From fb0ee9d84a5d093ff55bb1efc79749188b6405b6 Mon Sep 17 00:00:00 2001
From: Aleksandr Didenko <adidenko@mirantis.com>
Date: Mon, 3 Oct 2016 12:08:41 +0200
Subject: [PATCH] Add support for --masquerade-all in kube-proxy

New boolean var `kube_proxy_masquerade_all` which enables/disables
`--masquerade-all` argument for kube-proxy.

Closes #524
---
 roles/kubernetes/node/defaults/main.yml                        | 3 +++
 .../kubernetes/node/templates/manifests/kube-proxy.manifest.j2 | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/roles/kubernetes/node/defaults/main.yml b/roles/kubernetes/node/defaults/main.yml
index 94da756be..2c1738370 100644
--- a/roles/kubernetes/node/defaults/main.yml
+++ b/roles/kubernetes/node/defaults/main.yml
@@ -8,6 +8,9 @@ kube_resolv_conf: "/etc/resolv.conf"
 
 kube_proxy_mode: iptables
 
+# If using the pure iptables proxy, SNAT everything
+kube_proxy_masquerade_all: true
+
 # kube_api_runtime_config:
 #   - extensions/v1beta1/daemonsets=true
 #   - extensions/v1beta1/deployments=true
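Review bot: Defaulting `kube_proxy_masquerade_all` to `true` turns on SNAT for all service traffic on every node running the iptables proxy as soon as this role is updated. Backends, and any source-address-based policy or access log, would then see a masqueraded address instead of the client pod address. kube-proxy itself leaves `--masquerade-all` off unless asked, so I would ship `kube_proxy_masquerade_all: false` and let operators opt in. The comment should also state the cost, for example `# SNAT all traffic sent to service cluster IPs (iptables proxy mode only); hides the original client IP from backends`.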
diff --git a/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2 b/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2
index 296658cbd..f0c4bc211 100644
--- a/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2
+++ b/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2
@@ -18,6 +18,9 @@ spec:
 {% endif %}
     - --bind-address={{ ip | default(ansible_default_ipv4.address) }}
     - --proxy-mode={{ kube_proxy_mode }}
+{% if kube_proxy_masquerade_all and kube_proxy_mode == "iptables" %}
+    - --masquerade-all
+{% endif %}
     securityContext:
       privileged: true
     volumeMounts:
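Review bot: The new `{% if %}` tests `kube_proxy_masquerade_all` for plain truthiness, so a value that arrives as a string (for example `-e kube_proxy_masquerade_all=false` on the command line) is non-empty and still emits `--masquerade-all`. Passing it through the bool filter avoids enabling SNAT when the operator meant to disable it: `{% if kube_proxy_masquerade_all | bool and kube_proxy_mode == "iptables" %}`. The container's argument list starts above the hunk, so whether other flags there are guarded the same way is not visible here.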
-- 
GitLab