From 6df5dbbbb25c54b57b6d2cfbb275eee6ee84364c Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Sun, 18 Oct 2020 23:41:09 +0200 Subject: kubernetes/standlone: portforwarding for local services --- inventory/host_vars/sk-cloudio/vars.yml | 10 +++++----- inventory/host_vars/sk-tomnext-nc.yml | 12 ++++++------ roles/kubernetes/base/tasks/cri_containerd.yml | 2 +- roles/kubernetes/base/tasks/cri_docker.yml | 2 +- roles/kubernetes/base/tasks/main.yml | 10 +++++----- roles/kubernetes/standalone/base/defaults/main.yml | 3 +++ roles/kubernetes/standalone/base/handlers/main.yml | 6 ++++++ roles/kubernetes/standalone/base/tasks/main.yml | 20 ++++++++++++++++++++ .../kube-standalone-local-services.service.j2 | 12 ++++++++++++ .../templates/kube-standalone-local-services.sh.j2 | 19 +++++++++++++++++++ roles/postfix/simple/defaults/main.yml | 2 +- 11 files changed, 79 insertions(+), 19 deletions(-) create mode 100644 roles/kubernetes/standalone/base/templates/kube-standalone-local-services.service.j2 create mode 100644 roles/kubernetes/standalone/base/templates/kube-standalone-local-services.sh.j2 diff --git a/inventory/host_vars/sk-cloudio/vars.yml b/inventory/host_vars/sk-cloudio/vars.yml index 00bcdfde..45fd8cbd 100644 --- a/inventory/host_vars/sk-cloudio/vars.yml +++ b/inventory/host_vars/sk-cloudio/vars.yml @@ -60,14 +60,14 @@ kubernetes_standalone_max_pods: 100 kubernetes_standalone_pod_cidr: 192.168.255.0/24 kubernetes_standalone_cni_variant: with-portmap -acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}" - +kubernetes_standalone_local_services_tcp: + - 25 postfix_simple_mynetworks: - "127.0.0.0/8" - "[::ffff:127.0.0.0]/104" - "[::1]/128" - "{{ kubernetes_standalone_pod_cidr }}" -postfix_simple_inet_interfaces: - - "127.0.0.1" - - "{{ kubernetes_standalone_pod_cidr | ipaddr('1') | ipaddr('address') }}" + + +acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}" 
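Review bot: The new `kubernetes_standalone_local_services_tcp: [25]` and the removal of `postfix_simple_inet_interfaces` only make sense read together with the unchanged `postfix_simple_mynetworks`, and nothing in this file says so: postfix on this host presumably falls back to the role default (`loopback-only` after this commit) and pods reach it only through the DNAT of port 25 on the pod-CIDR gateway address, and since that DNAT rewrites the destination but not the source, keeping `{{ kubernetes_standalone_pod_cidr }}` in `mynetworks` is what still lets every pod on the node relay through it unauthenticated. Worth a one-line comment on the new variable so the exposure decision is visible where it is made, e.g. `# 25: host postfix, reachable from pods via the pod-CIDR gateway address (see postfix_simple_mynetworks)`.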
diff --git a/inventory/host_vars/sk-tomnext-nc.yml b/inventory/host_vars/sk-tomnext-nc.yml index 3e63fb9d..d0b6097b 100644 --- a/inventory/host_vars/sk-tomnext-nc.yml +++ b/inventory/host_vars/sk-tomnext-nc.yml @@ -77,18 +77,18 @@ kubernetes_standalone_max_pods: 15 kubernetes_standalone_pod_cidr: 192.168.255.0/24 kubernetes_standalone_cni_variant: with-portmap - -acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}" -nginx_server_names_hash_bucket_size: 64 +kubernetes_standalone_local_services_tcp: + - 25 postfix_simple_mynetworks: - "127.0.0.0/8" - "[::ffff:127.0.0.0]/104" - "[::1]/128" - "{{ kubernetes_standalone_pod_cidr }}" -postfix_simple_inet_interfaces: - - "127.0.0.1" - - "{{ kubernetes_standalone_pod_cidr | ipaddr('1') | ipaddr('address') }}" + + +acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}" +nginx_server_names_hash_bucket_size: 64 nextcloud_zfs: diff --git a/roles/kubernetes/base/tasks/cri_containerd.yml b/roles/kubernetes/base/tasks/cri_containerd.yml index 549ccae0..66398ef2 100644 --- a/roles/kubernetes/base/tasks/cri_containerd.yml +++ b/roles/kubernetes/base/tasks/cri_containerd.yml @@ -3,7 +3,7 @@ assert: msg: "The variable kubernetes_cri_socket is not configured correctly. You might need to move your host to the group kubernetes-cluster or standalone-kubelet!" that: - - kubernetes_cri_socket == "unix:///run/containerd/containerd.sock" + - kubernetes_cri_socket == "unix:///run/containerd/containerd.sock" - name: install containerd include_role: diff --git a/roles/kubernetes/base/tasks/cri_docker.yml b/roles/kubernetes/base/tasks/cri_docker.yml index 0c400e2c..b5024163 100644 --- a/roles/kubernetes/base/tasks/cri_docker.yml +++ b/roles/kubernetes/base/tasks/cri_docker.yml 
@@ -3,7 +3,7 @@ assert: msg: "The variable kubernetes_cri_socket is not configured correctly. You might need to move your host to the group kubernetes-cluster or standalone-kubelet!" that: - - not kubernetes_cri_socket + - not kubernetes_cri_socket - name: create systemd snippet directory file: diff --git a/roles/kubernetes/base/tasks/main.yml b/roles/kubernetes/base/tasks/main.yml index da5f7408..549bfac7 100644 --- a/roles/kubernetes/base/tasks/main.yml +++ b/roles/kubernetes/base/tasks/main.yml @@ -17,9 +17,9 @@ - name: install kubelet and common packages apt: name: - - bridge-utils - - cri-tools - - "kubelet={{ kubernetes_version }}-00" + - bridge-utils + - cri-tools + - "kubelet={{ kubernetes_version }}-00" state: present force: yes @@ -30,8 +30,8 @@ - name: add crictl config for shells loop: - - zsh - - bash + - zsh + - bash blockinfile: path: "/root/.{{ item }}rc" create: yes diff --git a/roles/kubernetes/standalone/base/defaults/main.yml b/roles/kubernetes/standalone/base/defaults/main.yml index b0c14b11..3f6b52bb 100644 --- a/roles/kubernetes/standalone/base/defaults/main.yml +++ b/roles/kubernetes/standalone/base/defaults/main.yml @@ -12,3 +12,6 @@ kubernetes_standalone_pod_cidr: 192.168.255.0/24 kubernetes_standalone_resolv_conf: /etc/resolv.conf kubernetes_standalone_cni_variant: with-portmap + +kubernetes_standalone_local_services_tcp: [] +kubernetes_standalone_local_services_udp: [] diff --git a/roles/kubernetes/standalone/base/handlers/main.yml b/roles/kubernetes/standalone/base/handlers/main.yml index 26438551..8f5d5232 100644 --- a/roles/kubernetes/standalone/base/handlers/main.yml +++ b/roles/kubernetes/standalone/base/handlers/main.yml @@ -4,3 +4,9 @@ name: kubelet.service state: restarted daemon_reload: yes + +- name: restart local-services + systemd: + name: kube-standalone-local-services.service + state: restarted + daemon_reload: yes 
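Review bot: The two new lists `kubernetes_standalone_local_services_tcp` / `_udp` in `standalone/base/defaults/main.yml` are undocumented, and what they do is not obvious from their names: a port listed here is DNAT'd from the pod-CIDR gateway address to the host's loopback for every pod on the node, so it is an exposure decision rather than plain tuning. A comment above them would make that explicit at the place operators edit, e.g. `# TCP/UDP ports on the host loopback that all pods may reach via the pod-CIDR gateway address (DNAT to 127.0.0.1; the pod's source address is preserved)`.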
diff --git a/roles/kubernetes/standalone/base/tasks/main.yml b/roles/kubernetes/standalone/base/tasks/main.yml index 241c3136..d7f47ff4 100644 --- a/roles/kubernetes/standalone/base/tasks/main.yml +++ b/roles/kubernetes/standalone/base/tasks/main.yml @@ -32,3 +32,23 @@ template: src: "cni-{{ kubernetes_standalone_cni_variant }}.conflist.j2" dest: /etc/cni/net.d/kube-standalone.conflist + +- name: install local-services iptables script + template: + src: kube-standalone-local-services.sh.j2 + dest: /usr/local/sbin/kube-standalone-local-services.sh + mode: 0755 + notify: restart local-services + +- name: install local-services systemd unit + template: + src: kube-standalone-local-services.service.j2 + dest: /etc/systemd/system/kube-standalone-local-services.service + notify: restart local-services + +- name: make sure local-services is enabled and started + systemd: + daemon_reload: yes + name: kube-standalone-local-services.service + state: started + enabled: yes diff --git a/roles/kubernetes/standalone/base/templates/kube-standalone-local-services.service.j2 b/roles/kubernetes/standalone/base/templates/kube-standalone-local-services.service.j2 new file mode 100644 index 00000000..ccdbfcc9 --- /dev/null +++ b/roles/kubernetes/standalone/base/templates/kube-standalone-local-services.service.j2 @@ -0,0 +1,12 @@ +[Unit] +Description=Install iptables rules for local services avaialbe to standalone kubelet pods +After=network.target + +[Service] +Type=oneshot +ExecStart=/usr/local/sbin/kube-standalone-local-services.sh +RemainAfterExit=true +StandardOutput=journal + +[Install] +WantedBy=multi-user.target diff --git a/roles/kubernetes/standalone/base/templates/kube-standalone-local-services.sh.j2 b/roles/kubernetes/standalone/base/templates/kube-standalone-local-services.sh.j2 new file mode 100644 index 00000000..d29e6a34 --- /dev/null +++ b/roles/kubernetes/standalone/base/templates/kube-standalone-local-services.sh.j2 
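Review bot: `mode: 0755` in the "install local-services iptables script" task is an unquoted octal literal that YAML 1.1 loaders read as the integer 493; Ansible's file modules cope with the leading-zero form, but the documented safe spelling is the string `mode: "0755"`, which cannot be mis-parsed if someone later drops the zero. The "install local-services systemd unit" task sets no mode at all and so depends on the target's default umask; `mode: "0644"` makes the intent explicit.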
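Review bot: `After=network.target` is the unit's only ordering, but the script it runs writes `/proc/sys/net/ipv4/conf/kube-bridge/route_localnet`, which exists only once the kube-bridge interface does; if the CNI plugin creates the bridge with the first pod, this oneshot runs too early at boot, the write fails, and because the script always exits 0 the unit still shows active with route_localnet unset and the DNAT to 127.0.0.1 not working. Consider ordering the unit after kubelet.service, or putting `net.ipv4.conf.kube-bridge.route_localnet = 1` in a sysctl.d file, which systemd's udev rule applies when the interface appears (verify on this distribution), and fix `avaialbe` in `Description=` (should be `available`).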
@@ -0,0 +1,19 @@ +#!/bin/bash + +iptables -t nat -N kube-local-services > /dev/null 2>&1 +iptables -t nat -F kube-local-services + +{% if kubernetes_standalone_local_services_tcp | length > 0 %} +iptables -t nat -A kube-local-services -p tcp --match multiport --dports {{ kubernetes_standalone_local_services_tcp | join(',') }} -i kube-bridge -d {{ kubernetes_standalone_pod_cidr | ipaddr('1') | ipaddr('address') }} -j DNAT --to-destination 127.0.0.1 +{% endif %} +{% if kubernetes_standalone_local_services_udp | length > 0 %} +iptables -t nat -A kube-local-services -p udp --match multiport --dports {{ kubernetes_standalone_local_services_udp | join(',') }} -i kube-bridge -d {{ kubernetes_standalone_pod_cidr | ipaddr('1') | ipaddr('address') }} -j DNAT --to-destination 127.0.0.1 +{% endif %} + +iptables -t nat -C PREROUTING -j kube-local-services > /dev/null 2>&1 +if [ $? -ne 0 ]; then + iptables -t nat -I PREROUTING 1 -j kube-local-services +fi +echo 1 > /proc/sys/net/ipv4/conf/kube-bridge/route_localnet + +exit 0 diff --git a/roles/postfix/simple/defaults/main.yml b/roles/postfix/simple/defaults/main.yml index 009f1239..f849b61b 100644 --- a/roles/postfix/simple/defaults/main.yml +++ b/roles/postfix/simple/defaults/main.yml @@ -10,7 +10,7 @@ postfix_simple_mynetworks: - "[::1]/128" postfix_simple_inet_interfaces: - - "all" + - "loopback-only" postfix_simple_inet_protocols: - "all" -- cgit v1.2.3
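Review bot: Enabling `route_localnet` on kube-bridge in the last step exposes every 127.0.0.0/8-bound host service to pods, not only the DNAT'd ports: a pod that can emit a packet addressed to 127.0.0.1 through the bridge (raw sockets, or a route for 127.0.0.0/8 via the gateway) is now delivered to loopback, the same exposure kube-proxy fixed for CVE-2020-8558, and the `-d {{ gateway }}` DNAT rule does not restrict that path. The script also masks failures: it ends in an unconditional `exit 0`, so a failed `iptables` call, or the `echo` to `/proc/sys/net/ipv4/conf/kube-bridge/route_localnet` failing because the bridge does not exist yet (likely at boot if the CNI plugin creates it with the first pod), still leaves the unit active with nothing applied. A filter-table guard that drops 127.0.0.0/8 traffic arriving on kube-bridge unless the connection went through the DNAT, plus a visible failure for the sysctl write, would close both:
```shell
#!/bin/bash
# … unchanged: nat chain creation, TCP/UDP DNAT rules, PREROUTING jump …

# With route_localnet=1 the host would also accept packets a pod addresses
# directly to 127.0.0.0/8 via the bridge; only connections that went through
# the DNAT above may reach loopback-bound services.
iptables -N kube-local-services-in > /dev/null 2>&1
iptables -F kube-local-services-in
iptables -A kube-local-services-in -i kube-bridge -d 127.0.0.0/8 -m conntrack ! --ctstate DNAT -j DROP
if ! iptables -C INPUT -j kube-local-services-in > /dev/null 2>&1; then
  iptables -I INPUT 1 -j kube-local-services-in
fi

# Fail visibly if the bridge does not exist yet instead of reporting success.
if ! echo 1 > /proc/sys/net/ipv4/conf/kube-bridge/route_localnet; then
  echo "kube-bridge does not exist yet, route_localnet not enabled" >&2
  exit 1
fi

exit 0
```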
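Review bot: Changing the role default of `postfix_simple_inet_interfaces` from `all` to `loopback-only` affects every host that includes `postfix/simple` without overriding the variable, not only the two hosts touched in this commit; any of them that presumably relied on the old default to accept SMTP on its external interfaces stops doing so on the next run. The tighter default is the right direction, but it is a behaviour change the commit message does not mention, so add a comment above the variable such as `# loopback only by default; hosts that must accept SMTP from the network override this` and call it out in the commit description.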