mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-24 04:06:03 +00:00
Merge pull request #55178 from dnardo/gke-setup
Automatic merge from submit-queue (batch tested with PRs 53866, 54852, 55178, 55185, 55130). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Set the NON_MASQUERADE_CIDR to 0/0 by default in GCE/GKE This disables masquerade rules setup by the kubelet. Additionally this adds masquerade rules based on NON_MASQUERADE_CIDR being set to 0/0. **What this PR does / why we need it**: **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*: Fixes # **Special notes for your reviewer**: **Release note**: ```release-note Add masquerading rules by default to GCE/GKE ```
This commit is contained in:
commit
ce90b54c0f
@ -290,6 +290,8 @@ OPENCONTRAIL_PUBLIC_SUBNET="${OPENCONTRAIL_PUBLIC_SUBNET:-10.1.0.0/16}"
|
||||
# Network Policy plugin specific settings.
|
||||
NETWORK_POLICY_PROVIDER="${NETWORK_POLICY_PROVIDER:-none}" # calico
|
||||
|
||||
NON_MASQUERADE_CIDR="0.0.0.0/0"
|
||||
|
||||
# How should the kubelet configure hairpin mode?
|
||||
HAIRPIN_MODE="${HAIRPIN_MODE:-promiscuous-bridge}" # promiscuous-bridge, hairpin-veth, none
|
||||
# Optional: if set to true, kube-up will configure the cluster to run e2e tests.
|
||||
|
@ -64,8 +64,8 @@ function config-ip-firewall {
|
||||
# Flush iptables nat table
|
||||
iptables -t nat -F || true
|
||||
|
||||
if [[ "${NETWORK_POLICY_PROVIDER:-}" == "calico" && "${KUBERNETES_MASTER:-}" == false ]]; then
|
||||
echo "Add rules for ip masquerade"
|
||||
echo "Add rules for ip masquerade"
|
||||
if [[ "${NON_MASQUERADE_CIDR:-}" == "0.0.0.0/0" ]]; then
|
||||
iptables -t nat -N IP-MASQ
|
||||
iptables -t nat -A POSTROUTING -m comment --comment "ip-masq: ensure nat POSTROUTING directs all non-LOCAL destination traffic to our custom IP-MASQ chain" -m addrtype ! --dst-type LOCAL -j IP-MASQ
|
||||
iptables -t nat -A IP-MASQ -d 169.254.0.0/16 -m comment --comment "ip-masq: local traffic is not subject to MASQUERADE" -j RETURN
|
||||
|
Loading…
Reference in New Issue
Block a user