path: root/roles/kubernetes/kubeadm/base/templates/net_kubeguard/ifupdown.sh.j2
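#!/bin/bash
#
# kubeguard ifupdown hook: brings up (or tears down) this node's pod bridge and
# the WireGuard tunnel that carries pod traffic to the other nodes.
#
# Usage: ifupdown.sh (up|down)
#
# This file is an Ansible template: every {{ ... }} / {% ... %} below is
# substituted when the role is rendered, so the installed script carries the
# node-specific addresses as plain constants.

set -euo pipefail

# Directory holding the tunnel's private key file, passed to `wg set` by path.
CONF_D="/var/lib/kubeguard/"

# Upstream interface; pod traffic leaving the cluster is masqueraded behind it.
INET_IF="{{ ansible_default_ipv4.interface }}"

# Whole cluster pod range; routed over the tunnel in `up`.
POD_NET_CIDR="{{ kubernetes.pod_ip_range }}"

{% set br_net = kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, kubeguard.node_index[inventory_hostname]) -%}
# This node's slice of the pod range sits behind a local bridge, which takes
# the first host address (index 1) of that slice.
BR_IF="kubeguard-br0"
BR_IP="{{ br_net | ansible.utils.ipaddr(1) | ansible.utils.ipaddr('address')  }}"
BR_IP_CIDR="{{ br_net | ansible.utils.ipaddr(1) }}"
BR_NET_CIDR="{{ br_net }}"

# Node-to-node tunnel; its address is this node's index within subnet 0 of the
# pod range, so every node gets a distinct tunnel IP.
TUN_IF="kubeguard-wg0"
TUN_IP_CIDR="{{ kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, 0) | ansible.utils.ipaddr(kubeguard.node_index[inventory_hostname]) }}"

#######################################
# Create the pod bridge and the WireGuard tunnel, then route the pod range
# over the tunnel. Aborts on the first failing command (set -e); whatever was
# created up to that point is left for `down` to clean up.
# Globals:   BR_IF, BR_IP, BR_IP_CIDR, BR_NET_CIDR, INET_IF, TUN_IF,
#            TUN_IP_CIDR, CONF_D, POD_NET_CIDR (all read)
# Returns:   0 on success; the script exits non-zero on the first failure
#######################################
net_up() {
  # bring up bridge for local pods
  ip link add dev "$BR_IF" type bridge
  ip addr add dev "$BR_IF" "$BR_IP_CIDR"
  ip link set up dev "$BR_IF"
  iptables -t nat -A POSTROUTING -s "$BR_NET_CIDR" -o "$INET_IF" -j MASQUERADE
  # NOTE(review): presumably loaded so bridged pod traffic is seen by the
  # iptables rule above — confirm against the kubeguard design.
  modprobe br_netfilter

  # bring up wireguard tunnel to other nodes
  ip link add dev "$TUN_IF" type wireguard
  ip addr add dev "$TUN_IF" "$TUN_IP_CIDR"
  # wg reads the key from the file, so the key material itself never appears
  # on the command line; keys are set before the link comes up.
  wg set "$TUN_IF" listen-port {{ kubeguard_wireguard_port | default(51820) }} private-key "${CONF_D}/${TUN_IF}.privatekey"
  ip link set up dev "$TUN_IF"

  # make pods and service IPs reachable
  # !!! use IP of bridge as source so we don't produce martians if direct-zones are involved!!!
  ip route add "$POD_NET_CIDR" dev "$TUN_IF" src "$BR_IP"
}

#######################################
# Tear everything down in reverse order. Unlike `up`, every step runs even if
# an earlier one fails (e.g. after a partial `up`), so no tunnel, bridge or
# MASQUERADE rule is silently left behind; each failing tool reports to
# stderr on its own.
# Globals:   BR_IF, BR_NET_CIDR, INET_IF, TUN_IF, POD_NET_CIDR (all read)
# Returns:   0 if every step succeeded, 1 if any step failed
#######################################
net_down() {
  local rc=0

  # bring down wireguard tunnel to other nodes
  ip route del "$POD_NET_CIDR" dev "$TUN_IF" || rc=1
  ip link del dev "$TUN_IF" || rc=1

  # bring down bridge for local pods
  iptables -t nat -D POSTROUTING -s "$BR_NET_CIDR" -o "$INET_IF" -j MASQUERADE || rc=1
  ip link del dev "$BR_IF" || rc=1

  return "$rc"
}

#######################################
# Dispatch on the single action argument.
# Arguments: $1 - "up" or "down"; anything else (including no argument)
#            prints usage to stderr and exits 1
#######################################
main() {
  # "${1-}" so a missing argument reaches the usage branch instead of
  # tripping `set -u`.
  case "${1-}" in
    up)
      net_up
      ;;
    down)
      net_down
      ;;
    *)
      printf 'usage: %s (up|down)\n' "$0" >&2
      exit 1
      ;;
  esac
}

main "$@"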