Compute Service
The Compute Service manages containers running on the Kubernetes cluster. It provides a simplified interface for container lifecycle management.
Features
- Container Management: Create, start, stop, delete containers
- Custom Images: Launch containers from images stored in the internal registry (
registry.cloud.eddisonso.com) - SSH Access: Enable SSH access to containers
- Port Forwarding: Expose container ports via ingress rules
- Real-time Updates: WebSocket-based status updates
API Endpoints
Containers
| Method | Endpoint | Description |
|---|---|---|
| GET | /compute/containers | List user's containers |
| POST | /compute/containers | Create container |
| DELETE | /compute/containers/:id | Delete container |
| POST | /compute/containers/:id/start | Start container |
| POST | /compute/containers/:id/stop | Stop container |
Images
| Method | Endpoint | Description |
|---|---|---|
| GET | /compute/images | List available container images (builtin + registry) |
SSH Keys
| Method | Endpoint | Description |
|---|---|---|
| GET | /compute/ssh-keys | List SSH keys |
| POST | /compute/ssh-keys | Add SSH key |
| DELETE | /compute/ssh-keys/:id | Remove SSH key |
Container Access
| Method | Endpoint | Description |
|---|---|---|
| GET | /compute/containers/:id/ssh | Get SSH status |
| PUT | /compute/containers/:id/ssh | Toggle SSH access |
| GET | /compute/containers/:id/ingress | List ingress rules |
| POST | /compute/containers/:id/ingress | Add ingress rule |
| DELETE | /compute/containers/:id/ingress/:port | Remove ingress rule |
WebSocket
| Endpoint | Description |
|---|---|
/compute/ws | Real-time container status updates |
Container Lifecycle
WebSocket Updates
Real-time container status via WebSocket:
const ws = new WebSocket('wss://compute.cloud.eddisonso.com/compute/ws');
ws.onmessage = (event) => {
const msg = JSON.parse(event.data);
if (msg.type === 'containers') {
// Full container list
console.log(msg.data);
} else if (msg.type === 'container_status') {
// Status update for single container
console.log(msg.data.container_id, msg.data.status);
}
};
SSH Access
When SSH is enabled for a container:
- Container gets an SSH server sidecar
- User's SSH keys are injected
- Access via:
ssh <container-id>@compute.cloud.eddisonso.com
Ingress Rules
Expose container ports to the internet:
{
"port": 8080,
"target_port": 8080
}
This creates an ingress rule routing <container-id>.compute.cloud.eddisonso.com:<port> to the container's target port.
Network Isolation
Each compute container runs in its own Kubernetes namespace (compute-{user_id}-{container_id}) with a strict NetworkPolicy:
Egress (outbound):
- DNS (UDP:53) to cluster DNS only (
10.43.0.10/32) - Public internet (
0.0.0.0/0) excluding all private ranges (10.0.0.0/8,192.168.0.0/16,172.16.0.0/12)
Ingress (inbound):
- Gateway traffic for SSH and HTTP access
- User-exposed ports from external IPs only
Compute containers cannot reach any internal cluster service (NATS, PostgreSQL, auth-service, etc.). All core services run in the core namespace, which has its own NetworkPolicy restricting ingress to intra-namespace traffic and gateway connections.
Database Schema
CREATE TABLE containers (
id TEXT PRIMARY KEY,
user_id INTEGER REFERENCES users(id),
name TEXT NOT NULL,
image TEXT NOT NULL,
status TEXT DEFAULT 'stopped',
ssh_enabled BOOLEAN DEFAULT false,
created_at TIMESTAMP DEFAULT NOW()
);
CREATE TABLE ingress_rules (
id SERIAL PRIMARY KEY,
container_id TEXT REFERENCES containers(id),
port INTEGER NOT NULL,
target_port INTEGER NOT NULL
);
CREATE TABLE ssh_keys (
id SERIAL PRIMARY KEY,
user_id INTEGER REFERENCES users(id),
name TEXT NOT NULL,
public_key TEXT NOT NULL
);