  • cri/
  • ident/
  • kubenat/
  • BUILD.bazel
  • main.go
  • README.md
cluster/identd/README.md

hscloud ident server

This server implements the ident protocol, as defined by RFC1413, which is mostly used by IRC servers to determine the 'identity' of an incoming IRC connection.

This implementation is intended to run on production hosts that run containerd, with containers whose outgoing connections are NATed to the host's public IP address.

It responds with information about the namespace of the pod that originated the connection. If the namespace is a personal-$owner namespace, it responds with the owner of that namespace. Otherwise, it responds with kns-$namespace.

In addition, it has hardcoded special behaviour for when the pod terminating the connection is named appservice-irc-* and runs in the matrix namespace. If so, it performs an ident request to that pod on port 1113. This effectively integrates it with appservice-irc's integrated identd, and allows us to serve correct identities for IRC connections.

Example flow

                               .----------------------------------.
                               | k8s host                         |
                               |----------------------------------|
.-------------.                |                  .-------------. |
| remote host |                |                  | pod         | |
|-------------|                |   ......         |-------------| |
|        IRCd<:-:6697----:xxxx-:--< NAT <---:yyyy-:- IRC client | |
|      identd-:--------.       |   ''''''         |             | |
'.............|        |       |     ^          .-:->identd     | |
                       |       |     | query    | '-------------' |
                       |       |     |          |                 |
                       '--:113-:-->identd- - - -' forward?        |
                               |     |                            |
                               |     | query                      |
                               |     v                            |
                               |  ( containerd )                  |
                               '----------------------------------'

In the above diagram, the remote host's identd client would query identd for information about the TCP connection xxxx,6697, which identd would attempt to resolve back into the pod by consulting the NAT table. After that, it can either return the pod's namespace information to the remote identd client, or (if the pod is an appservice-irc) forward the query to another identd running within the pod, this time asking for yyyy,6697, and pass that response on to the remote identd client.

Libraries and building blocks

  • ident/ is a Go ident server/client library, reusable across projects.
  • kubenat/ is a Go library for figuring out which pod behind a NAT originated a given 4-tuple.

Deployment

See //cluster/kube/lib/identd.libsonnet.