The Telepresence daemon process creates a Virtual Network Interface (VIF) when Telepresence connects to the cluster. The VIF ensures that the cluster's subnets are available to the workstation. It also intercepts DNS requests and forwards them to the traffic-manager which in turn forwards them to intercepted agents, if any, or performs a host lookup by itself.
The VIF is a TUN-device, which means that it communicates with the workstation in terms of L3 IP-packets. The router will recognize UDP and TCP packets and tunnel their payload to the traffic-manager via its encrypted gRPC API. The traffic-manager will then establish corresponding connections in the cluster. All protocol negotiation takes place in the client because the VIF takes care of the L3 to L4 translation (i.e. the tunnel is L4, not L3).
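The L3 to L4 translation described above is the core of what the router does with each packet read from the TUN device: parse the IPv4 header, keep only TCP and UDP, and hand the 4-tuple plus payload to the tunnel. The following is an added Go example (not Telepresence's own code) that performs that classification on constructed sample packets. The cluster DNS address `10.96.0.10` and all ports in the samples are assumptions for illustration, and non-TCP/UDP traffic such as ICMP is reported as not routed rather than tunneled, matching the behaviour the page describes.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
)

// L4Conn is what the tunnel needs per packet: the L4 endpoints and the
// payload. The rest of the L3 header is consumed on the workstation side.
type L4Conn struct {
	Proto   string // "tcp" or "udp"
	Src     netip.AddrPort
	Dst     netip.AddrPort
	Payload []byte
}

// ErrNotRouted marks packets (e.g. ICMP) that the L4 tunnel does not carry.
var ErrNotRouted = errors.New("packet is not TCP or UDP; not tunneled")

func addr4(b []byte) netip.Addr {
	var a [4]byte
	copy(a[:], b)
	return netip.AddrFrom4(a)
}

// ClassifyIPv4 parses a raw IPv4 packet as read from a TUN device and returns
// the L4 tuple and payload for TCP and UDP, or ErrNotRouted for anything else.
// Malformed packets are rejected rather than partially interpreted.
func ClassifyIPv4(pkt []byte) (*L4Conn, error) {
	if len(pkt) < 20 || pkt[0]>>4 != 4 {
		return nil, errors.New("not an IPv4 packet")
	}
	ihl := int(pkt[0]&0x0f) * 4
	totalLen := int(binary.BigEndian.Uint16(pkt[2:4]))
	if ihl < 20 || totalLen < ihl || totalLen > len(pkt) {
		return nil, errors.New("bad IPv4 header lengths")
	}
	// Non-initial fragments carry no L4 header, so there is nothing to tunnel.
	if binary.BigEndian.Uint16(pkt[6:8])&0x1fff != 0 {
		return nil, errors.New("non-initial fragment")
	}
	src, dst := addr4(pkt[12:16]), addr4(pkt[16:20])
	l4 := pkt[ihl:totalLen]

	switch pkt[9] { // protocol field
	case 6: // TCP
		if len(l4) < 20 {
			return nil, errors.New("short TCP header")
		}
		doff := int(l4[12]>>4) * 4 // data offset in bytes
		if doff < 20 || doff > len(l4) {
			return nil, errors.New("bad TCP data offset")
		}
		return &L4Conn{"tcp",
			netip.AddrPortFrom(src, binary.BigEndian.Uint16(l4[0:2])),
			netip.AddrPortFrom(dst, binary.BigEndian.Uint16(l4[2:4])),
			l4[doff:]}, nil
	case 17: // UDP
		if len(l4) < 8 {
			return nil, errors.New("short UDP header")
		}
		ulen := int(binary.BigEndian.Uint16(l4[4:6]))
		if ulen < 8 || ulen > len(l4) {
			return nil, errors.New("bad UDP length")
		}
		return &L4Conn{"udp",
			netip.AddrPortFrom(src, binary.BigEndian.Uint16(l4[0:2])),
			netip.AddrPortFrom(dst, binary.BigEndian.Uint16(l4[2:4])),
			l4[8:ulen]}, nil
	default:
		return nil, ErrNotRouted
	}
}

// buildIPv4 constructs a minimal IPv4 packet (IHL=5, no options, checksum
// left zero since this example does not verify it) around an L4 segment.
func buildIPv4(proto byte, src, dst [4]byte, l4 []byte) []byte {
	hdr := make([]byte, 20)
	hdr[0], hdr[8], hdr[9] = 0x45, 64, proto
	binary.BigEndian.PutUint16(hdr[2:4], uint16(20+len(l4)))
	copy(hdr[12:16], src[:])
	copy(hdr[16:20], dst[:])
	return append(hdr, l4...)
}

// SampleDNSQuery is a constructed UDP packet from a workstation address to an
// assumed cluster DNS address 10.96.0.10:53 with an opaque payload.
func SampleDNSQuery() []byte {
	payload := []byte("constructed-dns-query")
	udp := make([]byte, 8)
	binary.BigEndian.PutUint16(udp[0:2], 40000)
	binary.BigEndian.PutUint16(udp[2:4], 53)
	binary.BigEndian.PutUint16(udp[4:6], uint16(8+len(payload)))
	return buildIPv4(17, [4]byte{10, 1, 2, 3}, [4]byte{10, 96, 0, 10}, append(udp, payload...))
}

// SampleTCPSyn is a constructed TCP SYN (20-byte header, no payload) to port 443.
func SampleTCPSyn() []byte {
	tcp := make([]byte, 20)
	binary.BigEndian.PutUint16(tcp[0:2], 51000)
	binary.BigEndian.PutUint16(tcp[2:4], 443)
	tcp[12], tcp[13] = 0x50, 0x02 // data offset 5 words, SYN flag
	return buildIPv4(6, [4]byte{10, 1, 2, 3}, [4]byte{10, 96, 5, 7}, tcp)
}

// SampleICMPEcho is a constructed ICMP echo request, which the router drops.
func SampleICMPEcho() []byte {
	return buildIPv4(1, [4]byte{10, 1, 2, 3}, [4]byte{10, 96, 5, 7}, []byte{8, 0, 0, 0, 0, 1, 0, 1})
}

func main() {
	for _, pkt := range [][]byte{SampleDNSQuery(), SampleTCPSyn(), SampleICMPEcho()} {
		c, err := ClassifyIPv4(pkt)
		if err != nil {
			fmt.Println("dropped:", err)
			continue
		}
		fmt.Printf("tunnel %s %s -> %s (%d payload bytes)\n", c.Proto, c.Src, c.Dst, len(c.Payload))
	}
}
```

The checks on IHL, total length, fragment offset and TCP data offset matter because a TUN device hands the router raw bytes from the kernel; a router that trusted those fields blindly would read past the end of a short packet or tunnel a truncated L4 segment.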
The TUN-device is capable of routing both TCP and UDP for outbound traffic. Earlier versions of Telepresence would only allow TCP. Future enhancements might be to also route inbound UDP, and perhaps a selection of ICMP packets (to allow for things like
The VIF approach is somewhat similar to using `sshuttle`, but without any requirements for extra software, configuration or connections. Using the VIF means that only one single connection needs to be forwarded through the Kubernetes apiserver (à la `port-forward`), using only one single port. There is no need for `ssh` in the client nor for `sshd` in the traffic-manager. This also means that the traffic-manager container can run as the default user.
When a pod is intercepted and its volumes are mounted on the local machine, the mount is performed by `sshfs`. Telepresence runs `sshfs -o slave`, which means that instead of using `ssh` to establish an encrypted connection to an `sshd`, which in turn terminates the encryption and forwards to an `sftp` server, `sshfs` talks `sftp` directly on its `stdin`/`stdout` pair. Telepresence tunnels that directly to an `sftp` server in the agent using its already encrypted gRPC API. As a result, no `sshd` is needed in the client nor in the traffic-agent, and the traffic-agent container can run as the default user.
With the VIF in place, there's no longer any need to tamper with firewalls in order to establish IP routes. The VIF makes the cluster subnets available during connect, and the kernel will perform the routing automatically. When the session ends, the kernel is also responsible for cleaning up.