Move to multiple dynamic range ports

[WeetA34]

Hi Mark,

Our game server uses 4 passthrough ports:

• 1 game port
• 3 tools ports
  I would like to have the game port opened to the whole universe but not the 3 tools ports for which i want to allow only some sources

Proposal:
I imagine we can move port range (gameservers.minPort and gameservers.maxPort) to a list of port ranges and choose the port range to use in the game server ports definition.
So, we can define a different firewall rule for each range.

ie.
install values:

...
gameservers:
  namespaces: ["default"]
  ranges:
  - name: game
    minPort: 7000
    maxPort: 7099
  - name: tools
    minPort: 7100
    maxPort: 7199

and gamerserver definition:

apiVersion: "agones.dev/v1"
kind: GameServer
...
spec:
  # if there is more than one container, specify which one is the game server
  container: example-server
  # Array of ports that can be exposed as direct connections to the game server container
  ports:
  - name: default
    range: game
    portPolicy: Passthrough
    protocol: UDP
  - name: tool1
    range: tools
    portPolicy: Passthrough
    protocol: TCP
  - name: tool2
    range: tools
    portPolicy: Passthrough
    protocol: TCP
  - name: tool3
    range: tools
    portPolicy: Passthrough
    protocol: TCP
...

Workaround:
If the game port is UDP and Tools ports are TCP, you can only filter sources for TCP destinations.
But it's not possible if you want to apply different firewall rules for the same protocol

Thank you
Regards
Stéphane

[markmandel]

Interesting!

Curious - I assume the systems that are connecting on the "tooling" ports are running outside the cluster that your game servers are running on?

So some kind of scraping/pulling system for each game server?

Is that correct?

[WeetA34]

Hi Mark,

For now, these ports are mainly used for debugging purpose and must be filtered to only get access from our network.

Regards

[markmandel]

For now, these ports are mainly used for debugging purpose and must be filtered to only get access from our network.

Understood - I'm just wondering what the connection pattern is. If we can pull the tooling into the same cluster as the game servers (or maybe run some kind of kubectl based tunnelling, if it's at development time only), then the problem might be solveable another way.

[WeetA34]

In fact, developers don't have access to the cluster. Right now, game servers are in Gamelift.
I'm not sure they can easily work with kubectl port forward for remote imgui and other tool like their inter process connect tool and debug draw infos which are pulled directly from the client.
If we don't want to change their work flow if we move to Agones, we should be able to access these ports directly without any tunneling tricks.

[markmandel]

Right - you would want to setup some kind of VPC to an internal corporate network type situation so you could lock down access to your specific network.

I'm guessing this would also be for both for development, but then also for production debugging?

[WeetA34]

We perform filtering with security group. Connection is from our internal network to these gameserver tools ports.
Yep, it's for development for sure and for production if the issue can't be reproduced in a development deployment.

[roberthbailey]

@markmandel - assuming that we did want to do this, is there a way to do it that is backwards compatible?

[markmandel]

@markmandel - assuming that we did want to do this, is there a way to do it that is backwards compatible?

Probably have the helm configured range be the default range, and then have an ability like above to be able to configure extra ranges for each port. The things would be backward compatible.

It might be good to have a set of port ranges configured thought from the beginning (new CRD? Or new helm config?), rather than allowing any game server to specify any range they want -- it would be tricky to track an arbitrary range per GameServer.

[WeetA34]

It's probably more complicated (or at least longer) than the one hour video you did for moving gameservers from one port to multi-ports @markmandel 😄

I guess you can keep helm gameservers.minPort and gameservers.maxPort values for backward compatibility and assign them to a "default" range in the range list.
This "default" range would be used in gameserver definition if range is not set.

[WeetA34]

It might be good to have a set of port ranges configured thought from the beginning (new CRD? Or new helm config?), rather than allowing any game server to specify any range they want -- it would be tricky to track an arbitrary range per GameServer.

Yep, that's my proposal: having a set of port ranges

[markmandel]

Not sure I like helm for this, because the config layer is hard to define/validate - but I don't think there's a better option?

I would probably have something like:

gameservers:
  minPort: 7000
  maxPort: 7000
  alternatePortRanges:
    - name: debug
      min: 1000
      max: 2000
    - name: health
      min: 4000
      max: 5000

Not quite sold on "alternatePortRanges" as a name, but you get the drift. "namedPortRanges" ?

Which is similar to what you have above - but gameservers.minPort and gameServers.maxPort remain the default (and default would be a keyword name for non-assigned ports in the GameServer.

So we could validate them, and ensure there are no overlapping port ranges, as well as maintaining backward compatibility.

If there are no overlapping ranges, this also means you could have one PortAllocator per range name, and it becomes quite easy to manage.

Then we could do the same as you have above, where you assign the port range by name.

Howzat?

Update:

WHAAAT - Helm 3 has can have a VALIDATION SCHEMA???
https://austindewey.com/2020/06/13/helm-tricks-input-validation-with-values-schema-json/ 🤯

Ignore my desire to not use helm.

[WeetA34]

Hi Mark,
i don't know if you were waiting something else from me.
You're proposal sounds good.
Thank you

[markmandel]

@WeetA34 not waiting on anything, just prioritising other work.

Since this is of import to you, would you be interested in working on it?