Add portforward support.

[Random-Liu]

Add port forward support. The implementation is the same with the dockershim.

Signed-off-by: Lantao Liu [email protected]

[AkihiroSuda]

port <= 0 ?

[Random-Liu]

The orignal code in kubelet is using port < 0. However, you are right, we should check ==0 as well. Will update.

[Random-Liu]

Done.

[mikebrow]

Comment does not follow what is happening in the api. Currently it's validating that the sandbox is running then returns the serving URL for specified streaming port.

[Random-Liu]

The comment is the same with dockershim https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/dockershim/docker_streaming.go#L115.
And I think it explains what the function is doing. :)

[mikebrow]

ok I'm confused .. where does the api "prepare a streaming endpoint to forward ports from a PodSandbox" all I see is ensuring the running state for the sandbox and calling GetPortForward which I presume just does a get?

[Random-Liu]

GetPortForward prepares the streaming endpoint and returns the URL.

[mikebrow]

kk thx!

[mikebrow]

should this api be here or over in streaming.go

[Random-Liu]

I put attach, portForward and exec in corresponding source file.

[mikebrow]

Don't understand the answer. There is a PortForward api in streaming.go that calls portForward. The PortForward api in sandbox_portforward.go does not call portForward. Thus my question.

[mikebrow]

Curious.. why all the above validation on the running status? Are there expected errors if the sandbox isn't running?

[Random-Liu]

Portforward nsenters a the pause container namespace, and running a socat server to do portforwarding.

I believe this requires the pause container is running, because we use the pid to find it's namespace.

We could probably use permanent network namespace to prevent this in the future.

[mikebrow]

Does the GetPortForward api require we make sure this is the case, or will it return an appropriate error if we have not. IOW are we double checking what the API is going to check anyway?

[Random-Liu]

streamServer doesn't even know CRI, it can't check container status.

[mikebrow]

not what I meant but ok..

I presumed you wanted to ensure there is a pid and associated namespace before calling.. and also presumed that the streamServer would also check and return an error message if not vs using a static table of some sort. But I'm not looking at it's code so..

[mikebrow]

I see.. one of "those" apis :-) should probably be called Reserve instead of Get.. now it makes sense.

[abhi]

Just for my understanding :
Even if the task is paused/stopped the namespace is still available to nsenter right?
How is this supposed to work with windows in the future.

[Random-Liu]

Even if the task is paused/stopped the namespace is still available to nsenter right?

Offline talked with @yujuhong. Yeah, we only need network namespace here. I had a concern that we run a pod specific process but only in its network namespace, it means that the process could access other host namespaces. However, socat is on the node, the cluster admin should make sure it's friendly. :)

Actually, there are other issues with the current solution - the socat is not in pod cgroup, so the resource usage will be charged to the system.

How is this supposed to work with windows in the future.

@abhinandanpb Good question. Currently, Kubelet only has limited windows support. Many critical kubelet features doesn't have corresponding windows support, e.g. pod level cgroup, cadvisor monitoring etc. There is an ongoing effort to make kubelet work better on windows.

Actually, we should be able to run a port forward container inside the pod sandbox to do port forward, which makes more sense because:

1. The resource overhead will be charged to the pod;
2. If containerd container exec support different platforms, this solution could be platform agnostic.

I'll add a TODO here, we could do this in near future. :)

[Random-Liu]

Done.

[abhi]

got it. Thanks for explaining.

[mikebrow]

maybe some explanation about what the api does.

[Random-Liu]

Will do.

[Random-Liu]

Done.

[mikebrow]

maybe a comment or pointer about the options being used.

[Random-Liu]

Good idea. Will do.

[Random-Liu]

Done.

[mikebrow]

should we use a channel to wait on the go func io.Copy err? Maybe pipe the err in the go func after the in.Close() call and wait on the channel before the final return..?

[Random-Liu]

I think we want the goroutine to keep serving even after the function returns, until the client disconnects.

[mikebrow]

kk didn't know that was a long running task. Maybe a comment about that..

[Random-Liu]

I'll add some comment to describe what port forward is doing.

[Random-Liu]

Actually, you are correct, we should wait on the go func. Will update.

[Random-Liu]

The implementation is the same with https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/dockershim/docker_streaming.go#L162. And based on the original comment and code analysis, the code should be safe.

I added more logs so that if in the future there are any problem, we could figure it out.

[mikebrow]

Logging works if we have the right test buckets... hate leaving what might be a dangling pipe thread but at least we'll have an unbalanced lvl 4 log to identify it if it happens.

[Random-Liu]

@mikebrow Run already contains a Wait, and the wait makes sure that the stream will be closed. And there is no context passed in by streaming server, so there is no cancellation, either.

If we don't use Run and a context is passed in, I'd prefer adding a channel and do select. :)

[mikebrow]

Makes sense.

[mikebrow]

See comments.

[Random-Liu]

@mikebrow Addressed comments.

[mikebrow]

/LGTM

[abhi]

Can you please add a TODO to replace this with client API

[abhi]

or TODO to use permanent network namespace ( discussed below)

[Random-Liu]

Will do.

[Random-Liu]

Done.

[abhi]

Minor comments, LGTM

[Random-Liu]

@abhinandanpb Addressed comments. Thanks for reviewing!

[Random-Liu]

Just updated this PR to use the containerd client.