From 2253f64b2a3925b023d63e497cec9c6c213c4fb8 Mon Sep 17 00:00:00 2001
From: Roberto Bonafiglia
Date: Wed, 12 Jan 2022 17:09:38 +0100
Subject: [PATCH 1/3] Added iptables masquerade rules for ipv6 on flannel

Signed-off-by: Roberto Bonafiglia
---
 pkg/agent/flannel/flannel.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pkg/agent/flannel/flannel.go b/pkg/agent/flannel/flannel.go
index ff586fe07da7..d7a86f882f87 100644
--- a/pkg/agent/flannel/flannel.go
+++ b/pkg/agent/flannel/flannel.go
@@ -71,6 +71,11 @@ func flannel(ctx context.Context, flannelIface *net.Interface, flannelConf, kube
 go network.SetupAndEnsureIPTables(network.MasqRules(config.Network, bn.Lease()), 60)
 go network.SetupAndEnsureIPTables(network.ForwardRules(config.Network.String()), 50)

+ if config.IPv6Network.String() != emptyIPv6Network {
+ go network.SetupAndEnsureIP6Tables(network.MasqIP6Rules(config.IPv6Network, bn.Lease()), 60)
+ go network.SetupAndEnsureIP6Tables(network.ForwardRules(config.IPv6Network.String()), 50)
+ }
+
 if err := WriteSubnetFile(subnetFile, config.Network, config.IPv6Network, true, bn); err != nil {
 // Continue, even though it failed.
 logrus.Warningf("Failed to write flannel subnet file: %s", err)
From 111c1669fcb24c6df6198929a85f8536c3c3d671 Mon Sep 17 00:00:00 2001
From: Roberto Bonafiglia
Date: Fri, 14 Jan 2022 16:54:55 +0100
Subject: [PATCH 2/3] Added flannel-ipv6-masq flag to enable IPv6 nat

Signed-off-by: Roberto Bonafiglia
---
 pkg/agent/config/config.go | 1 +
 pkg/agent/flannel/flannel.go | 4 ++--
 pkg/agent/flannel/setup.go | 2 +-
 pkg/cli/cmds/server.go | 6 ++++++
 pkg/cli/server/server.go | 1 +
 pkg/daemons/config/types.go | 2 ++
 6 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/pkg/agent/config/config.go b/pkg/agent/config/config.go
index e8a80bd74f81..69ec633adaef 100644
--- a/pkg/agent/config/config.go
+++ b/pkg/agent/config/config.go
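Review bot: In the [PATCH 1/3] hunk of pkg/agent/flannel/flannel.go, the two added `go network.SetupAndEnsureIP6Tables(...)` calls are fire-and-forget: they are not passed `ctx` and return nothing to `flannel`, so on a host where ip6tables or its nat table is unavailable the agent would, as far as this hunk shows, carry on with no IPv6 rules in place. How `SetupAndEnsureIP6Tables` reports failure is not visible here, so it is worth confirming and recording at the call site, e.g. `// ip6tables rules are reconciled in the background; a failure here does not stop flannel (confirm it is logged)`. The literals `60` and `50` mirror the IPv4 calls above and would read better as named constants shared by both address families. The body of `flannel` starts and ends outside the hunk.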
@@ -411,6 +411,7 @@ func get(ctx context.Context, envInfo *cmds.Agent, proxy proxy.Proxy) (*config.N
 SELinux: envInfo.EnableSELinux,
 ContainerRuntimeEndpoint: envInfo.ContainerRuntimeEndpoint,
 FlannelBackend: controlConfig.FlannelBackend,
+ FlannelIPv6Masq: controlConfig.FlannelIPv6Masq,
 ServerHTTPSPort: controlConfig.HTTPSPort,
 Token: info.String(),
 }
diff --git a/pkg/agent/flannel/flannel.go b/pkg/agent/flannel/flannel.go
index d7a86f882f87..b1435d64ed09 100644
--- a/pkg/agent/flannel/flannel.go
+++ b/pkg/agent/flannel/flannel.go
@@ -39,7 +39,7 @@ const (
 subnetFile = "/run/flannel/subnet.env"
 )

-func flannel(ctx context.Context, flannelIface *net.Interface, flannelConf, kubeConfigFile string, netMode int) error {
+func flannel(ctx context.Context, flannelIface *net.Interface, flannelConf, kubeConfigFile string, flannelIPv6Masq bool, netMode int) error {
 extIface, err := LookupExtInterface(flannelIface, netMode)
 if err != nil {
 return err
@@ -71,7 +71,7 @@ func flannel(ctx context.Context, flannelIface *net.Interface, flannelConf, kube
 go network.SetupAndEnsureIPTables(network.MasqRules(config.Network, bn.Lease()), 60)
 go network.SetupAndEnsureIPTables(network.ForwardRules(config.Network.String()), 50)

- if config.IPv6Network.String() != emptyIPv6Network {
+ if flannelIPv6Masq && config.IPv6Network.String() != emptyIPv6Network {
 go network.SetupAndEnsureIP6Tables(network.MasqIP6Rules(config.IPv6Network, bn.Lease()), 60)
 go network.SetupAndEnsureIP6Tables(network.ForwardRules(config.IPv6Network.String()), 50)
 }
diff --git a/pkg/agent/flannel/setup.go b/pkg/agent/flannel/setup.go
index 2800faf9d8f3..02228406b9c2 100644
--- a/pkg/agent/flannel/setup.go
+++ b/pkg/agent/flannel/setup.go
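Review bot: In the [PATCH 2/3] `@@ -71,7 +71,7 @@` hunk of pkg/agent/flannel/flannel.go, the new `flannelIPv6Masq &&` condition gates both the `MasqIP6Rules` call and the IPv6 `ForwardRules` call, whereas the IPv4 lines just above install their forward rules unconditionally. With the flag unset, a dual-stack node therefore gets no flannel-managed IPv6 FORWARD rules at all, which may leave pod IPv6 traffic dropped on hosts whose FORWARD policy is not ACCEPT (the host policy is not visible here). If only NAT is meant to be optional, keep the outer test as `if config.IPv6Network.String() != emptyIPv6Network {` and wrap just the `MasqIP6Rules` line in `if flannelIPv6Masq { ... }`. The `@@ -39,7 +39,7 @@` hunk adds `flannelIPv6Masq bool` as a positional parameter between a `string` and an `int`, which is worth a short doc comment on `flannel`; the function body continues outside both hunks.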
@@ -99,7 +99,7 @@ func Run(ctx context.Context, nodeConfig *config.Node, nodes typedcorev1.NodeInt
 return errors.Wrap(err, "failed to check netMode for flannel")
 }
 go func() {
- err := flannel(ctx, nodeConfig.FlannelIface, nodeConfig.FlannelConfFile, nodeConfig.AgentConfig.KubeConfigKubelet, netMode)
+ err := flannel(ctx, nodeConfig.FlannelIface, nodeConfig.FlannelConfFile, nodeConfig.AgentConfig.KubeConfigKubelet, nodeConfig.FlannelIPv6Masq, netMode)
 if err != nil && !errors.Is(err, context.Canceled) {
 logrus.Fatalf("flannel exited: %v", err)
 }
diff --git a/pkg/cli/cmds/server.go b/pkg/cli/cmds/server.go
index 237cc2a3b36a..dcdf1adac2eb 100644
--- a/pkg/cli/cmds/server.go
+++ b/pkg/cli/cmds/server.go
@@ -62,6 +62,7 @@ type Server struct {
 DisableScheduler bool
 ServerURL string
 FlannelBackend string
+ FlannelIPv6Masq bool
 DefaultLocalStoragePath string
 DisableCCM bool
 DisableNPC bool
@@ -204,6 +205,11 @@ var ServerFlags = []cli.Flag{
 Destination: &ServerConfig.FlannelBackend,
 Value: "vxlan",
 },
+ cli.BoolFlag{
+ Name: "flannel-ipv6-masq",
+ Usage: "(networking) Enable IPv6 masquerading for pod",
+ Destination: &ServerConfig.FlannelIPv6Masq,
+ },
 ServerToken,
 cli.StringFlag{
 Name: "token-file",
diff --git a/pkg/cli/server/server.go b/pkg/cli/server/server.go
index feb0ca29d82b..2e1f5bf8864d 100644
--- a/pkg/cli/server/server.go
+++ b/pkg/cli/server/server.go
@@ -127,6 +127,7 @@ func run(app *cli.Context, cfg *cmds.Server, leaderControllers server.CustomCont
 serverConfig.ControlConfig.AdvertiseIP = cfg.AdvertiseIP
 serverConfig.ControlConfig.AdvertisePort = cfg.AdvertisePort
 serverConfig.ControlConfig.FlannelBackend = cfg.FlannelBackend
+ serverConfig.ControlConfig.FlannelIPv6Masq = cfg.FlannelIPv6Masq
 serverConfig.ControlConfig.ExtraCloudControllerArgs = cfg.ExtraCloudControllerArgs
 serverConfig.ControlConfig.DisableCCM = cfg.DisableCCM
 serverConfig.ControlConfig.DisableNPC = cfg.DisableNPC
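Review bot: The `Usage` string of the new `flannel-ipv6-masq` flag, in the `@@ -204,6 +205,11 @@` hunk of pkg/cli/cmds/server.go, does not tell an operator what enabling it changes. Per the flannel.go hunk of this same patch it turns on both the IPv6 masquerade rules and the IPv6 forward rules, and masquerading rewrites pod IPv6 source addresses before traffic leaves the node, which matters for upstream firewall rules and for attributing connections in logs. Suggested wording: `Usage: "(networking) Enable IPv6 masquerading (NAT) for pod egress traffic; disabled by default",`. The flag is declared in `ServerFlags` and reaches agents through `controlConfig.FlannelIPv6Masq`, so a one-line comment on the `FlannelIPv6Masq` field noting that the server value applies cluster-wide would also help.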
diff --git a/pkg/daemons/config/types.go b/pkg/daemons/config/types.go
index 6f6014fd552b..a7db73c51be7 100644
--- a/pkg/daemons/config/types.go
+++ b/pkg/daemons/config/types.go
@@ -34,6 +34,7 @@ type Node struct {
 FlannelConfFile string
 FlannelConfOverride bool
 FlannelIface *net.Interface
+ FlannelIPv6Masq bool
 Containerd Containerd
 Images string
 AgentConfig Agent
@@ -116,6 +117,7 @@ type CriticalControlArgs struct {
 DisableNPC bool
 DisableServiceLB bool
 FlannelBackend string
+ FlannelIPv6Masq bool
 NoCoreDNS bool
 ServiceIPRange *net.IPNet
 ServiceIPRanges []*net.IPNet
From 8eded2749a8d1bdd1d6068bb1e928925f3bb60da Mon Sep 17 00:00:00 2001
From: Roberto Bonafiglia
Date: Mon, 17 Jan 2022 10:20:12 +0100
Subject: [PATCH 3/3] Added debug log for IPv6 Masquerading rule

Signed-off-by: Roberto Bonafiglia
---
 pkg/agent/flannel/flannel.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pkg/agent/flannel/flannel.go b/pkg/agent/flannel/flannel.go
index b1435d64ed09..7c19804a5f1b 100644
--- a/pkg/agent/flannel/flannel.go
+++ b/pkg/agent/flannel/flannel.go
@@ -72,6 +72,7 @@ func flannel(ctx context.Context, flannelIface *net.Interface, flannelConf, kube
 go network.SetupAndEnsureIPTables(network.ForwardRules(config.Network.String()), 50)

 if flannelIPv6Masq && config.IPv6Network.String() != emptyIPv6Network {
+ logrus.Debugf("Creating IPv6 masquerading iptables rules for %s network", config.IPv6Network.String())
 go network.SetupAndEnsureIP6Tables(network.MasqIP6Rules(config.IPv6Network, bn.Lease()), 60)
 go network.SetupAndEnsureIP6Tables(network.ForwardRules(config.IPv6Network.String()), 50)
 }
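Review bot: In the [PATCH 3/3] hunk, the only record that NAT rules are being installed is a `logrus.Debugf`, and nothing is logged when `flannelIPv6Masq` is set but `config.IPv6Network` is empty, so the flag is silently ignored on a node without an IPv6 pod network. Because the rules change how pod traffic appears outside the node, an Info-level message is easier to audit: `logrus.Infof("Creating IPv6 masquerading iptables rules for %s network", config.IPv6Network.String())`, with `} else if flannelIPv6Masq { logrus.Warn("flannel-ipv6-masq is set but no IPv6 cluster network is configured") }` covering the ignored case. The message says "iptables" while the calls below it are `SetupAndEnsureIP6Tables`, so "ip6tables" would be more precise. The enclosing `flannel` function starts and ends outside the hunk.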