Improve VPN Shoot IP forwarding solution for Calico v3.0

[marwinski]

VPN Shoot does not forward packages received via the tunnel device to other pods. The reason for this is simply that IP Forwarding is not turned on.

I found the following in the release notes for Calico:

Host endpoint policies can be applied to forwarded traffic https://docs.projectcalico.org/v3.0/releases/

The new ApplyOnForward flag allows you to specify if a host endpoint policy should apply to forwarded traffic or not. Forwarded traffic includes traffic forwarded between host endpoints and traffic forwarded between a host endpoint and a workload endpoint on the same host. Refer to Using Calico to secure host interfaces for more details.

This will probably do the trick. I have done a simple

echo 1 > /proc/sys/net/ipv4/ip_forward

which also did the trick

[rfranzke]

We decided to enable IP forwarding for the vpn-shoot container manually for now (see 6fb8294).
Moreover, due to security reasons, we do not want to globally allow IP forwarding but only for our vpn container.

Actually, we would prefer a solution based on Calico's policy CRDs (https://docs.projectcalico.org/v3.0/reference/calicoctl/resources/globalnetworkpolicy). We need to further invest in a deeper understanding of how calico works internally and how we could achieve that.

[vlerenc]

@marwinski Can we do something concrete here?

[marwinski]

I am not sure on what the intention of @rfranzke and I don't see how those can help in that particular case.

[vlerenc]

@marwinski @zanetworker @DockToFuture @mvladev Please forgive brevity while grooming the backlog. Issue still relevant in the context of the new VPN solution or would you like to close it (it is rotten)?

[zanetworker]

Closing since we already enable ip-forwarding on the VPN-shoot.

https://github.com/gardener/vpn/blame/70923b7df6726fcb413b6e441f8526588896fd66/shoot/network-connection.sh#L90