From c927da00e07ce631fb6fa1baa4ebcffe47c08682 Mon Sep 17 00:00:00 2001
From: mahjonp <junpeng.man@gmail.com>
Date: Wed, 1 Jun 2022 00:26:53 +0800
Subject: [PATCH] Support cilium ip-masq-agent configuration (#8893)

* fix deploying Cilium with eBPF-based masquerading, which previously failed

Signed-off-by: mahjonp <junpeng.man@gmail.com>

* forget to add the enable-ip-masq-agent flag

Signed-off-by: mahjonp <junpeng.man@gmail.com>
---
 roles/network_plugin/cilium/defaults/main.yml | 23 +++++++++++++++++++
 .../cilium/templates/cilium/config.yml.j2     | 20 ++++++++++++++++
 .../cilium/templates/cilium/ds.yml.j2         | 13 +++++++++++
 3 files changed, 56 insertions(+)

diff --git a/roles/network_plugin/cilium/defaults/main.yml b/roles/network_plugin/cilium/defaults/main.yml
index 867cd9a87..294b0b0ea 100644
--- a/roles/network_plugin/cilium/defaults/main.yml
+++ b/roles/network_plugin/cilium/defaults/main.yml
@@ -99,6 +99,29 @@ cilium_ipsec_node_encryption: "false"
 # This option is only effective when `cilium_encryption_type` is set to `wireguard`.
 cilium_wireguard_userspace_fallback: "false"
 
+# IP Masquerade Agent
+# https://docs.cilium.io/en/stable/concepts/networking/masquerading/
+# By default, all packets from a pod destined to an IP address outside of the cilium_native_routing_cidr range are masqueraded
+cilium_ip_masq_agent_enable: false
+### A packet sent from a pod to a destination which belongs to any CIDR from the nonMasqueradeCIDRs is not going to be masqueraded
+cilium_non_masquerade_cidrs:
+  - 10.0.0.0/8
+  - 172.16.0.0/12
+  - 192.168.0.0/16
+  - 100.64.0.0/10
+  - 192.0.0.0/24
+  - 192.0.2.0/24
+  - 192.88.99.0/24
+  - 198.18.0.0/15
+  - 198.51.100.0/24
+  - 203.0.113.0/24
+  - 240.0.0.0/4
+### Indicates whether to masquerade traffic to the link local prefix.
+### If the masqLinkLocal is not set or set to false, then 169.254.0.0/16 is appended to the non-masquerade CIDRs list.
+cilium_masq_link_local: false
+### A time interval at which the agent attempts to reload config from disk
+cilium_ip_masq_resync_interval: 60s
+
 # Hubble
 ### Enable Hubble without install
 cilium_enable_hubble: false
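Review bot: `cilium_ip_masq_agent_enable: false` is the only bare boolean toggle in this hunk — the neighbouring `cilium_ipsec_node_encryption` and `cilium_wireguard_userspace_fallback` defaults are the quoted strings `"false"`, and the templates test the new flag with a bare `{% if cilium_ip_masq_agent_enable %}`, so an operator who follows the file's convention and writes `"false"` hands Jinja a non-empty string that evaluates as true. Either filter the template conditions with `| bool` or add a comment above the key, e.g. `# Must be a YAML boolean (true/false), not the quoted "true"/"false" used by the other toggles in this file`. The header comment should also say that this list is a trust boundary: traffic from pods to every CIDR in `cilium_non_masquerade_cidrs` (and to 169.254.0.0/16 while `cilium_masq_link_local` is false) leaves the node with the pod IP as its source, so upstream firewall or metadata-service rules that admit traffic by node IP will see pod IPs instead. I believe Cilium only honours this agent when its BPF masquerading is active (the commit title suggests the same); if so, a one-line note to that effect next to `cilium_ip_masq_agent_enable` would save confusion — please confirm against the Cilium versions this role supports.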
diff --git a/roles/network_plugin/cilium/templates/cilium/config.yml.j2 b/roles/network_plugin/cilium/templates/cilium/config.yml.j2
index 09d3dbfbc..8431d7e27 100644
--- a/roles/network_plugin/cilium/templates/cilium/config.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium/config.yml.j2
@@ -206,6 +206,9 @@ data:
 {% endif %}
 {% endif %}
 
+  # IP Masquerade Agent
+  enable-ip-masq-agent: "{{ cilium_ip_masq_agent_enable }}"
+
 {% for key, value in cilium_config_extra_vars.items() %}
   {{ key }}: "{{ value }}"
 {% endfor %}
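Review bot: `enable-ip-masq-agent: "{{ cilium_ip_masq_agent_enable }}"` renders the Ansible boolean as `"False"`/`"True"`, while every other toggle in this ConfigMap is lowercase; Go's strconv.ParseBool accepts both spellings so it works, but `enable-ip-masq-agent: "{{ cilium_ip_masq_agent_enable | bool | lower }}"` keeps the map uniform and also normalises the quoted `"false"` form the defaults file uses for its other flags. The `data:` mapping this key belongs to starts outside the hunk.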
@@ -228,3 +231,20 @@ data:
 {% if cilium_version | regex_replace('v') is version('1.9', '>=') %}
   ipam: "{{ cilium_ipam_mode }}"
 {% endif %}
+
+{% if cilium_ip_masq_agent_enable %}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ip-masq-agent
+  namespace: kube-system
+data:
+  config: |
+    nonMasqueradeCIDRs:
+{% for cidr in cilium_non_masquerade_cidrs %}
+      - {{ cidr }}
+{% endfor %}
+    masqLinkLocal: {{ cilium_masq_link_local|bool }}
+    resyncInterval: "{{ cilium_ip_masq_resync_interval }}"
+{% endif %}
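Review bot: The guard `{% if cilium_ip_masq_agent_enable %}` tests raw Jinja truthiness, so the string `"false"` — the form used by the other toggles in defaults/main.yml — would still emit this ConfigMap; `{% if cilium_ip_masq_agent_enable | bool %}` matches how the value is meant to be read. Inside the block scalar, `masqLinkLocal: {{ cilium_masq_link_local|bool }}` renders as `True`/`False`; a YAML 1.1 parser accepts that, but `masqLinkLocal: {{ cilium_masq_link_local | bool | to_json }}` yields canonical lowercase in the document cilium parses and avoids depending on that leniency. A comment on the block, `# Consumed by cilium-agent from /etc/config/ip-masq-agent; see defaults/main.yml for the non-masquerade semantics`, would also help the next reader connect this document to the DaemonSet mount.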
diff --git a/roles/network_plugin/cilium/templates/cilium/ds.yml.j2 b/roles/network_plugin/cilium/templates/cilium/ds.yml.j2
index a7ff207a2..7af6bcb50 100644
--- a/roles/network_plugin/cilium/templates/cilium/ds.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium/ds.yml.j2
@@ -186,6 +186,11 @@ spec:
         - mountPath: /tmp/cilium/config-map
           name: cilium-config-path
           readOnly: true
+{% if not cilium_ip_masq_agent_enable %}
+        - name: ip-masq-agent
+          mountPath: /etc/config
+          readOnly: true
+{% endif %}
           # Needed to be able to load kernel modules
         - mountPath: /lib/modules
           name: lib-modules
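Review bot: The condition on the new volumeMount is inverted: `{% if not cilium_ip_masq_agent_enable %}` mounts `/etc/config` only when the agent is disabled, whereas config.yml.j2 in this same patch renders the `ip-masq-agent` ConfigMap only when it is enabled. With the default `false` every cilium pod references a ConfigMap that does not exist and cannot start; with `true` the agent is switched on but has no config file to read. Change it to `{% if cilium_ip_masq_agent_enable | bool %}`. The container spec this mount belongs to starts outside the hunk; for consistency with the neighbouring entries, `mountPath` could be listed before `name`.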
@@ -365,6 +370,14 @@ spec:
       - configMap:
           name: cilium-config
         name: cilium-config-path
+{% if not cilium_ip_masq_agent_enable %}
+      - configMap:
+          name: ip-masq-agent
+          items:
+          - key: config
+            path: ip-masq-agent
+        name: ip-masq-agent
+{% endif %}
 {% if cilium_encryption_enabled and cilium_encryption_type == "ipsec" %}
       - name: cilium-ipsec-secrets
         secret:
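Review bot: Same inverted guard here: `{% if not cilium_ip_masq_agent_enable %}` adds the `ip-masq-agent` volume exactly when the ConfigMap it points at is not rendered, so the DaemonSet is broken in both states (missing volume source when disabled, missing mount when enabled). It should read `{% if cilium_ip_masq_agent_enable | bool %}`, the same filtered condition as the matching volumeMount so the two cannot drift apart. The `volumes:` list this entry belongs to starts outside the hunk.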
-- 
GitLab