path: root/roles/kubernetes/net/templates/ifupdown.sh.j2
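#!/bin/bash
#
# Bring this node's kubenet networking up or down:
#   - a local bridge ($BR_IF) that pods attach to, NATed towards the uplink
#   - a WireGuard tunnel ($TUN_IF) to the other nodes
#   - a route that sends the whole pod range over the tunnel
#
# Usage: ifupdown.sh (up|down)
#
# This file is rendered from an Ansible template: every {{ ... }} expression
# is substituted at deploy time, so the values below are fixed per host.

set -euo pipefail

# Directory holding per-interface secrets (the WireGuard private key).
# No trailing slash: it is joined with "/" when building paths below.
CONF_D="/var/lib/kubenet"

INET_IF="{{ ansible_default_ipv4.interface }}"

POD_NET_CIDR="{{ kubernetes.pod_ip_range }}"

{% set br_net = kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, kubernetes.net_index[inventory_hostname]) -%}
BR_IF="kube-br0"
BR_IP="{{ br_net | ipaddr(1) | ipaddr('address')  }}"
BR_IP_CIDR="{{ br_net | ipaddr(1) }}"
BR_NET_CIDR="{{ br_net }}"

TUN_IF="kube-wg0"
TUN_IP_CIDR="{{ kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, 0) | ipaddr(kubernetes.net_index[inventory_hostname]) }}"

# The private key is handed to wg as a file path, never as an argument value,
# so it does not show up in `ps` output or in `set -x` traces.
TUN_KEY_FILE="$CONF_D/$TUN_IF.privatekey"

#######################################
# Print usage to stderr and exit non-zero.
#######################################
usage() {
  printf 'usage: %s (up|down)\n' "$0" >&2
  exit 1
}

#######################################
# Create bridge, NAT rule, WireGuard tunnel and pod route.
# Globals:   BR_IF, BR_IP, BR_IP_CIDR, BR_NET_CIDR, INET_IF, TUN_IF,
#            TUN_IP_CIDR, TUN_KEY_FILE, POD_NET_CIDR (all read)
# Returns:   0 on success; aborts via set -e on the first failing step
#######################################
net_up() {
  # Check the key up front: failing here leaves nothing behind, whereas a
  # failure at `wg set` would abort with the bridge and NAT rule already up.
  if [[ ! -r "$TUN_KEY_FILE" ]]; then
    printf '%s: cannot read private key %s\n' "$0" "$TUN_KEY_FILE" >&2
    exit 1
  fi

  # bring up bridge for local pods
  ip link add dev "$BR_IF" type bridge
  ip addr add dev "$BR_IF" "$BR_IP_CIDR"
  ip link set up dev "$BR_IF"
  iptables -t nat -A POSTROUTING -s "$BR_NET_CIDR" -o "$INET_IF" -j MASQUERADE
  # Needed so that traffic forwarded across the bridge is seen by iptables
  # (and therefore by the NAT rule above). NOTE(review): whether the
  # bridge-nf-call-* sysctls are set elsewhere is not visible here — confirm.
  modprobe br_netfilter

  # bring up wireguard tunnel to other nodes
  ip link add dev "$TUN_IF" type wireguard
  ip addr add dev "$TUN_IF" "$TUN_IP_CIDR"
  wg set "$TUN_IF" listen-port "{{ kubenet_wireguard_port }}" private-key "$TUN_KEY_FILE"
  ip link set up dev "$TUN_IF"

  # make pods and service IPs reachable
  # !!! use IP of bridge as source so we don't produce martians if direct-zones are involved!!!
  ip route add "$POD_NET_CIDR" dev "$TUN_IF" src "$BR_IP"
}

#######################################
# Remove pod route, WireGuard tunnel, NAT rule and bridge.
# Teardown is best-effort: one step that already failed (for example the
# link being gone) must not leave the remaining resources in place, so every
# step runs and the first failure is reported via the return status.
# Globals:   BR_IF, BR_NET_CIDR, INET_IF, TUN_IF, POD_NET_CIDR (all read)
# Returns:   0 if every step succeeded, 1 otherwise
#######################################
net_down() {
  local rv=0

  # bring down wireguard tunnel to other nodes
  ip route del "$POD_NET_CIDR" dev "$TUN_IF" || rv=1
  ip link del dev "$TUN_IF" || rv=1

  # bring down bridge for local pods
  iptables -t nat -D POSTROUTING -s "$BR_NET_CIDR" -o "$INET_IF" -j MASQUERADE || rv=1
  ip link del dev "$BR_IF" || rv=1

  return "$rv"
}

# "${1:-}" so that a missing argument reaches usage() instead of tripping
# set -u with an "unbound variable" error.
case "${1:-}" in
  up)
    net_up
    ;;
  down)
    net_down
    ;;
  *)
    usage
    ;;
esac

exit 0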