %}
{% endtabs %}
Loading