diff --git a/inventory/group_vars/k8s-cluster.yml b/inventory/group_vars/k8s-cluster.yml index 350be82403f264aee140b24175cb1757a4a6f5d6..65a8661d0d8317c0390f7992dee6e8afb8720ef1 100644 --- a/inventory/group_vars/k8s-cluster.yml +++ b/inventory/group_vars/k8s-cluster.yml @@ -71,6 +71,7 @@ kube_users: # Can also be set to 'cloud', which lets the cloud provider setup appropriate routing kube_network_plugin: calico + # Enable kubernetes network policies enable_network_policy: false diff --git a/roles/network_plugin/calico/defaults/main.yml b/roles/network_plugin/calico/defaults/main.yml index 8cd120234e178c8521071ee2febd61ccf0a9ed98..d80ea02829a300440ec65ac643b458f81af719ac 100644 --- a/roles/network_plugin/calico/defaults/main.yml +++ b/roles/network_plugin/calico/defaults/main.yml @@ -3,7 +3,7 @@ nat_outgoing: true # Use IP-over-IP encapsulation across hosts -ipip: false +ipip: true ipip_mode: always # change to "cross-subnet" if you only want ipip encapsulation on traffic going across subnets # Set to true if you want your calico cni binaries to overwrite the diff --git a/roles/network_plugin/calico/tasks/main.yml b/roles/network_plugin/calico/tasks/main.yml index cdd17ffa6c21644d8d9204156ef09d1e98d399ec..38d3ad5db69a6cbac39a37fdd10e7d5468c22d53 100644 --- a/roles/network_plugin/calico/tasks/main.yml +++ b/roles/network_plugin/calico/tasks/main.yml @@ -94,7 +94,7 @@ shell: > echo '{ "kind": "ipPool", - "spec": {"disabled": false, "ipip": {"enabled": {{ cloud_provider is defined or ipip }}, "mode": "{{ ipip_mode }}"}, + "spec": {"disabled": false, "ipip": {"enabled": {{ ipip }}, "mode": "{{ ipip_mode }}"}, "nat-outgoing": {{ nat_outgoing|default(false) and not peer_with_router|default(false) }}}, "apiVersion": "v1", "metadata": {"cidr": "{{ kube_pods_subnet }}"} 
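Review bot: The comment above `ipip: true` in roles/network_plugin/calico/defaults/main.yml does not say what the new default requires, or that this variable is now the only switch. With this commit IP-in-IP is on for every install unless overridden. An inventory that sets `ipip: false` together with `cloud_provider` is no longer overridden by the tasks, so its pool is created without the encapsulation it previously got. I would extend the comment to something like `# Use IP-over-IP encapsulation across hosts (needs IP protocol 4 allowed between nodes; encapsulation only, no encryption)` and `# No longer forced on when cloud_provider is defined; set it explicitly per environment`. Whether an already existing pool is changed on a re-run is not visible in this hunk.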
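Review bot: `{{ ipip }}` in the ipPool spec (roles/network_plugin/calico/tasks/main.yml, hunk at line 94) is interpolated without type coercion, and the same bare `ipip` is used in the `when:` of the `ipip_arg` set_fact in the hunk at line 110. Now that the variable is the sole input, a value supplied as a string (for example `-e ipip=false`) is non-empty and so most likely truthy in `legacy_calicoctl and ipip`. Whatever string is supplied is also written as-is into the single-quoted JSON handed to the shell. Coercing at both sites keeps the result a real boolean: `"spec": {"disabled": false, "ipip": {"enabled": {{ ipip | bool | to_json }}, "mode": "{{ ipip_mode }}"},` and `when: legacy_calicoctl and ipip | bool`, which also drops the stray space and the now redundant parentheses. Both tasks start and end outside the visible hunks.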
@@ -110,8 +110,7 @@ run_once: true set_fact: ipip_arg: "--ipip" - when: (legacy_calicoctl and - cloud_provider is defined or ipip) + when: (legacy_calicoctl and ipip ) tags: facts - name: Calico (old) | Define nat-outgoing pool argument