This repository has been archived by the owner on Oct 30, 2021. It is now read-only.
Container to oc port-forward with OpenShift

Usage

```shell
docker build . -t oc-port-forward-container

# Run the forwarder; OC_LOGIN carries the cluster credentials (see Login below)
# and OC_PORT_FORWARD_POD_NAME_PREFIX selects the pod to forward into.
docker run --rm -e "OC_LOGIN=..." -e "OC_PORT_FORWARD_POD_NAME_PREFIX=..." -p 25565:25565 oc-port-forward-container

# Interactive shell inside the image, e.g. for debugging:
docker run --rm -it oc-port-forward-container bash
```

Tips

Because the name of the pod being port-forwarded into changes whenever that pod is restarted or rescheduled, the tunnel inside this container silently goes stale. Configure a liveness probe in your container platform (OpenShift, Kubernetes, Docker) that runs ./livenessProbe.sh (based on nmap) and restarts this container when the script exits with status 1 instead of 0.

Login

The OC_LOGIN value (above) should not be a regular user's (your own) login token, because those expire. Use a service account token instead:

```shell
oc create serviceaccount oc-port-forward-container
oc get clusterrole                                               # lists the roles that can be granted
oc policy add-role-to-user view -z oc-port-forward-container
oc policy add-role-to-user admin -z oc-port-forward-container    # see the note below
oc describe sa oc-port-forward-container                         # shows the name of the token secret
oc describe secret oc-port-forward-container-token-...           # the token value goes into OC_LOGIN
```

The admin role is granted because there is no built-in role that covers only port-forwarding. Be aware of what that costs: admin can create, change and delete most resources in the project, so a leaked service account token is a project-wide compromise, not just a tunnel. oc port-forward itself only needs the create verb on the pods/portforward subresource plus get on pods (which view already provides), so a custom Role restricted to those verbs is the least-privilege option.
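As an added example (this is not part of the repository), the least-privilege alternative to granting admin: a Role that allows exactly what `oc port-forward` and the pod lookup need, bound to the service account created above. The project name `minecraft`, the role name `pod-portforward` and the shell function names are assumptions; the service account name is the one used in the README.

```shell
#!/bin/sh
# Added example: least-privilege RBAC for the port-forward service account.
# oc port-forward does a GET on the pod and then a CREATE on the
# pods/portforward subresource; "list" on pods is what lets the container
# resolve a pod by name prefix. Nothing else is granted (no admin, no view).
set -eu

NAMESPACE="${NAMESPACE:-minecraft}"          # assumed project name
SA="${SA:-oc-port-forward-container}"        # service account name from the README
ROLE="pod-portforward"                       # assumed role name

# Print the Role manifest for the given namespace.
portforward_role_manifest() {
  ns="$1"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${ROLE}
  namespace: ${ns}
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]
- apiGroups: [""]
  resources: ["pods/portforward"]
  verbs: ["create"]
EOF
}

# Create the service account, the Role and the binding between them,
# then print the service account's token for use in OC_LOGIN.
create_portforward_rbac() {
  ns="$1"; sa="$2"
  oc create serviceaccount "$sa" -n "$ns"
  portforward_role_manifest "$ns" | oc apply -n "$ns" -f -
  oc create rolebinding "${sa}-${ROLE}" \
    --role="$ROLE" --serviceaccount="${ns}:${sa}" -n "$ns"
  # On OpenShift 4.11 and newer, "oc create token $sa -n $ns" issues a
  # short-lived token instead of reading the long-lived secret.
  oc serviceaccounts get-token "$sa" -n "$ns"
}

# Only touch the cluster when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
  create_portforward_rbac "$NAMESPACE" "$SA"
fi
```

Run it as `NAMESPACE=<project> sh setup-rbac.sh --apply` while logged in as a project admin; the printed token replaces the `oc describe secret ...` step above. If the token is ever exposed, the blast radius is one pod subresource in one project rather than the whole project.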

Implementation

We run oc port-forward inside this container. It listens only on the loopback interface (127.0.0.1 / [::1]), so nothing outside the container can reach it directly. We therefore also run socat in this container: it listens on port 25565 on the container's eth0 interface (the port that is EXPOSEd) and forwards each connection to port 25563 on loopback (127.0.0.1 / [::1]), where oc port-forward is listening.
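As an added example (not the repository's own entrypoint), the wiring described above as a POSIX shell script: it logs in with the service account credentials, resolves the pod by name prefix, runs oc port-forward on loopback port 25563 and puts socat in front of it on the container's 0.0.0.0:25565. It assumes OC_LOGIN holds the arguments for `oc login` (for example `--server=... --token=...`), that the pod serves Minecraft on 25565, and the function and variable names are mine.

```shell
#!/bin/sh
# Added example entrypoint: oc port-forward on loopback, socat in front of it.
# Assumptions: OC_LOGIN holds the arguments for "oc login" (e.g. --server=...
# --token=...), OC_PORT_FORWARD_POD_NAME_PREFIX is the start of the pod name,
# and the pod serves Minecraft on 25565.
set -eu

LISTEN_PORT=25565   # bound on eth0; what "docker run -p 25565:25565" maps
TUNNEL_PORT=25563   # loopback port that oc port-forward binds
POD_PORT=25565      # port inside the pod

# Pick the first Running pod whose name starts with the prefix. The pod name
# changes on every restart, which is why it is resolved at start-up.
select_pod() {
  prefix="$1"
  oc get pods --no-headers \
     -o custom-columns=NAME:.metadata.name,PHASE:.status.phase |
    awk -v p="$prefix" 'index($1, p) == 1 && $2 == "Running" { print $1; exit }'
}

# Forward eth0:LISTEN_PORT -> 127.0.0.1:TUNNEL_PORT -> pod:POD_PORT and exit
# non-zero when the tunnel dies, so the platform restarts the container.
run_forwarder() {
  # shellcheck disable=SC2086  # word-splitting of OC_LOGIN is intended
  oc login $OC_LOGIN >/dev/null
  pod=$(select_pod "$OC_PORT_FORWARD_POD_NAME_PREFIX")
  if [ -z "$pod" ]; then
    echo "no Running pod with prefix $OC_PORT_FORWARD_POD_NAME_PREFIX" >&2
    return 1
  fi
  echo "forwarding :$LISTEN_PORT -> 127.0.0.1:$TUNNEL_PORT -> $pod:$POD_PORT" >&2

  # oc port-forward binds loopback only; that is the default.
  oc port-forward "pod/$pod" "$TUNNEL_PORT:$POD_PORT" &
  pf=$!
  # socat is what actually listens on the container's eth0 interface.
  socat "TCP-LISTEN:$LISTEN_PORT,bind=0.0.0.0,reuseaddr,fork" \
        "TCP:127.0.0.1:$TUNNEL_PORT" &
  sc=$!
  trap 'kill "$pf" "$sc" 2>/dev/null' EXIT INT TERM

  # Returns only when oc port-forward exits (pod gone, token revoked, ...).
  wait "$pf" || true
  echo "oc port-forward exited; giving up so the container gets restarted" >&2
  return 1
}

# Run only when the container environment is present, so the functions can be
# sourced and exercised without touching a cluster.
if [ -n "${OC_LOGIN:-}" ] && [ -n "${OC_PORT_FORWARD_POD_NAME_PREFIX:-}" ]; then
  run_forwarder
fi
```

Because socat accepts the client's TCP connection before it opens the loopback side, a connection to 25565 succeeds even when oc port-forward has already died; that is why the script exits when port-forward does, and why the liveness probe below checks the Minecraft protocol rather than a bare TCP connect.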

The nmap used in ./livenessProbe.sh actually speaks the Minecraft protocol (its output, for example, reveals how many players are online). This is more reliable than just checking whether port 25565 accepts a TCP connection, because the socat listener accepts connections even when the oc port-forward tunnel behind it is dead.

Makes sense? ;-)

Background and why it does not "just" work...

Alternatives?

  • iptables-based port forward inside the container: requires --privileged (or at least --cap-add=NET_ADMIN), which is a no-go. The attempted rule and the resulting error:
    # iptables -t nat -A PREROUTING -p tcp -i eth0 --dst 127.0.0.1 --dport 25565 -j REDIRECT --to-ports 25565 ???
    iptables v1.4.21: can't initialize iptables table `nat': Permission denied (you must be root)
    Perhaps iptables or your kernel needs to be upgraded.
  • WebSocket instead of SPDY: kubernetes/kubernetes#33684; supported in the Java client: kubernetes-client/java#91