Support cilium ip-masq-agent configuration (kubernetes-sigs#8893)

* fix deploy Cilium with eBPF-based Masquerading failed Signed-off-by: mahjonp <[email protected]> * forget to add the enable-ip-masq-agent flag Signed-off-by: mahjonp <[email protected]>
southbridgeio · Jul 1, 2023 · 8c4e3cd · 8c4e3cd
1 parent cb7b558
commit 8c4e3cd
Show file tree

Hide file tree

Showing 3 changed files with 56 additions and 0 deletions.
diff --git a/roles/network_plugin/cilium/defaults/main.yml b/roles/network_plugin/cilium/defaults/main.yml
@@ -99,6 +99,29 @@ cilium_ipsec_node_encryption: "false"
 # This option is only effective when `cilium_encryption_type` is set to `wireguard`.
 cilium_wireguard_userspace_fallback: "false"
 
+# IP Masquerade Agent
+# https://docs.cilium.io/en/stable/concepts/networking/masquerading/
+# By default, all packets from a pod destined to an IP address outside of the cilium_native_routing_cidr range are masqueraded
+cilium_ip_masq_agent_enable: false
+### A packet sent from a pod to a destination which belongs to any CIDR from the nonMasqueradeCIDRs is not going to be masqueraded
+cilium_non_masquerade_cidrs:
+  - 10.0.0.0/8
+  - 172.16.0.0/12
+  - 192.168.0.0/16
+  - 100.64.0.0/10
+  - 192.0.0.0/24
+  - 192.0.2.0/24
+  - 192.88.99.0/24
+  - 198.18.0.0/15
+  - 198.51.100.0/24
+  - 203.0.113.0/24
+  - 240.0.0.0/4
+### Indicates whether to masquerade traffic to the link local prefix.
+### If the masqLinkLocal is not set or set to false, then 169.254.0.0/16 is appended to the non-masquerade CIDRs list.
+cilium_masq_link_local: false
+### A time interval at which the agent attempts to reload config from disk
+cilium_ip_masq_resync_interval: 60s
+
 # Hubble
 ### Enable Hubble without install
 cilium_enable_hubble: false

diff --git a/roles/network_plugin/cilium/templates/cilium/config.yml.j2 b/roles/network_plugin/cilium/templates/cilium/config.yml.j2
@@ -206,6 +206,9 @@ data:
 {% endif %}
 {% endif %}
 
+  # IP Masquerade Agent
+  enable-ip-masq-agent: "{{ cilium_ip_masq_agent_enable }}"
+
 {% for key, value in cilium_config_extra_vars.items() %}
   {{ key }}: "{{ value }}"
 {% endfor %}
@@ -228,3 +231,20 @@ data:
 {% if cilium_version | regex_replace('v') is version('1.9', '>=') %}
   ipam: "{{ cilium_ipam_mode }}"
 {% endif %}
+
+{% if cilium_ip_masq_agent_enable %}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ip-masq-agent
+  namespace: kube-system
+data:
+  config: |
+    nonMasqueradeCIDRs:
+{% for cidr in cilium_non_masquerade_cidrs %}
+      - {{ cidr }}
+{% endfor %}
+    masqLinkLocal: {{ cilium_masq_link_local|bool }}
+    resyncInterval: "{{ cilium_ip_masq_resync_interval }}"
+{% endif %}
diff --git a/roles/network_plugin/cilium/templates/cilium/ds.yml.j2 b/roles/network_plugin/cilium/templates/cilium/ds.yml.j2
@@ -186,6 +186,11 @@ spec:
         - mountPath: /tmp/cilium/config-map
           name: cilium-config-path
           readOnly: true
+{% if not cilium_ip_masq_agent_enable %}
+        - name: ip-masq-agent
+          mountPath: /etc/config
+          readOnly: true
+{% endif %}
           # Needed to be able to load kernel modules
         - mountPath: /lib/modules
           name: lib-modules
@@ -365,6 +370,14 @@ spec:
       - configMap:
           name: cilium-config
         name: cilium-config-path
+{% if not cilium_ip_masq_agent_enable %}
+      - configMap:
+          name: ip-masq-agent
+          items:
+          - key: config
+            path: ip-masq-agent
+        name: ip-masq-agent
+{% endif %}
 {% if cilium_encryption_enabled and cilium_encryption_type == "ipsec" %}
       - name: cilium-ipsec-secrets
         secret: