From 8aef128640524989b3e3aa2e7588e068fd5240fa Mon Sep 17 00:00:00 2001
From: Daniel Nardo
Date: Mon, 6 Nov 2017 10:01:55 -0800
Subject: [PATCH] Set the NON_MASQUERADE_CIDR to 0/0 by default in GCE/GKE which disables masquerade rules setup by the kubelet. Add masquerade rules based on NON_MASQUERADE_CIDR being set to 0/0.

---
 cluster/gce/config-default.sh | 2 ++
 cluster/gce/gci/configure-helper.sh | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/cluster/gce/config-default.sh b/cluster/gce/config-default.sh
index b9fd230d4a6..3d95db434ec 100755
--- a/cluster/gce/config-default.sh
+++ b/cluster/gce/config-default.sh
@@ -290,6 +290,8 @@ OPENCONTRAIL_PUBLIC_SUBNET="${OPENCONTRAIL_PUBLIC_SUBNET:-10.1.0.0/16}"
 # Network Policy plugin specific settings.
 NETWORK_POLICY_PROVIDER="${NETWORK_POLICY_PROVIDER:-none}" # calico
 
+NON_MASQUERADE_CIDR="0.0.0.0/0"
+
 # How should the kubelet configure hairpin mode?
 HAIRPIN_MODE="${HAIRPIN_MODE:-promiscuous-bridge}" # promiscuous-bridge, hairpin-veth, none
 # Optional: if set to true, kube-up will configure the cluster to run e2e tests.
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index 8861eab17f5..27858dd898a 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -64,8 +64,8 @@ function config-ip-firewall {
   # Flush iptables nat table
   iptables -t nat -F || true
 
-  if [[ "${NETWORK_POLICY_PROVIDER:-}" == "calico" && "${KUBERNETES_MASTER:-}" == false ]]; then
-    echo "Add rules for ip masquerade"
+  echo "Add rules for ip masquerade"
+  if [[ "${NON_MASQUERADE_CIDR:-}" == "0.0.0.0/0" ]]; then
     iptables -t nat -N IP-MASQ
     iptables -t nat -A POSTROUTING -m comment --comment "ip-masq: ensure nat POSTROUTING directs all non-LOCAL destination traffic to our custom IP-MASQ chain" -m addrtype ! --dst-type LOCAL -j IP-MASQ
     iptables -t nat -A IP-MASQ -d 169.254.0.0/16 -m comment --comment "ip-masq: local traffic is not subject to MASQUERADE" -j RETURN
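Review bot: The new `NON_MASQUERADE_CIDR="0.0.0.0/0"` in config-default.sh is a hard assignment, unlike every neighbouring setting (`NETWORK_POLICY_PROVIDER`, `HAIRPIN_MODE`, `OPENCONTRAIL_PUBLIC_SUBNET`) which uses the `"${VAR:-default}"` form, so an operator exporting their own CIDR before kube-up has it silently overwritten and the "by default" wording of the commit message does not hold. Use the file's convention, `NON_MASQUERADE_CIDR="${NON_MASQUERADE_CIDR:-0.0.0.0/0}"`, so the value stays overridable. The line also deserves a comment explaining the non-obvious effect stated in the commit message, e.g. `# 0.0.0.0/0 disables the kubelet's own masquerade rules; configure-helper.sh installs the IP-MASQ chain instead.`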
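Review bot: In configure-helper.sh the `echo "Add rules for ip masquerade"` is moved above the new `if`, so the log now claims masquerade rules were added even when `NON_MASQUERADE_CIDR` is not `0.0.0.0/0` and nothing is installed; keep the echo inside the condition, or make it unconditional but truthful, e.g. `echo "Configuring ip masquerade (NON_MASQUERADE_CIDR=${NON_MASQUERADE_CIDR:-unset})"`. The rewritten condition also drops the `"${KUBERNETES_MASTER:-}" == false` guard, so with the new default the IP-MASQ chain and POSTROUTING jump are presumably installed on the master as well; if that is intended, say so in the commit message or a comment, otherwise restore the guard with `&&`. The body of config-ip-firewall continues past the hunk, so any later rules that depend on the old calico-only behaviour could not be checked here.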