Exposed gameserver ports

[svetch]

Hello, we have begun the process of migrating our legacy servers to Kubernetes using Shulker. However, we've noticed that the game server ports are being exposed to the host. Could you explain why this is happening and provide guidance on how to prevent the game server ports from being exposed?

[jeremylvln]

Hi!

Really good question. It is actually an Agones behavior (see here).

It's a bit unusual I agree with you. It is mainly because in most games, users connects directly to the servers and are not routed through a proxy. So having a dedicated port on the host avoids networks hops and so latency and overload on Kubernetes. Here we are not interested in this fast path, but I don't think we have control on that (but if we do I really should disable that!).

One way of "solving" this is to have a "private" Kubernetes Cluster by having your game server nodes not exposed through the Internet directly (or with firewall rules). But I can understand that all clusters cannot be private especially if you are provisioning your own without cloud providers :/

[svetch]

Our scenario is somewhat complex, as the node's IP in our case is not internal; rather, it is the node's public IP. This is because the worker nodes (on bare metal) are not on the same physical network as the control plane (which is on the cloud).

[jeremylvln]

Oh I see, this gives way more sense, thank you.

I've reverted my fix (that's why there was a quick release some hours ago) for to unlock most of the users (including me lol). But it can't work for you, there is no way you want the ports to be bound to the node public IP. There is an alternative that was suggested by an Agones contributor, but it needs a bit of work on my end and it was quite a busy week for me. I'll try to work on that this week-end.

[svetch]

Our plan is to complete the migration of our Velocity proxy and the lobbies by the end of this month. Only after we start migrating another around 10 types of servers. So we have time for this fix. Thank you for your support!

I've discovered another bug related to this: when attempting to run multiple lobbies, such as setting replicas to 3, only one lobby starts due to this error (from argocd pipeline):

one or more objects failed to apply, reason: Operation cannot be fulfilled on minecraftserverfleets.shulkermc.io "lobby": the object has 
been modified; please apply your changes to the latest version and try again,admission webhook "validations.agones.dev" denied the 
request: GameServer.agones.dev "lobby-p4l2h-fw499" is invalid: spec.ports[0].hostPort: Forbidden: HostPort cannot be specified with a 
Dynamic or Passthrough PortPolicy (retried 5 times).

I hope autoscaling functions properly; I haven't tested it yet, only attempted to increase the replica count of MinecraftServerFleet.

[jeremylvln]

I have done an implementation that should fix the issue. It's merged, and I started a release. Let me know if everything is okay for you and your use cases.

Now, no ports will be bound, and Shulker will use headless internal DNS to route the proxies to the servers.

I'm not a big fan of this solution as it will load the DNS servers, but it's acceptable until I find something better.

[svetch]

Thank you for your work and your availability!