Support cilium ip-masq-agent configuration (#8893)

* fix deploy Cilium with eBPF-based Masquerading failed Signed-off-by: mahjonp <junpeng.man@gmail.com> * forget to add the enable-ip-masq-agent flag Signed-off-by: mahjonp <junpeng.man@gmail.com>
2 years ago · c927da00e0
3 changed files with 56 additions and 0 deletions
--- a/roles/network_plugin/cilium/defaults/main.yml
+++ b/roles/network_plugin/cilium/defaults/main.yml
@ -99,6 +99,29 @@ cilium_ipsec_node_encryption: "false"
 # This option is only effective when `cilium_encryption_type` is set to `wireguard`.
 cilium_wireguard_userspace_fallback: "false"

+# IP Masquerade Agent
+# https://docs.cilium.io/en/stable/concepts/networking/masquerading/
+# By default, all packets from a pod destined to an IP address outside of the cilium_native_routing_cidr range are masqueraded
+cilium_ip_masq_agent_enable: false
+### A packet sent from a pod to a destination which belongs to any CIDR from the nonMasqueradeCIDRs is not going to be masqueraded
+cilium_non_masquerade_cidrs:
+  - 10.0.0.0/8
+  - 172.16.0.0/12
+  - 192.168.0.0/16
+  - 100.64.0.0/10
+  - 192.0.0.0/24
+  - 192.0.2.0/24
+  - 192.88.99.0/24
+  - 198.18.0.0/15
+  - 198.51.100.0/24
+  - 203.0.113.0/24
+  - 240.0.0.0/4
+### Indicates whether to masquerade traffic to the link local prefix.
+### If the masqLinkLocal is not set or set to false, then 169.254.0.0/16 is appended to the non-masquerade CIDRs list.
+cilium_masq_link_local: false
+### A time interval at which the agent attempts to reload config from disk
+cilium_ip_masq_resync_interval: 60s
+
 # Hubble
 ### Enable Hubble without install
 cilium_enable_hubble: false
--- a/roles/network_plugin/cilium/templates/cilium/config.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium/config.yml.j2
@ -206,6 +206,9 @@ data:
 {% endif %}
 {% endif %}

+  # IP Masquerade Agent
+  enable-ip-masq-agent: "{{ cilium_ip_masq_agent_enable }}"
+
 {% for key, value in cilium_config_extra_vars.items() %}
  {{ key }}: "{{ value }}"
 {% endfor %}
@ -228,3 +231,20 @@ data:
 {% if cilium_version | regex_replace('v') is version('1.9', '>=') %}
  ipam: "{{ cilium_ipam_mode }}"
 {% endif %}
+
+{% if cilium_ip_masq_agent_enable %}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ip-masq-agent
+  namespace: kube-system
+data:
+  config: |
+    nonMasqueradeCIDRs:
+{% for cidr in cilium_non_masquerade_cidrs %}
+      - {{ cidr }}
+{% endfor %}
+    masqLinkLocal: {{ cilium_masq_link_local|bool }}
+    resyncInterval: "{{ cilium_ip_masq_resync_interval }}"
+{% endif %}
--- a/roles/network_plugin/cilium/templates/cilium/ds.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium/ds.yml.j2
@ -186,6 +186,11 @@ spec:
        - mountPath: /tmp/cilium/config-map
          name: cilium-config-path
          readOnly: true
+{% if not cilium_ip_masq_agent_enable %}
+        - name: ip-masq-agent
+          mountPath: /etc/config
+          readOnly: true
+{% endif %}
          # Needed to be able to load kernel modules
        - mountPath: /lib/modules
          name: lib-modules
@ -365,6 +370,14 @@ spec:
      - configMap:
          name: cilium-config
        name: cilium-config-path
+{% if not cilium_ip_masq_agent_enable %}
+      - configMap:
+          name: ip-masq-agent
+          items:
+          - key: config
+            path: ip-masq-agent
+        name: ip-masq-agent
+{% endif %}
 {% if cilium_encryption_enabled and cilium_encryption_type == "ipsec" %}
      - name: cilium-ipsec-secrets
        secret: