Unix Domain Socket

[erkerb4]

Hello,

I am looking into deploying a pinniped-supervisor which suggests using Unix Domain Sockets to expose the HTTP service when used along with a service mesh. I've looked at the docs, but I am uncertain if I used the right strings to find the information. Is it possible to use UDS endpoint on a service with LinkerD?

There is also another comment at the end of the doc "For service meshes that do not support Unix domain sockets, the http listener should be configured to listen on 127.0.0.1." I am uncertain if there is anything special there. Would linkerd be able to route to service, if service is only listening on 127.0.0.1?

Thank you!

[olix0r]

Linkerd doesn't currently support proxying connections onto UDS. Clients have to target a specific port and the proxy would have to know how to map ports to Unix Domain Sockets. Furthermore, the pod would have be configured to have a shared volume so that the proxy can access these sockets. This configuration overhead is not trivial.

As of Linkerd 2.11, Linkerd will not forward incoming traffic to sockets bound on the loopback interface (127.0.0.1) because this is in itself a security risk: if you're binding an application on the loopback interface you're explicitly saying that the port should not be exposed to connections from other pods.

However, Linkerd 2.11 adds Server and ServerAuthorization resources that can be used to ensure that the proxy only permits mTLS traffic to a given port (https://linkerd.io/2.11/features/server-policy/). This should make it possible to prevent unmeshed traffic from reaching pinniped's port.

[erkerb4]

Thank you very much for taking the time to explain @olix0r.

Since this specific application (pinniped-supervisor) is deprecating communications over HTTP port, and recommending use of HTTPS, would it be a better fit for this application to be not included in mesh? I guess I am trying to understand in general, if a given service does not provide an HTTP endpoint, then would it be better to not include that service in the mesh?

[olix0r]

There shouldn't be any problem running the proxy with an HTTPS service, but it may not be necessary, either. it depends what you want out of the mesh. With the proxy, you'll get TCP metrics, authorization polices, topology views, etc. Or you can omit them from the mesh if all you really want from it is TLS.

[erkerb4]

Understood, thank you again @olix0r.