diff options
Diffstat (limited to 'roles/kubernetes-net/templates')
-rw-r--r-- | roles/kubernetes-net/templates/ifupdown.sh.j2 | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/roles/kubernetes-net/templates/ifupdown.sh.j2 b/roles/kubernetes-net/templates/ifupdown.sh.j2 new file mode 100644 index 00000000..71ec38af --- /dev/null +++ b/roles/kubernetes-net/templates/ifupdown.sh.j2 @@ -0,0 +1,50 @@ +#!/bin/bash + +set -e + +CONF_D="/var/lib/kubenet/" + +INET_IF="{{ ansible_default_ipv4.interface }}" + +POD_NET_CIDR="{{ kubernetes.pod_ip_range }}" + +BR_IF="kube-br0" +BR_IP_CIDR="{{ kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, kubernetes.net_index[inventory_hostname]) | ipaddr(1) }}" +BR_NET_CIDR="{{ kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, kubernetes.net_index[inventory_hostname]) }}" + +TUN_IF="kube-wg0" +TUN_IP="{{ kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, 0) | ipaddr(kubernetes.net_index[inventory_hostname]) | ipaddr('address') }}" +TUN_IP_CIDR="{{ kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, 0) | ipaddr(kubernetes.net_index[inventory_hostname]) }}" + + +case "$1" in + up) + # bring up bridge for local pods + ip link add dev "$BR_IF" type bridge + ip addr add dev "$BR_IF" "$BR_IP_CIDR" + ip link set up dev "$BR_IF" + iptables -t nat -A POSTROUTING -s "$BR_NET_CIDR" -o "$INET_IF" -j MASQUERADE + + # bring up wireguard tunnel to other nodes + ip link add dev "$TUN_IF" type wireguard + ip addr add dev "$TUN_IF" "$TUN_IP_CIDR" + wg set "$TUN_IF" listen-port 51820 private-key "$CONF_D/$TUN_IF.privatekey" + ip link set up dev "$TUN_IF" + ip route add "$POD_NET_CIDR" dev "$TUN_IF" src "$TUN_IP" + ;; + down) + # bring down wireguard tunnel to other nodes + ip route del "$POD_NET_CIDR" dev "$TUN_IF" + ip link del dev "$TUN_IF" + + # bring down bridge for local pods + iptables -t nat -D POSTROUTING -s "$BR_NET_CIDR" -o "$INET_IF" -j MASQUERADE + ip link del dev "$BR_IF" + ;; + *) + echo "usage: $0 (up|down)" + exit 1 + ;; +esac + +exit 0 |