From c927da00e07ce631fb6fa1baa4ebcffe47c08682 Mon Sep 17 00:00:00 2001 From: mahjonp Date: Wed, 1 Jun 2022 00:26:53 +0800 Subject: [PATCH] Support cilium ip-masq-agent configuration (#8893) * fix deploy Cilium with eBPF-based Masquerading failed Signed-off-by: mahjonp * forget to add the enable-ip-masq-agent flag Signed-off-by: mahjonp --- roles/network_plugin/cilium/defaults/main.yml | 23 +++++++++++++++++++ .../cilium/templates/cilium/config.yml.j2 | 20 ++++++++++++++++ .../cilium/templates/cilium/ds.yml.j2 | 13 +++++++++++ 3 files changed, 56 insertions(+) diff --git a/roles/network_plugin/cilium/defaults/main.yml b/roles/network_plugin/cilium/defaults/main.yml index 867cd9a87..294b0b0ea 100644 --- a/roles/network_plugin/cilium/defaults/main.yml +++ b/roles/network_plugin/cilium/defaults/main.yml 
@@ -99,6 +99,29 @@ cilium_ipsec_node_encryption: "false" # This option is only effective when `cilium_encryption_type` is set to `wireguard`. cilium_wireguard_userspace_fallback: "false" +# IP Masquerade Agent +# https://docs.cilium.io/en/stable/concepts/networking/masquerading/ +# By default, all packets from a pod destined to an IP address outside of the cilium_native_routing_cidr range are masqueraded +cilium_ip_masq_agent_enable: false +### A packet sent from a pod to a destination which belongs to any CIDR from the nonMasqueradeCIDRs is not going to be masqueraded +cilium_non_masquerade_cidrs: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - 100.64.0.0/10 + - 192.0.0.0/24 + - 192.0.2.0/24 + - 192.88.99.0/24 + - 198.18.0.0/15 + - 198.51.100.0/24 + - 203.0.113.0/24 + - 240.0.0.0/4 +### Indicates whether to masquerade traffic to the link local prefix. +### If the masqLinkLocal is not set or set to false, then 169.254.0.0/16 is appended to the non-masquerade CIDRs list. +cilium_masq_link_local: false +### A time interval at which the agent attempts to reload config from disk +cilium_ip_masq_resync_interval: 60s + # Hubble ### Enable Hubble without install cilium_enable_hubble: false diff --git a/roles/network_plugin/cilium/templates/cilium/config.yml.j2 b/roles/network_plugin/cilium/templates/cilium/config.yml.j2 index 09d3dbfbc..8431d7e27 100644 --- a/roles/network_plugin/cilium/templates/cilium/config.yml.j2 +++ b/roles/network_plugin/cilium/templates/cilium/config.yml.j2 @@ -206,6 +206,9 @@ data: {% endif %} {% endif %} + # IP Masquerade Agent + enable-ip-masq-agent: "{{ cilium_ip_masq_agent_enable }}" + {% for key, value in cilium_config_extra_vars.items() %} {{ key }}: "{{ value }}" {% endfor %} 
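Review bot: The new defaults document the agent's mechanics but not its effect on traffic leaving the node, which is the thing an operator enabling `cilium_ip_masq_agent_enable` needs to know: with the agent on, pod-sourced packets to every range in `cilium_non_masquerade_cidrs` (all of RFC 1918, the CGNAT block and several reserved ranges) are sent with the pod IP as source instead of the node IP, so external firewalls, cloud NACLs and flow logs that only know node addresses will see, and may drop, pod-CIDR traffic. Suggest a comment directly above `cilium_ip_masq_agent_enable: false` along the lines of `# When enabled, traffic to the CIDRs below leaves the node with the pod IP as source; the networks in that list must route and permit the pod CIDR, and the list should be trimmed to ranges that are actually reachable from the cluster.` Separately, `cilium_ip_masq_agent_enable: false` is a bare boolean while the neighbouring `cilium_ipsec_node_encryption` and `cilium_wireguard_userspace_fallback` defaults use the quoted string `"false"`; whichever convention is intended, it is worth keeping them consistent because the value is rendered straight into the cilium-config ConfigMap.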
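Review bot: `enable-ip-masq-agent: "{{ cilium_ip_masq_agent_enable }}"` renders the Ansible boolean as the Python-style `"True"`/`"False"`, while the defaults it comes from (and the other string-booleans in defaults/main.yml such as `"false"`) are lowercase; `masqLinkLocal: {{ cilium_masq_link_local|bool }}` in the second hunk of this file has the same rendering inside the ip-masq-agent ConfigMap. Go's strconv.ParseBool and the usual YAML loaders do accept the capitalised form, so this is probably harmless today, but a lowercase rendering removes the reliance on that leniency: `enable-ip-masq-agent: "{{ cilium_ip_masq_agent_enable | bool | lower }}"` and `masqLinkLocal: {{ cilium_masq_link_local | bool | lower }}`. The key is also emitted unconditionally, unlike the `ipam:` entry in the next hunk which is gated on `cilium_version`; I believe ip-masq-agent support only exists from Cilium 1.10, so if older versions are still supported by this role the new key should be gated the same way.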
@@ -228,3 +231,20 @@ data: {% if cilium_version | regex_replace('v') is version('1.9', '>=') %} ipam: "{{ cilium_ipam_mode }}" {% endif %} + +{% if cilium_ip_masq_agent_enable %} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: ip-masq-agent + namespace: kube-system +data: + config: | + nonMasqueradeCIDRs: +{% for cidr in cilium_non_masquerade_cidrs %} + - {{ cidr }} +{% endfor %} + masqLinkLocal: {{ cilium_masq_link_local|bool }} + resyncInterval: "{{ cilium_ip_masq_resync_interval }}" +{% endif %} diff --git a/roles/network_plugin/cilium/templates/cilium/ds.yml.j2 b/roles/network_plugin/cilium/templates/cilium/ds.yml.j2 index a7ff207a2..7af6bcb50 100644 --- a/roles/network_plugin/cilium/templates/cilium/ds.yml.j2 +++ b/roles/network_plugin/cilium/templates/cilium/ds.yml.j2 @@ -186,6 +186,11 @@ spec: - mountPath: /tmp/cilium/config-map name: cilium-config-path readOnly: true +{% if not cilium_ip_masq_agent_enable %} + - name: ip-masq-agent + mountPath: /etc/config + readOnly: true +{% endif %} # Needed to be able to load kernel modules - mountPath: /lib/modules name: lib-modules @@ -365,6 +370,14 @@ spec: - configMap: name: cilium-config name: cilium-config-path +{% if not cilium_ip_masq_agent_enable %} + - configMap: + name: ip-masq-agent + items: + - key: config + path: ip-masq-agent + name: ip-masq-agent +{% endif %} {% if cilium_encryption_enabled and cilium_encryption_type == "ipsec" %} - name: cilium-ipsec-secrets secret:
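Review bot: The guard `{% if not cilium_ip_masq_agent_enable %}` around the new `ip-masq-agent` volumeMount is inverted relative to config.yml.j2, which renders the `ip-masq-agent` ConfigMap only `{% if cilium_ip_masq_agent_enable %}`; the volume definition in the following hunk (`@@ -365,6 +370,14 @@`) carries the same `not`. With the feature enabled the agent is started with `enable-ip-masq-agent` but nothing is mounted at `/etc/config`, and with the default `false` the DaemonSet references a ConfigMap that is never created, and because the `configMap:` volume is not marked `optional: true` the kubelet will hold the cilium pod in ContainerCreating until that ConfigMap exists. Both guards should read `{% if cilium_ip_masq_agent_enable %}`. The `volumeMounts` and `volumes` lists these hunks sit in begin and end outside the hunks.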