authorChristian Pointner <equinox@spreadspace.org>2020-10-18 23:41:09 +0200
committerChristian Pointner <equinox@spreadspace.org>2020-10-18 23:41:09 +0200
commit6df5dbbbb25c54b57b6d2cfbb275eee6ee84364c (patch)
tree2de7c354df297bcab6f6d785f8c083d8d419dc99
parentupdate jitsi/meet (diff)
kubernetes/standlone: portforwarding for local services
-rw-r--r--inventory/host_vars/sk-cloudio/vars.yml10
-rw-r--r--inventory/host_vars/sk-tomnext-nc.yml12
-rw-r--r--roles/kubernetes/base/tasks/cri_containerd.yml2
-rw-r--r--roles/kubernetes/base/tasks/cri_docker.yml2
-rw-r--r--roles/kubernetes/base/tasks/main.yml10
-rw-r--r--roles/kubernetes/standalone/base/defaults/main.yml3
-rw-r--r--roles/kubernetes/standalone/base/handlers/main.yml6
-rw-r--r--roles/kubernetes/standalone/base/tasks/main.yml20
-rw-r--r--roles/kubernetes/standalone/base/templates/kube-standalone-local-services.service.j212
-rw-r--r--roles/kubernetes/standalone/base/templates/kube-standalone-local-services.sh.j219
-rw-r--r--roles/postfix/simple/defaults/main.yml2
11 files changed, 79 insertions, 19 deletions
diff --git a/inventory/host_vars/sk-cloudio/vars.yml b/inventory/host_vars/sk-cloudio/vars.yml
index 00bcdfde..45fd8cbd 100644
--- a/inventory/host_vars/sk-cloudio/vars.yml
+++ b/inventory/host_vars/sk-cloudio/vars.yml
@@ -60,14 +60,14 @@ kubernetes_standalone_max_pods: 100
kubernetes_standalone_pod_cidr: 192.168.255.0/24
kubernetes_standalone_cni_variant: with-portmap
-acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
-
+kubernetes_standalone_local_services_tcp:
+ - 25
postfix_simple_mynetworks:
- "127.0.0.0/8"
- "[::ffff:127.0.0.0]/104"
- "[::1]/128"
- "{{ kubernetes_standalone_pod_cidr }}"
-postfix_simple_inet_interfaces:
- - "127.0.0.1"
- - "{{ kubernetes_standalone_pod_cidr | ipaddr('1') | ipaddr('address') }}"
+
+
+acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
diff --git a/inventory/host_vars/sk-tomnext-nc.yml b/inventory/host_vars/sk-tomnext-nc.yml
index 3e63fb9d..d0b6097b 100644
--- a/inventory/host_vars/sk-tomnext-nc.yml
+++ b/inventory/host_vars/sk-tomnext-nc.yml
@@ -77,18 +77,18 @@ kubernetes_standalone_max_pods: 15
kubernetes_standalone_pod_cidr: 192.168.255.0/24
kubernetes_standalone_cni_variant: with-portmap
-
-acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
-nginx_server_names_hash_bucket_size: 64
+kubernetes_standalone_local_services_tcp:
+ - 25
postfix_simple_mynetworks:
- "127.0.0.0/8"
- "[::ffff:127.0.0.0]/104"
- "[::1]/128"
- "{{ kubernetes_standalone_pod_cidr }}"
-postfix_simple_inet_interfaces:
- - "127.0.0.1"
- - "{{ kubernetes_standalone_pod_cidr | ipaddr('1') | ipaddr('address') }}"
+
+
+acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
+nginx_server_names_hash_bucket_size: 64
nextcloud_zfs:
diff --git a/roles/kubernetes/base/tasks/cri_containerd.yml b/roles/kubernetes/base/tasks/cri_containerd.yml
index 549ccae0..66398ef2 100644
--- a/roles/kubernetes/base/tasks/cri_containerd.yml
+++ b/roles/kubernetes/base/tasks/cri_containerd.yml
@@ -3,7 +3,7 @@
assert:
msg: "The variable kubernetes_cri_socket is not configured correctly. You might need to move your host to the group kubernetes-cluster or standalone-kubelet!"
that:
- - kubernetes_cri_socket == "unix:///run/containerd/containerd.sock"
+ - kubernetes_cri_socket == "unix:///run/containerd/containerd.sock"
- name: install containerd
include_role:
diff --git a/roles/kubernetes/base/tasks/cri_docker.yml b/roles/kubernetes/base/tasks/cri_docker.yml
index 0c400e2c..b5024163 100644
--- a/roles/kubernetes/base/tasks/cri_docker.yml
+++ b/roles/kubernetes/base/tasks/cri_docker.yml
@@ -3,7 +3,7 @@
assert:
msg: "The variable kubernetes_cri_socket is not configured correctly. You might need to move your host to the group kubernetes-cluster or standalone-kubelet!"
that:
- - not kubernetes_cri_socket
+ - not kubernetes_cri_socket
- name: create systemd snippet directory
file:
diff --git a/roles/kubernetes/base/tasks/main.yml b/roles/kubernetes/base/tasks/main.yml
index da5f7408..549bfac7 100644
--- a/roles/kubernetes/base/tasks/main.yml
+++ b/roles/kubernetes/base/tasks/main.yml
@@ -17,9 +17,9 @@
- name: install kubelet and common packages
apt:
name:
- - bridge-utils
- - cri-tools
- - "kubelet={{ kubernetes_version }}-00"
+ - bridge-utils
+ - cri-tools
+ - "kubelet={{ kubernetes_version }}-00"
state: present
force: yes
@@ -30,8 +30,8 @@
- name: add crictl config for shells
loop:
- - zsh
- - bash
+ - zsh
+ - bash
blockinfile:
path: "/root/.{{ item }}rc"
create: yes
diff --git a/roles/kubernetes/standalone/base/defaults/main.yml b/roles/kubernetes/standalone/base/defaults/main.yml
index b0c14b11..3f6b52bb 100644
--- a/roles/kubernetes/standalone/base/defaults/main.yml
+++ b/roles/kubernetes/standalone/base/defaults/main.yml
@@ -12,3 +12,6 @@ kubernetes_standalone_pod_cidr: 192.168.255.0/24
kubernetes_standalone_resolv_conf: /etc/resolv.conf
kubernetes_standalone_cni_variant: with-portmap
+
+kubernetes_standalone_local_services_tcp: []
+kubernetes_standalone_local_services_udp: []
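Review bot: The two new variables carry no documentation, and since listing a port widens what pods can reach on the host, a comment stating the effect belongs here, e.g. `# TCP/UDP ports bound on 127.0.0.1 that pods may reach through the pod-CIDR gateway address (DNAT in kube-standalone-local-services.sh)`. It is also worth saying that the forwarding appears to keep the pod's source address, so the target service must still authorize the pod CIDR itself (as the postfix `mynetworks` entries in the host_vars do) — confirm against the script before documenting it that way.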
diff --git a/roles/kubernetes/standalone/base/handlers/main.yml b/roles/kubernetes/standalone/base/handlers/main.yml
index 26438551..8f5d5232 100644
--- a/roles/kubernetes/standalone/base/handlers/main.yml
+++ b/roles/kubernetes/standalone/base/handlers/main.yml
@@ -4,3 +4,9 @@
name: kubelet.service
state: restarted
daemon_reload: yes
+
+- name: restart local-services
+ systemd:
+ name: kube-standalone-local-services.service
+ state: restarted
+ daemon_reload: yes
diff --git a/roles/kubernetes/standalone/base/tasks/main.yml b/roles/kubernetes/standalone/base/tasks/main.yml
index 241c3136..d7f47ff4 100644
--- a/roles/kubernetes/standalone/base/tasks/main.yml
+++ b/roles/kubernetes/standalone/base/tasks/main.yml
@@ -32,3 +32,23 @@
template:
src: "cni-{{ kubernetes_standalone_cni_variant }}.conflist.j2"
dest: /etc/cni/net.d/kube-standalone.conflist
+
+- name: install local-services iptables script
+ template:
+ src: kube-standalone-local-services.sh.j2
+ dest: /usr/local/sbin/kube-standalone-local-services.sh
+ mode: 0755
+ notify: restart local-services
+
+- name: install local-services systemd unit
+ template:
+ src: kube-standalone-local-services.service.j2
+ dest: /etc/systemd/system/kube-standalone-local-services.service
+ notify: restart local-services
+
+- name: make sure local-services is enabled and started
+ systemd:
+ daemon_reload: yes
+ name: kube-standalone-local-services.service
+ state: started
+ enabled: yes
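Review bot: `mode: 0755` in the script task is an unquoted YAML octal; PyYAML reads it as the integer 493, which happens to be correct, but ansible-lint flags the form (risky-octal) because `755` or `0o755` would silently yield a different mode — write `mode: "0755"`. The script installed here is rendered straight from the host_vars port lists into iptables command lines, and because the rendered script exits 0 unconditionally, a stray non-numeric or out-of-range entry would leave the node without the rules while the play and the unit both report success; an `assert` that every entry of both lists is an integer in 1–65535, placed before the template task, would turn that into a play-time failure. The unit-file task sets no mode, which is acceptable for a systemd unit but inconsistent with the task above it.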
diff --git a/roles/kubernetes/standalone/base/templates/kube-standalone-local-services.service.j2 b/roles/kubernetes/standalone/base/templates/kube-standalone-local-services.service.j2
new file mode 100644
index 00000000..ccdbfcc9
--- /dev/null
+++ b/roles/kubernetes/standalone/base/templates/kube-standalone-local-services.service.j2
@@ -0,0 +1,12 @@
+[Unit]
+Description=Install iptables rules for local services avaialbe to standalone kubelet pods
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/sbin/kube-standalone-local-services.sh
+RemainAfterExit=true
+StandardOutput=journal
+
+[Install]
+WantedBy=multi-user.target
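Review bot: `After=network.target` does not order this unit after the interface it configures — kube-bridge is presumably created by the CNI bridge plugin when the first pod starts, so at boot ExecStart most likely runs before `/proc/sys/net/ipv4/conf/kube-bridge` exists and the `route_localnet` write in the script fails, while `RemainAfterExit=true` plus the script's `exit 0` leaves the unit showing active. Ordering after `kubelet.service` would not be enough either, since the bridge appears with the first pod; the script needs to wait for the interface (or be re-triggered when it appears), and the unit should document that expectation in a comment. The `Description` also has a typo: `avaialbe` → `available`.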
diff --git a/roles/kubernetes/standalone/base/templates/kube-standalone-local-services.sh.j2 b/roles/kubernetes/standalone/base/templates/kube-standalone-local-services.sh.j2
new file mode 100644
index 00000000..d29e6a34
--- /dev/null
+++ b/roles/kubernetes/standalone/base/templates/kube-standalone-local-services.sh.j2
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+iptables -t nat -N kube-local-services > /dev/null 2>&1
+iptables -t nat -F kube-local-services
+
+{% if kubernetes_standalone_local_services_tcp | length > 0 %}
+iptables -t nat -A kube-local-services -p tcp --match multiport --dports {{ kubernetes_standalone_local_services_tcp | join(',') }} -i kube-bridge -d {{ kubernetes_standalone_pod_cidr | ipaddr('1') | ipaddr('address') }} -j DNAT --to-destination 127.0.0.1
+{% endif %}
+{% if kubernetes_standalone_local_services_udp | length > 0 %}
+iptables -t nat -A kube-local-services -p udp --match multiport --dports {{ kubernetes_standalone_local_services_udp | join(',') }} -i kube-bridge -d {{ kubernetes_standalone_pod_cidr | ipaddr('1') | ipaddr('address') }} -j DNAT --to-destination 127.0.0.1
+{% endif %}
+
+iptables -t nat -C PREROUTING -j kube-local-services > /dev/null 2>&1
+if [ $? -ne 0 ]; then
+ iptables -t nat -I PREROUTING 1 -j kube-local-services
+fi
+echo 1 > /proc/sys/net/ipv4/conf/kube-bridge/route_localnet
+
+exit 0
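Review bot: Setting `route_localnet=1` on kube-bridge makes the host accept packets addressed to 127.0.0.0/8 that arrive from that interface, and nothing in the filter table limits this to the DNAT'd ports — so a pod able to craft packets (CAP_NET_RAW, or anything else on the bridge segment) can reach every loopback-bound service on the host, not only those listed in `kubernetes_standalone_local_services_*`; this is the same exposure reported against kube-proxy's use of route_localnet (CVE-2020-8558). The published mitigation is a filter rule dropping traffic to 127.0.0.0/8 from the bridge unless it belongs to a DNAT'd or established flow; a chain for that is sketched below. Separately, the unconditional `exit 0` masks every failure, including the sysctl write failing when `/proc/sys/net/ipv4/conf/kube-bridge` does not yet exist, so the unit reports success with no rules or sysctl in place — at minimum check that write and exit non-zero.
```shell
# … unchanged: nat chain setup and PREROUTING hook …
iptables -t filter -N kube-local-services > /dev/null 2>&1
iptables -t filter -F kube-local-services
iptables -t filter -A kube-local-services -i kube-bridge -d 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
iptables -t filter -C INPUT -j kube-local-services > /dev/null 2>&1 || iptables -t filter -I INPUT 1 -j kube-local-services
echo 1 > /proc/sys/net/ipv4/conf/kube-bridge/route_localnet || exit 1
```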
diff --git a/roles/postfix/simple/defaults/main.yml b/roles/postfix/simple/defaults/main.yml
index 009f1239..f849b61b 100644
--- a/roles/postfix/simple/defaults/main.yml
+++ b/roles/postfix/simple/defaults/main.yml
@@ -10,7 +10,7 @@ postfix_simple_mynetworks:
- "[::1]/128"
postfix_simple_inet_interfaces:
- - "all"
+ - "loopback-only"
postfix_simple_inet_protocols:
- "all"
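Review bot: Flipping the role default from `all` to `loopback-only` is a behaviour change for every host using `postfix/simple` that does not set `postfix_simple_inet_interfaces` itself — after the next run such a host stops accepting mail on its non-loopback addresses, and the two host_vars hunks in this commit are the only hosts shown to be accounted for. The tightening is the right default, but it should be stated in the defaults file so the next reader knows it is deliberate, e.g. `# loopback-only by default; hosts that must accept mail from the network override this explicitly`.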