install: Auto-enable BPF masquerade

By default, the BPF-based masquerading is disabled. Enable the feature if the KPR=strict and a user haven't specified the helm's "bpf.masquerade" option. Signed-off-by: Martynas Pumputis <[email protected]>
cilium · Jan 12, 2023 · 31453a5 · 31453a5
1 parent b7a66a5
commit 31453a5
Showing 1 changed file with 23 additions and 0 deletions.
diff --git a/install/autodetect.go b/install/autodetect.go
@@ -170,6 +170,7 @@ func (k *K8sInstaller) autodetectAndValidate(ctx context.Context) error {
 	}
 
 	k.autodetectKubeProxy(ctx)
+	k.autoEnableBPFMasq()
 	return nil
 }
 
@@ -236,5 +237,27 @@ func (k *K8sInstaller) autodetectKubeProxy(ctx context.Context) error {
 			fmt.Sprintf("k8sServiceHost=%s", apiServerHost),
 			fmt.Sprintf("k8sServicePort=%s", apiServerPort))
 	}
+
 	return nil
 }
+
+func (k *K8sInstaller) autoEnableBPFMasq() {
+	// Auto-enable BPF masquerading if KPR=strict
+	foundKPRStrict := k.params.KubeProxyReplacement == "strict"
+	foundMasq := false
+	for _, param := range k.params.HelmOpts.Values {
+		if !foundKPRStrict && param == "kubeProxyReplacement=strict" {
+			foundKPRStrict = true
+			continue
+		}
+		if strings.HasPrefix(param, "bpf.masquerade") {
+			foundMasq = true
+			break
+		}
+	}
+
+	if foundKPRStrict && !foundMasq {
+		k.params.HelmOpts.Values = append(k.params.HelmOpts.Values,
+			"bpf.masquerade=true")
+	}
+}