{"id":13646404,"url":"https://github.com/improbable-eng/kedge","last_synced_at":"2025-04-21T18:30:57.079Z","repository":{"id":63054689,"uuid":"85936254","full_name":"improbable-eng/kedge","owner":"improbable-eng","description":"kEdge - Kubernetes Edge Proxy for gRPC and HTTP Microservices","archived":true,"fork":false,"pushed_at":"2020-10-12T16:19:20.000Z","size":4933,"stargazers_count":255,"open_issues_count":17,"forks_count":20,"subscribers_count":17,"default_branch":"master","last_synced_at":"2024-11-09T19:41:41.428Z","etag":null,"topics":["frontend","go","golang","k8s","kubernetes","proxy","reverse","tls"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/improbable-eng.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-03-23T10:21:29.000Z","updated_at":"2024-11-04T14:10:13.000Z","dependencies_parsed_at":"2022-11-11T23:12:25.328Z","dependency_job_id":null,"html_url":"https://github.com/improbable-eng/kedge","commit_stats":null,"previous_names":["mwitkow/kedge"],"tags_count":80,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/improbable-eng%2Fkedge","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/improbable-eng%2Fkedge/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/improbable-eng%2Fkedge/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/improbable-eng%2Fkedge/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/improbable-eng","download_url":"https://codeload.g
ithub.com/improbable-eng/kedge/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250110822,"owners_count":21376542,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["frontend","go","golang","k8s","kubernetes","proxy","reverse","tls"],"created_at":"2024-08-02T01:02:54.804Z","updated_at":"2025-04-21T18:30:56.592Z","avatar_url":"https://github.com/improbable-eng.png","language":"Go","funding_links":[],"categories":["Go","Load Balancing \u0026 Ingress"],"sub_categories":[],"readme":"# :anchor: kedge - Kubernetes Edge Proxy\n\n[![Travis Build](https://travis-ci.org/improbable-eng/kedge.svg?branch=master)](https://travis-ci.org/improbable-eng/kedge)\n[![Go Report Card](https://goreportcard.com/badge/github.com/improbable-eng/kedge)](https://goreportcard.com/report/github.com/improbable-eng/kedge)\n[![Apache 2.0 License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](LICENSE)\n\n \u003e [kedge](https://www.merriam-webster.com/dictionary/kedge) (verb) to move (a ship) by means of a line attached to a small anchor dropped at the distance and in the direction desired\n\nProxy for gRPC, HTTP (1.1/2) microservices with the aim to make cross-cluster\nmicroservice communication simple to set up, and secure. All you need for it to work is: \nTLS client certificates in your service pods and special dialer, a single L4 load balanced IP address in each cluster, and a `kedge` server behind it.\n\n## The pain of cross-cluster Kubernetes communication\n\nKubernetes is great, if you have one cluster. 
If you want to have two or more, you need more advanced configuration. \nThis project stems from the frustration of setting up communication between two K8S clusters. This requires a couple of things:\n - cross-cluster networking - usually a complex process of setting up and maintaining IPSec bridges\n - configuration of routing rules - each cluster needs to know about each other cluster's 3 (!) network ranges: \n host, pod and internal-service networks\n - providing federated service discovery - either through the alpha-grade \n [K8S Federation](https://kubernetes.io/docs/concepts/cluster-administration/federation/) or [CoreDNS](https://github.com/coredns/coredns) stub zones\n\nAll these are subject to subtle interplays between routes, `iptables` rules, DNS packets and MTU limits of IPSec tunnels, \nwhich would make even a seasoned network engineer go gray.\n\nAt the same time, none of the existing service meshes or networking overlays provide an easy fix for this.\n\n## Kedge Design\n\nKedge is a reverse/forward proxy for gRPC and HTTP traffic. \n\nIt uses a concept of *backends* (see [gRPC](proto/kedge/config/grpc/backends/backend.proto), [HTTP](proto/kedge/config/http/backends/backend.proto)) \nthat map onto K8S [`Services`](https://kubernetes.io/docs/user-guide/services/). These define load balancing policies, \nmiddleware used for calls, and resolution. The backends have \"warm\" connections ready to receive inbound requests.\n\nThe inbound requests are directed to *backends* based on *routes* (see [gRPC](proto/kedge/config/grpc/routes/routes.proto), \n[HTTP](proto/kedge/config/grpc/routes/routes.proto)). These match onto requests based on host, paths (services), headers (metadata). 
\nThey also specify authorization requirements for the route to be taken.\n\nKedge can then be accessed: \n\n### Using native kedge http.Client inside caller library\n\nThe following diagram shows cross-cluster pod-to-pod communication using the kedge dialer.\n\n![Kedge Cert Routing](./docs/kedge_native_dialer_certs.png)\n\n### Using Winch (local proxy to kedges)\n\nThe following diagram shows the routing done by the forward proxy called [winch (client)](docs/winch.md). In this example \nkedge OIDC auth is enabled to support corp use cases (per-backend access controlled by permissions stored in a custom ID token claim). \nIt can also be switched to just client certificate verification as in the diagram above.\n\nNOTE: Any auth which is required by Service B / Pod B needs to be configured on winch due to clients blocking sending auth headers via\n plain HTTP, even over local network (e.g. kubectl). \n\n![Kedge Winch Routing](./docs/kedge_winch_oidc.png)\n\n## Usage\n\nThe kedge package uses [Go modules](https://github.com/golang/go/wiki/Modules) for vendoring.\n\nPlease see \n* the [kedge](docs/kedge.md) for an actual guide.\n* the [winch (client)](docs/winch.md) for a local forward proxy targeting kedge.\n* [end-to-end tests package](pkg/e2e) for example on-button usage of winch + kedge.\n\n## Status\n\nThe project is still in beta, but it is heavily tested and used on prod clusters.\nFor status, see [CHANGELOG](CHANGELOG.md)\n\n## Wishlist\n\nSee [Feature / Improvement issues](https://github.com/improbable-eng/kedge/issues?q=is%3Aopen+is%3Aissue+label%3A%22feature+%2F+improvement%22) for currently wanted features and improvements.\n\n## License\n\n`kedge` is released under the Apache 2.0 license. 
See [LICENSE.txt](LICENSE.txt).\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fimprobable-eng%2Fkedge","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fimprobable-eng%2Fkedge","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fimprobable-eng%2Fkedge/lists"}