diff options
Diffstat (limited to 'roles/kubernetes/kubeadm/base/templates/net_kubeguard/ifupdown.sh.j2')
-rw-r--r-- | roles/kubernetes/kubeadm/base/templates/net_kubeguard/ifupdown.sh.j2 | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/roles/kubernetes/kubeadm/base/templates/net_kubeguard/ifupdown.sh.j2 b/roles/kubernetes/kubeadm/base/templates/net_kubeguard/ifupdown.sh.j2 new file mode 100644 index 00000000..d8153102 --- /dev/null +++ b/roles/kubernetes/kubeadm/base/templates/net_kubeguard/ifupdown.sh.j2 @@ -0,0 +1,55 @@ +#!/bin/bash + +set -e + +CONF_D="/var/lib/kubeguard/" + +INET_IF="{{ ansible_default_ipv4.interface }}" + +POD_NET_CIDR="{{ kubernetes.pod_ip_range }}" + +{% set br_net = kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, kubeguard.node_index[inventory_hostname]) -%} +BR_IF="kube-br0" +BR_IP="{{ br_net | ipaddr(1) | ipaddr('address') }}" +BR_IP_CIDR="{{ br_net | ipaddr(1) }}" +BR_NET_CIDR="{{ br_net }}" + +TUN_IF="kube-wg0" +TUN_IP_CIDR="{{ kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, 0) | ipaddr(kubeguard.node_index[inventory_hostname]) }}" + + +case "$1" in + up) + # bring up bridge for local pods + ip link add dev "$BR_IF" type bridge + ip addr add dev "$BR_IF" "$BR_IP_CIDR" + ip link set up dev "$BR_IF" + iptables -t nat -A POSTROUTING -s "$BR_NET_CIDR" -o "$INET_IF" -j MASQUERADE + modprobe br_netfilter + + # bring up wireguard tunnel to other nodes + ip link add dev "$TUN_IF" type wireguard + ip addr add dev "$TUN_IF" "$TUN_IP_CIDR" + wg set "$TUN_IF" listen-port {{ kubeguard_wireguard_port | default(51820) }} private-key "$CONF_D/$TUN_IF.privatekey" + ip link set up dev "$TUN_IF" + + # make pods and service IPs reachable + # !!! use IP of bridge as source so we don't produce martians if direct-zones are involved!!! + ip route add "$POD_NET_CIDR" dev "$TUN_IF" src "$BR_IP" + ;; + down) + # bring down wireguard tunnel to other nodes + ip route del "$POD_NET_CIDR" dev "$TUN_IF" + ip link del dev "$TUN_IF" + + # bring down bridge for local pods + iptables -t nat -D POSTROUTING -s "$BR_NET_CIDR" -o "$INET_IF" -j MASQUERADE + ip link del dev "$BR_IF" + ;; + *) + echo "usage: $0 (up|down)" + exit 1 + ;; +esac + +exit 0 |