Merge pull request #55178 from dnardo/gke-setup

Automatic merge from submit-queue (batch tested with PRs 53866, 54852, 55178, 55185, 55130). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Set the NON_MASQUERADE_CIDR to 0/0 by default in GCE/GKE

This disables masquerade rules setup by the kubelet.  Additionally this adds masquerade rules based on NON_MASQUERADE_CIDR being set to 0/0.



**What this PR does / why we need it**:

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note
Add masquerading rules by default to GCE/GKE
```
This commit is contained in:
Kubernetes Submit Queue 2017-11-06 22:20:31 -08:00 committed by GitHub
commit ce90b54c0f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 4 additions and 2 deletions

View File

@ -290,6 +290,8 @@ OPENCONTRAIL_PUBLIC_SUBNET="${OPENCONTRAIL_PUBLIC_SUBNET:-10.1.0.0/16}"
# Network Policy plugin specific settings.
NETWORK_POLICY_PROVIDER="${NETWORK_POLICY_PROVIDER:-none}" # calico
NON_MASQUERADE_CIDR="0.0.0.0/0"
# How should the kubelet configure hairpin mode?
HAIRPIN_MODE="${HAIRPIN_MODE:-promiscuous-bridge}" # promiscuous-bridge, hairpin-veth, none
# Optional: if set to true, kube-up will configure the cluster to run e2e tests.

View File

@ -64,8 +64,8 @@ function config-ip-firewall {
# Flush iptables nat table
iptables -t nat -F || true
if [[ "${NETWORK_POLICY_PROVIDER:-}" == "calico" && "${KUBERNETES_MASTER:-}" == false ]]; then
echo "Add rules for ip masquerade"
echo "Add rules for ip masquerade"
if [[ "${NON_MASQUERADE_CIDR:-}" == "0.0.0.0/0" ]]; then
iptables -t nat -N IP-MASQ
iptables -t nat -A POSTROUTING -m comment --comment "ip-masq: ensure nat POSTROUTING directs all non-LOCAL destination traffic to our custom IP-MASQ chain" -m addrtype ! --dst-type LOCAL -j IP-MASQ
iptables -t nat -A IP-MASQ -d 169.254.0.0/16 -m comment --comment "ip-masq: local traffic is not subject to MASQUERADE" -j RETURN