adelorenzo/kilo
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
116fb7337a
kilo/pkg/mesh/topology.go

534 lines
18 KiB
Go
Raw Normal View History

init
2019-01-18 01:50:10 +00:00
// Copyright 2019 the Kilo authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package mesh
import (
"errors"
"net"
"sort"
pkg/k8s: enable peers to use DNS names This commit enables peers defined using the Peer CRD to declare their endpoints using DNS names. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-28 14:48:32 +00:00
"github.com/vishvananda/netlink"
"golang.org/x/sys/unix"
pkg/{encapsulation,mesh}: abstract encapsulation This commit abstracts away encapsulation to more easily allow for different types of encapsulation or compatibility with other networking solutions.
2019-05-13 16:30:00 +00:00
"github.com/squat/kilo/pkg/encapsulation"
pkg/mesh: enable outgoing NAT to WAN This commit enables NAT-ing packets outgoing to the WAN from both the Pod subnet as well as from peers. This means that Pods can access the Internet and that peers can use the Kilo mesh as a gateway to the Internet. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-09 17:42:42 +00:00
"github.com/squat/kilo/pkg/iptables"
*: add peer VPN support This commit adds support for defining arbitrary peers that should have access to the VPN. In k8s, this is accomplished using the new Peer CRD.
2019-05-03 10:53:40 +00:00
"github.com/squat/kilo/pkg/wireguard"
init
2019-01-18 01:50:10 +00:00
)
pkg/route,pkg/mesh: replace NAT with ip rules This commit entirely replaces NAT in Kilo with a few iproute2 rules. Previously, Kilo would source-NAT the majority of packets in order to avoid problems with strict source checks in cloud providers causing packets to be considered martians. This source-NAT-ing made it difficult to correctly apply Kuberenetes NetworkPolicies based on source IPs. This rewrite instead relies on a handful of iproute2 rules to ensure that packets get encapsulated in certain scenarios based on the source network and/or source interface. This has the benefit of avoiding extra iptables bloat as well as enabling better compatibility with NetworkPolicies. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-20 20:27:50 +00:00
const kiloTableIndex = 1107
init
2019-01-18 01:50:10 +00:00
// Topology represents the logical structure of the overlay network.
type Topology struct {
*: add peer VPN support This commit adds support for defining arbitrary peers that should have access to the VPN. In k8s, this is accomplished using the new Peer CRD.
2019-05-03 10:53:40 +00:00
// key is the private key of the node creating the topology.
key []byte
port uint32
init
2019-01-18 01:50:10 +00:00
// Location is the logical location of the local host.
*: add peer VPN support This commit adds support for defining arbitrary peers that should have access to the VPN. In k8s, this is accomplished using the new Peer CRD.
2019-05-03 10:53:40 +00:00
location string
segments []*segment
peers []*Peer
init
2019-01-18 01:50:10 +00:00
// hostname is the hostname of the local host.
hostname string
// leader represents whether or not the local host
// is the segment leader.
leader bool
pkg/mesh,docs: document and fix keepalive logic This commit documents the use of the persistent-keepalive annotation and corrects the implementation of keepalives. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-03 19:10:20 +00:00
// persistentKeepalive is the interval in seconds of the emission
// of keepalive packets by the local node to its peers.
persistentKeepalive int
// privateIP is the private IP address of the local node.
privateIP *net.IPNet
pkg/route,pkg/mesh: replace NAT with ip rules This commit entirely replaces NAT in Kilo with a few iproute2 rules. Previously, Kilo would source-NAT the majority of packets in order to avoid problems with strict source checks in cloud providers causing packets to be considered martians. This source-NAT-ing made it difficult to correctly apply Kuberenetes NetworkPolicies based on source IPs. This rewrite instead relies on a handful of iproute2 rules to ensure that packets get encapsulated in certain scenarios based on the source network and/or source interface. This has the benefit of avoiding extra iptables bloat as well as enabling better compatibility with NetworkPolicies. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-20 20:27:50 +00:00
// subnet is the Pod subnet of the local node.
init
2019-01-18 01:50:10 +00:00
subnet *net.IPNet
// wireGuardCIDR is the allocated CIDR of the WireGuard
// interface of the local node. If the local node is not
// the leader, then it is nil.
wireGuardCIDR *net.IPNet
}
type segment struct {
*: add peer VPN support This commit adds support for defining arbitrary peers that should have access to the VPN. In k8s, this is accomplished using the new Peer CRD.
2019-05-03 10:53:40 +00:00
allowedIPs []*net.IPNet
pkg/mesh,pkg/wireguard: allow DNS name endpoints This commit allows DNS names to be used when specifying the endpoint for a node in the WireGuard mesh. This is useful in many scenarios, in particular when operating an IoT device whose public IP is dynamic. This change allows the administrator to use a dynamic DNS name in the node's endpoint. One of the side-effects of this change is that the WireGuard port can now be specified individually for each node in the mesh, if the administrator wishes to do so. *Note*: this commit introduces a breaking change; the `force-external-ip` node annotation has been removed; its functionality has been ported over to the `force-endpoint` annotation. This annotation is documented in the annotations.md file. The expected content of this annotation is no longer a CIDR but rather a host:port. The host can be either a DNS name or an IP. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-22 16:17:13 +00:00
endpoint *wireguard.Endpoint
*: add peer VPN support This commit adds support for defining arbitrary peers that should have access to the VPN. In k8s, this is accomplished using the new Peer CRD.
2019-05-03 10:53:40 +00:00
key []byte
init
2019-01-18 01:50:10 +00:00
// Location is the logical location of this segment.
*: add peer VPN support This commit adds support for defining arbitrary peers that should have access to the VPN. In k8s, this is accomplished using the new Peer CRD.
2019-05-03 10:53:40 +00:00
location string
init
2019-01-18 01:50:10 +00:00
// cidrs is a slice of subnets of all peers in the segment.
cidrs []*net.IPNet
// hostnames is a slice of the hostnames of the peers in the segment.
hostnames []string
// leader is the index of the leader of the segment.
leader int
// privateIPs is a slice of private IPs of all peers in the segment.
privateIPs []net.IP
// wireGuardIP is the allocated IP address of the WireGuard
// interface on the leader of the segment.
wireGuardIP net.IP
}
*: add peer VPN support This commit adds support for defining arbitrary peers that should have access to the VPN. In k8s, this is accomplished using the new Peer CRD.
2019-05-03 10:53:40 +00:00
// NewTopology creates a new Topology struct from a given set of nodes and peers.
pkg/mesh,docs: document and fix keepalive logic This commit documents the use of the persistent-keepalive annotation and corrects the implementation of keepalives. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-03 19:10:20 +00:00
func NewTopology(nodes map[string]*Node, peers map[string]*Peer, granularity Granularity, hostname string, port uint32, key []byte, subnet *net.IPNet, persistentKeepalive int) (*Topology, error) {
init
2019-01-18 01:50:10 +00:00
topoMap := make(map[string][]*Node)
for _, node := range nodes {
var location string
switch granularity {
pkg/mesh: rename mesh granularity types This commit renames the mesh granularity types to make them more intuitive. The functionality provided by them remains exactly the same.
2019-05-07 14:34:34 +00:00
case LogicalGranularity:
init
2019-01-18 01:50:10 +00:00
location = node.Location
pkg/mesh: rename mesh granularity types This commit renames the mesh granularity types to make them more intuitive. The functionality provided by them remains exactly the same.
2019-05-07 14:34:34 +00:00
case FullGranularity:
init
2019-01-18 01:50:10 +00:00
location = node.Name
}
topoMap[location] = append(topoMap[location], node)
}
var localLocation string
switch granularity {
pkg/mesh: rename mesh granularity types This commit renames the mesh granularity types to make them more intuitive. The functionality provided by them remains exactly the same.
2019-05-07 14:34:34 +00:00
case LogicalGranularity:
init
2019-01-18 01:50:10 +00:00
localLocation = nodes[hostname].Location
pkg/mesh: rename mesh granularity types This commit renames the mesh granularity types to make them more intuitive. The functionality provided by them remains exactly the same.
2019-05-07 14:34:34 +00:00
case FullGranularity:
init
2019-01-18 01:50:10 +00:00
localLocation = hostname
}
pkg/mesh,docs: document and fix keepalive logic This commit documents the use of the persistent-keepalive annotation and corrects the implementation of keepalives. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-03 19:10:20 +00:00
t := Topology{key: key, port: port, hostname: hostname, location: localLocation, persistentKeepalive: persistentKeepalive, privateIP: nodes[hostname].InternalIP, subnet: nodes[hostname].Subnet}
init
2019-01-18 01:50:10 +00:00
for location := range topoMap {
// Sort the location so the result is stable.
sort.Slice(topoMap[location], func(i, j int) bool {
return topoMap[location][i].Name < topoMap[location][j].Name
})
leader := findLeader(topoMap[location])
if location == localLocation && topoMap[location][leader].Name == hostname {
t.leader = true
}
*: add peer VPN support This commit adds support for defining arbitrary peers that should have access to the VPN. In k8s, this is accomplished using the new Peer CRD.
2019-05-03 10:53:40 +00:00
var allowedIPs []*net.IPNet
init
2019-01-18 01:50:10 +00:00
var cidrs []*net.IPNet
var hostnames []string
var privateIPs []net.IP
for _, node := range topoMap[location] {
// Allowed IPs should include:
// - the node's allocated subnet
// - the node's WireGuard IP
// - the node's internal IP
*: add peer VPN support This commit adds support for defining arbitrary peers that should have access to the VPN. In k8s, this is accomplished using the new Peer CRD.
2019-05-03 10:53:40 +00:00
allowedIPs = append(allowedIPs, node.Subnet, oneAddressCIDR(node.InternalIP.IP))
init
2019-01-18 01:50:10 +00:00
cidrs = append(cidrs, node.Subnet)
hostnames = append(hostnames, node.Name)
privateIPs = append(privateIPs, node.InternalIP.IP)
}
*: add peer VPN support This commit adds support for defining arbitrary peers that should have access to the VPN. In k8s, this is accomplished using the new Peer CRD.
2019-05-03 10:53:40 +00:00
t.segments = append(t.segments, &segment{
pkg/mesh,docs: document and fix keepalive logic This commit documents the use of the persistent-keepalive annotation and corrects the implementation of keepalives. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-03 19:10:20 +00:00
allowedIPs: allowedIPs,
endpoint: topoMap[location][leader].Endpoint,
key: topoMap[location][leader].Key,
location: location,
cidrs: cidrs,
hostnames: hostnames,
leader: leader,
privateIPs: privateIPs,
init
2019-01-18 01:50:10 +00:00
})
}
*: add peer VPN support This commit adds support for defining arbitrary peers that should have access to the VPN. In k8s, this is accomplished using the new Peer CRD.
2019-05-03 10:53:40 +00:00
// Sort the Topology segments so the result is stable.
sort.Slice(t.segments, func(i, j int) bool {
return t.segments[i].location < t.segments[j].location
})
for _, peer := range peers {
t.peers = append(t.peers, peer)
}
// Sort the Topology peers so the result is stable.
sort.Slice(t.peers, func(i, j int) bool {
return t.peers[i].Name < t.peers[j].Name
init
2019-01-18 01:50:10 +00:00
})
pkg: deduplicate peer IP addresses We need to defensively deduplicate peer allowed IPs. If two peers claim the same IP, the WireGuard configuration could flap, causing the interface to churn.
2019-05-10 00:07:05 +00:00
// We need to defensively deduplicate peer allowed IPs. If two peers claim the same IP,
// the WireGuard configuration could flap, causing the interface to churn.
t.peers = deduplicatePeerIPs(t.peers)
init
2019-01-18 01:50:10 +00:00
// Allocate IPs to the segment leaders in a stable, coordination-free manner.
a := newAllocator(*subnet)
*: add peer VPN support This commit adds support for defining arbitrary peers that should have access to the VPN. In k8s, this is accomplished using the new Peer CRD.
2019-05-03 10:53:40 +00:00
for _, segment := range t.segments {
init
2019-01-18 01:50:10 +00:00
ipNet := a.next()
if ipNet == nil {
return nil, errors.New("failed to allocate an IP address; ran out of IP addresses")
}
segment.wireGuardIP = ipNet.IP
pkg/mesh: fix ip allocator helper This commit fixes the ip allocator `newAllocator` to produce IP addresses with the original network mask. This is makes more sense. The original functionality can be reproduced by wrapping the produced IP address with the `oneAddressCIDR` helper. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-20 12:52:41 +00:00
segment.allowedIPs = append(segment.allowedIPs, oneAddressCIDR(ipNet.IP))
*: add peer VPN support This commit adds support for defining arbitrary peers that should have access to the VPN. In k8s, this is accomplished using the new Peer CRD.
2019-05-03 10:53:40 +00:00
if t.leader && segment.location == t.location {
pkg/route,pkg/mesh: replace NAT with ip rules This commit entirely replaces NAT in Kilo with a few iproute2 rules. Previously, Kilo would source-NAT the majority of packets in order to avoid problems with strict source checks in cloud providers causing packets to be considered martians. This source-NAT-ing made it difficult to correctly apply Kuberenetes NetworkPolicies based on source IPs. This rewrite instead relies on a handful of iproute2 rules to ensure that packets get encapsulated in certain scenarios based on the source network and/or source interface. This has the benefit of avoiding extra iptables bloat as well as enabling better compatibility with NetworkPolicies. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-20 20:27:50 +00:00
t.wireGuardCIDR = &net.IPNet{IP: ipNet.IP, Mask: subnet.Mask}
init
2019-01-18 01:50:10 +00:00
}
}
return &t, nil
}
// Routes generates a slice of routes for a given Topology.
pkg/route,pkg/mesh: replace NAT with ip rules This commit entirely replaces NAT in Kilo with a few iproute2 rules. Previously, Kilo would source-NAT the majority of packets in order to avoid problems with strict source checks in cloud providers causing packets to be considered martians. This source-NAT-ing made it difficult to correctly apply Kuberenetes NetworkPolicies based on source IPs. This rewrite instead relies on a handful of iproute2 rules to ensure that packets get encapsulated in certain scenarios based on the source network and/or source interface. This has the benefit of avoiding extra iptables bloat as well as enabling better compatibility with NetworkPolicies. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-20 20:27:50 +00:00
func (t *Topology) Routes(kiloIfaceName string, kiloIface, privIface, tunlIface int, local bool, enc encapsulation.Encapsulator) ([]*netlink.Route, []*netlink.Rule) {
init
2019-01-18 01:50:10 +00:00
var routes []*netlink.Route
pkg/route,pkg/mesh: replace NAT with ip rules This commit entirely replaces NAT in Kilo with a few iproute2 rules. Previously, Kilo would source-NAT the majority of packets in order to avoid problems with strict source checks in cloud providers causing packets to be considered martians. This source-NAT-ing made it difficult to correctly apply Kuberenetes NetworkPolicies based on source IPs. This rewrite instead relies on a handful of iproute2 rules to ensure that packets get encapsulated in certain scenarios based on the source network and/or source interface. This has the benefit of avoiding extra iptables bloat as well as enabling better compatibility with NetworkPolicies. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-20 20:27:50 +00:00
var rules []*netlink.Rule
init
2019-01-18 01:50:10 +00:00
if !t.leader {
manifests,pkg/encapsulation: Flannel compatibility This commit adds basic support to run in compatibility mode with Flannel. This allows clusters running Flannel as their principal networking solution to leverage some advances Kilo features. In certain Flannel setups, the clusters can even leverage muti-cloud. For this, the cluster needs to either run in a full mesh, or Flannel needs to use the API server's external IP address.
2019-05-13 23:01:53 +00:00
// Find the GW for this segment.
// This will be the an IP of the leader.
// In an IPIP encapsulated mesh it is the leader's private IP.
var gw net.IP
*: add peer VPN support This commit adds support for defining arbitrary peers that should have access to the VPN. In k8s, this is accomplished using the new Peer CRD.
2019-05-03 10:53:40 +00:00
for _, segment := range t.segments {
if segment.location == t.location {
pkg/mesh,pkg/wireguard: allow DNS name endpoints This commit allows DNS names to be used when specifying the endpoint for a node in the WireGuard mesh. This is useful in many scenarios, in particular when operating an IoT device whose public IP is dynamic. This change allows the administrator to use a dynamic DNS name in the node's endpoint. One of the side-effects of this change is that the WireGuard port can now be specified individually for each node in the mesh, if the administrator wishes to do so. *Note*: this commit introduces a breaking change; the `force-external-ip` node annotation has been removed; its functionality has been ported over to the `force-endpoint` annotation. This annotation is documented in the annotations.md file. The expected content of this annotation is no longer a CIDR but rather a host:port. The host can be either a DNS name or an IP. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-22 16:17:13 +00:00
gw = enc.Gw(segment.endpoint.IP, segment.privateIPs[segment.leader], segment.cidrs[segment.leader])
init
2019-01-18 01:50:10 +00:00
break
}
}
*: add peer VPN support This commit adds support for defining arbitrary peers that should have access to the VPN. In k8s, this is accomplished using the new Peer CRD.
2019-05-03 10:53:40 +00:00
for _, segment := range t.segments {
init
2019-01-18 01:50:10 +00:00
// First, add a route to the WireGuard IP of the segment.
routes = append(routes, encapsulateRoute(&netlink.Route{
Dst: oneAddressCIDR(segment.wireGuardIP),
Flags: int(netlink.FLAG_ONLINK),
manifests,pkg/encapsulation: Flannel compatibility This commit adds basic support to run in compatibility mode with Flannel. This allows clusters running Flannel as their principal networking solution to leverage some advances Kilo features. In certain Flannel setups, the clusters can even leverage muti-cloud. For this, the cluster needs to either run in a full mesh, or Flannel needs to use the API server's external IP address.
2019-05-13 23:01:53 +00:00
Gw: gw,
init
2019-01-18 01:50:10 +00:00
LinkIndex: privIface,
Protocol: unix.RTPROT_STATIC,
manifests,pkg/encapsulation: Flannel compatibility This commit adds basic support to run in compatibility mode with Flannel. This allows clusters running Flannel as their principal networking solution to leverage some advances Kilo features. In certain Flannel setups, the clusters can even leverage muti-cloud. For this, the cluster needs to either run in a full mesh, or Flannel needs to use the API server's external IP address.
2019-05-13 23:01:53 +00:00
}, enc.Strategy(), t.privateIP, tunlIface))
init
2019-01-18 01:50:10 +00:00
// Add routes for the current segment if local is true.
*: add peer VPN support This commit adds support for defining arbitrary peers that should have access to the VPN. In k8s, this is accomplished using the new Peer CRD.
2019-05-03 10:53:40 +00:00
if segment.location == t.location {
init
2019-01-18 01:50:10 +00:00
if local {
for i := range segment.cidrs {
// Don't add routes for the local node.
if segment.privateIPs[i].Equal(t.privateIP.IP) {
continue
}
routes = append(routes, encapsulateRoute(&netlink.Route{
Dst: segment.cidrs[i],
Flags: int(netlink.FLAG_ONLINK),
Gw: segment.privateIPs[i],
LinkIndex: privIface,
Protocol: unix.RTPROT_STATIC,
manifests,pkg/encapsulation: Flannel compatibility This commit adds basic support to run in compatibility mode with Flannel. This allows clusters running Flannel as their principal networking solution to leverage some advances Kilo features. In certain Flannel setups, the clusters can even leverage muti-cloud. For this, the cluster needs to either run in a full mesh, or Flannel needs to use the API server's external IP address.
2019-05-13 23:01:53 +00:00
}, enc.Strategy(), t.privateIP, tunlIface))
pkg/route,pkg/mesh: replace NAT with ip rules This commit entirely replaces NAT in Kilo with a few iproute2 rules. Previously, Kilo would source-NAT the majority of packets in order to avoid problems with strict source checks in cloud providers causing packets to be considered martians. This source-NAT-ing made it difficult to correctly apply Kuberenetes NetworkPolicies based on source IPs. This rewrite instead relies on a handful of iproute2 rules to ensure that packets get encapsulated in certain scenarios based on the source network and/or source interface. This has the benefit of avoiding extra iptables bloat as well as enabling better compatibility with NetworkPolicies. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-20 20:27:50 +00:00
// Encapsulate packets from the host's Pod subnet headed
// to private IPs.
if enc.Strategy() == encapsulation.Always || (enc.Strategy() == encapsulation.CrossSubnet && !t.privateIP.Contains(segment.privateIPs[i])) {
routes = append(routes, &netlink.Route{
Dst: oneAddressCIDR(segment.privateIPs[i]),
Flags: int(netlink.FLAG_ONLINK),
Gw: segment.privateIPs[i],
LinkIndex: tunlIface,
Protocol: unix.RTPROT_STATIC,
Table: kiloTableIndex,
})
rules = append(rules, defaultRule(&netlink.Rule{
Src: t.subnet,
Dst: oneAddressCIDR(segment.privateIPs[i]),
Table: kiloTableIndex,
}))
}
init
2019-01-18 01:50:10 +00:00
}
}
continue
}
for i := range segment.cidrs {
// Add routes to the Pod CIDRs of nodes in other segments.
routes = append(routes, encapsulateRoute(&netlink.Route{
Dst: segment.cidrs[i],
Flags: int(netlink.FLAG_ONLINK),
manifests,pkg/encapsulation: Flannel compatibility This commit adds basic support to run in compatibility mode with Flannel. This allows clusters running Flannel as their principal networking solution to leverage some advances Kilo features. In certain Flannel setups, the clusters can even leverage muti-cloud. For this, the cluster needs to either run in a full mesh, or Flannel needs to use the API server's external IP address.
2019-05-13 23:01:53 +00:00
Gw: gw,
init
2019-01-18 01:50:10 +00:00
LinkIndex: privIface,
Protocol: unix.RTPROT_STATIC,
manifests,pkg/encapsulation: Flannel compatibility This commit adds basic support to run in compatibility mode with Flannel. This allows clusters running Flannel as their principal networking solution to leverage some advances Kilo features. In certain Flannel setups, the clusters can even leverage muti-cloud. For this, the cluster needs to either run in a full mesh, or Flannel needs to use the API server's external IP address.
2019-05-13 23:01:53 +00:00
}, enc.Strategy(), t.privateIP, tunlIface))
init
2019-01-18 01:50:10 +00:00
// Add routes to the private IPs of nodes in other segments.
// Number of CIDRs and private IPs always match so
// we can reuse the loop.
routes = append(routes, encapsulateRoute(&netlink.Route{
Dst: oneAddressCIDR(segment.privateIPs[i]),
Flags: int(netlink.FLAG_ONLINK),
manifests,pkg/encapsulation: Flannel compatibility This commit adds basic support to run in compatibility mode with Flannel. This allows clusters running Flannel as their principal networking solution to leverage some advances Kilo features. In certain Flannel setups, the clusters can even leverage muti-cloud. For this, the cluster needs to either run in a full mesh, or Flannel needs to use the API server's external IP address.
2019-05-13 23:01:53 +00:00
Gw: gw,
init
2019-01-18 01:50:10 +00:00
LinkIndex: privIface,
Protocol: unix.RTPROT_STATIC,
manifests,pkg/encapsulation: Flannel compatibility This commit adds basic support to run in compatibility mode with Flannel. This allows clusters running Flannel as their principal networking solution to leverage some advances Kilo features. In certain Flannel setups, the clusters can even leverage muti-cloud. For this, the cluster needs to either run in a full mesh, or Flannel needs to use the API server's external IP address.
2019-05-13 23:01:53 +00:00
}, enc.Strategy(), t.privateIP, tunlIface))
init
2019-01-18 01:50:10 +00:00
}
}
*: add peer VPN support This commit adds support for defining arbitrary peers that should have access to the VPN. In k8s, this is accomplished using the new Peer CRD.
2019-05-03 10:53:40 +00:00
// Add routes for the allowed IPs of peers.
for _, peer := range t.peers {
for i := range peer.AllowedIPs {
routes = append(routes, encapsulateRoute(&netlink.Route{
Dst: peer.AllowedIPs[i],
Flags: int(netlink.FLAG_ONLINK),
manifests,pkg/encapsulation: Flannel compatibility This commit adds basic support to run in compatibility mode with Flannel. This allows clusters running Flannel as their principal networking solution to leverage some advances Kilo features. In certain Flannel setups, the clusters can even leverage muti-cloud. For this, the cluster needs to either run in a full mesh, or Flannel needs to use the API server's external IP address.
2019-05-13 23:01:53 +00:00
Gw: gw,
*: add peer VPN support This commit adds support for defining arbitrary peers that should have access to the VPN. In k8s, this is accomplished using the new Peer CRD.
2019-05-03 10:53:40 +00:00
LinkIndex: privIface,
Protocol: unix.RTPROT_STATIC,
manifests,pkg/encapsulation: Flannel compatibility This commit adds basic support to run in compatibility mode with Flannel. This allows clusters running Flannel as their principal networking solution to leverage some advances Kilo features. In certain Flannel setups, the clusters can even leverage muti-cloud. For this, the cluster needs to either run in a full mesh, or Flannel needs to use the API server's external IP address.
2019-05-13 23:01:53 +00:00
}, enc.Strategy(), t.privateIP, tunlIface))
*: add peer VPN support This commit adds support for defining arbitrary peers that should have access to the VPN. In k8s, this is accomplished using the new Peer CRD.
2019-05-03 10:53:40 +00:00
}
}
pkg/route,pkg/mesh: replace NAT with ip rules This commit entirely replaces NAT in Kilo with a few iproute2 rules. Previously, Kilo would source-NAT the majority of packets in order to avoid problems with strict source checks in cloud providers causing packets to be considered martians. This source-NAT-ing made it difficult to correctly apply Kuberenetes NetworkPolicies based on source IPs. This rewrite instead relies on a handful of iproute2 rules to ensure that packets get encapsulated in certain scenarios based on the source network and/or source interface. This has the benefit of avoiding extra iptables bloat as well as enabling better compatibility with NetworkPolicies. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-20 20:27:50 +00:00
return routes, rules
init
2019-01-18 01:50:10 +00:00
}
*: add peer VPN support This commit adds support for defining arbitrary peers that should have access to the VPN. In k8s, this is accomplished using the new Peer CRD.
2019-05-03 10:53:40 +00:00
for _, segment := range t.segments {
init
2019-01-18 01:50:10 +00:00
// Add routes for the current segment if local is true.
*: add peer VPN support This commit adds support for defining arbitrary peers that should have access to the VPN. In k8s, this is accomplished using the new Peer CRD.
2019-05-03 10:53:40 +00:00
if segment.location == t.location {
init
2019-01-18 01:50:10 +00:00
if local {
for i := range segment.cidrs {
// Don't add routes for the local node.
if segment.privateIPs[i].Equal(t.privateIP.IP) {
continue
}
routes = append(routes, encapsulateRoute(&netlink.Route{
Dst: segment.cidrs[i],
Flags: int(netlink.FLAG_ONLINK),
Gw: segment.privateIPs[i],
LinkIndex: privIface,
Protocol: unix.RTPROT_STATIC,
manifests,pkg/encapsulation: Flannel compatibility This commit adds basic support to run in compatibility mode with Flannel. This allows clusters running Flannel as their principal networking solution to leverage some advances Kilo features. In certain Flannel setups, the clusters can even leverage muti-cloud. For this, the cluster needs to either run in a full mesh, or Flannel needs to use the API server's external IP address.
2019-05-13 23:01:53 +00:00
}, enc.Strategy(), t.privateIP, tunlIface))
pkg/route,pkg/mesh: replace NAT with ip rules This commit entirely replaces NAT in Kilo with a few iproute2 rules. Previously, Kilo would source-NAT the majority of packets in order to avoid problems with strict source checks in cloud providers causing packets to be considered martians. This source-NAT-ing made it difficult to correctly apply Kuberenetes NetworkPolicies based on source IPs. This rewrite instead relies on a handful of iproute2 rules to ensure that packets get encapsulated in certain scenarios based on the source network and/or source interface. This has the benefit of avoiding extra iptables bloat as well as enabling better compatibility with NetworkPolicies. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-20 20:27:50 +00:00
// Encapsulate packets from the host's Pod subnet headed
// to private IPs.
if enc.Strategy() == encapsulation.Always || (enc.Strategy() == encapsulation.CrossSubnet && !t.privateIP.Contains(segment.privateIPs[i])) {
routes = append(routes, &netlink.Route{
Dst: oneAddressCIDR(segment.privateIPs[i]),
Flags: int(netlink.FLAG_ONLINK),
Gw: segment.privateIPs[i],
LinkIndex: tunlIface,
Protocol: unix.RTPROT_STATIC,
Table: kiloTableIndex,
})
rules = append(rules, defaultRule(&netlink.Rule{
Src: t.subnet,
Dst: oneAddressCIDR(segment.privateIPs[i]),
Table: kiloTableIndex,
}))
// Also encapsulate packets from the Kilo interface
// headed to private IPs.
rules = append(rules, defaultRule(&netlink.Rule{
Dst: oneAddressCIDR(segment.privateIPs[i]),
Table: kiloTableIndex,
IifName: kiloIfaceName,
}))
}
init
2019-01-18 01:50:10 +00:00
}
}
continue
}
for i := range segment.cidrs {
// Add routes to the Pod CIDRs of nodes in other segments.
routes = append(routes, &netlink.Route{
Dst: segment.cidrs[i],
Flags: int(netlink.FLAG_ONLINK),
Gw: segment.wireGuardIP,
LinkIndex: kiloIface,
Protocol: unix.RTPROT_STATIC,
})
pkg/mesh: edge case external = internal Add an exception to the route generation rules for when the external IP of a node equals the internal IP. In this case, we cannot route traffic through a tunnel.
2019-05-13 15:25:52 +00:00
// Don't add routes through Kilo if the private IP
// equals the external IP. This means that the node
// is only accessible through an external IP and we
// cannot encapsulate traffic to an IP through the IP.
pkg/mesh,pkg/wireguard: allow DNS name endpoints This commit allows DNS names to be used when specifying the endpoint for a node in the WireGuard mesh. This is useful in many scenarios, in particular when operating an IoT device whose public IP is dynamic. This change allows the administrator to use a dynamic DNS name in the node's endpoint. One of the side-effects of this change is that the WireGuard port can now be specified individually for each node in the mesh, if the administrator wishes to do so. *Note*: this commit introduces a breaking change; the `force-external-ip` node annotation has been removed; its functionality has been ported over to the `force-endpoint` annotation. This annotation is documented in the annotations.md file. The expected content of this annotation is no longer a CIDR but rather a host:port. The host can be either a DNS name or an IP. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-22 16:17:13 +00:00
if segment.privateIPs[i].Equal(segment.endpoint.IP) {
pkg/mesh: edge case external = internal Add an exception to the route generation rules for when the external IP of a node equals the internal IP. In this case, we cannot route traffic through a tunnel.
2019-05-13 15:25:52 +00:00
continue
}
init
2019-01-18 01:50:10 +00:00
// Add routes to the private IPs of nodes in other segments.
// Number of CIDRs and private IPs always match so
// we can reuse the loop.
routes = append(routes, &netlink.Route{
Dst: oneAddressCIDR(segment.privateIPs[i]),
Flags: int(netlink.FLAG_ONLINK),
Gw: segment.wireGuardIP,
LinkIndex: kiloIface,
Protocol: unix.RTPROT_STATIC,
})
}
}
*: add peer VPN support This commit adds support for defining arbitrary peers that should have access to the VPN. In k8s, this is accomplished using the new Peer CRD.
2019-05-03 10:53:40 +00:00
// Add routes for the allowed IPs of peers.
for _, peer := range t.peers {
for i := range peer.AllowedIPs {
routes = append(routes, &netlink.Route{
Dst: peer.AllowedIPs[i],
LinkIndex: kiloIface,
Protocol: unix.RTPROT_STATIC,
})
}
}
pkg/route,pkg/mesh: replace NAT with ip rules This commit entirely replaces NAT in Kilo with a few iproute2 rules. Previously, Kilo would source-NAT the majority of packets in order to avoid problems with strict source checks in cloud providers causing packets to be considered martians. This source-NAT-ing made it difficult to correctly apply Kuberenetes NetworkPolicies based on source IPs. This rewrite instead relies on a handful of iproute2 rules to ensure that packets get encapsulated in certain scenarios based on the source network and/or source interface. This has the benefit of avoiding extra iptables bloat as well as enabling better compatibility with NetworkPolicies. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-20 20:27:50 +00:00
return routes, rules
init
2019-01-18 01:50:10 +00:00
}
pkg/{encapsulation,mesh}: abstract encapsulation This commit abstracts away encapsulation to more easily allow for different types of encapsulation or compatibility with other networking solutions.
2019-05-13 16:30:00 +00:00
func encapsulateRoute(route *netlink.Route, encapsulate encapsulation.Strategy, subnet *net.IPNet, tunlIface int) *netlink.Route {
if encapsulate == encapsulation.Always || (encapsulate == encapsulation.CrossSubnet && !subnet.Contains(route.Gw)) {
init
2019-01-18 01:50:10 +00:00
route.LinkIndex = tunlIface
}
return route
}
// Conf generates a WireGuard configuration file for a given Topology.
*: add peer VPN support This commit adds support for defining arbitrary peers that should have access to the VPN. In k8s, this is accomplished using the new Peer CRD.
2019-05-03 10:53:40 +00:00
func (t *Topology) Conf() *wireguard.Conf {
c := &wireguard.Conf{
Interface: &wireguard.Interface{
PrivateKey: t.key,
ListenPort: t.port,
},
}
for _, s := range t.segments {
if s.location == t.location {
continue
}
peer := &wireguard.Peer{
pkg/mesh,pkg/wireguard: allow DNS name endpoints This commit allows DNS names to be used when specifying the endpoint for a node in the WireGuard mesh. This is useful in many scenarios, in particular when operating an IoT device whose public IP is dynamic. This change allows the administrator to use a dynamic DNS name in the node's endpoint. One of the side-effects of this change is that the WireGuard port can now be specified individually for each node in the mesh, if the administrator wishes to do so. *Note*: this commit introduces a breaking change; the `force-external-ip` node annotation has been removed; its functionality has been ported over to the `force-endpoint` annotation. This annotation is documented in the annotations.md file. The expected content of this annotation is no longer a CIDR but rather a host:port. The host can be either a DNS name or an IP. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-22 16:17:13 +00:00
AllowedIPs: s.allowedIPs,
Endpoint: s.endpoint,
pkg/mesh,docs: document and fix keepalive logic This commit documents the use of the persistent-keepalive annotation and corrects the implementation of keepalives. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-03 19:10:20 +00:00
PersistentKeepalive: t.persistentKeepalive,
pkg/k8s/apis: support for preshared keys in peers This commit adds support for defining preshared keys when declaring a new Peer CRD. This preshared key will be used whenever the nodes in the Kilo mesh communicate with that peer. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-05-05 09:36:39 +00:00
PublicKey: s.key,
*: add peer VPN support This commit adds support for defining arbitrary peers that should have access to the VPN. In k8s, this is accomplished using the new Peer CRD.
2019-05-03 10:53:40 +00:00
}
c.Peers = append(c.Peers, peer)
}
for _, p := range t.peers {
peer := &wireguard.Peer{
AllowedIPs: p.AllowedIPs,
pkg/k8s/apis: support for preshared keys in peers This commit adds support for defining preshared keys when declaring a new Peer CRD. This preshared key will be used whenever the nodes in the Kilo mesh communicate with that peer. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-05-05 09:36:39 +00:00
Endpoint: p.Endpoint,
pkg/mesh,docs: document and fix keepalive logic This commit documents the use of the persistent-keepalive annotation and corrects the implementation of keepalives. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-03 19:10:20 +00:00
PersistentKeepalive: t.persistentKeepalive,
pkg/k8s/apis: support for preshared keys in peers This commit adds support for defining preshared keys when declaring a new Peer CRD. This preshared key will be used whenever the nodes in the Kilo mesh communicate with that peer. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-05-05 09:36:39 +00:00
PresharedKey: p.PresharedKey,
*: add peer VPN support This commit adds support for defining arbitrary peers that should have access to the VPN. In k8s, this is accomplished using the new Peer CRD.
2019-05-03 10:53:40 +00:00
PublicKey: p.PublicKey,
}
c.Peers = append(c.Peers, peer)
}
return c
}
cmd/kgctl: add output options for showconf This commit adds several output options to the `showconf` command of the `kgctl` binary: * `--as-peer`: this can be used to generate a peer configuration, which can be used to configure the selected resource as a peer of another WireGuard interface * `--output`: this can be used to select the desired output format of the peer resource, available options are: WireGuard, YAML, and JSON.
2019-05-07 23:31:36 +00:00
// AsPeer generates the WireGuard peer configuration for the local location of the given Topology.
// This configuration can be used to configure this location as a peer of another WireGuard interface.
func (t *Topology) AsPeer() *wireguard.Peer {
for _, s := range t.segments {
if s.location != t.location {
continue
}
return &wireguard.Peer{
pkg/mesh,docs: document and fix keepalive logic This commit documents the use of the persistent-keepalive annotation and corrects the implementation of keepalives. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-03 19:10:20 +00:00
AllowedIPs: s.allowedIPs,
Endpoint: s.endpoint,
PublicKey: s.key,
cmd/kgctl: add output options for showconf This commit adds several output options to the `showconf` command of the `kgctl` binary: * `--as-peer`: this can be used to generate a peer configuration, which can be used to configure the selected resource as a peer of another WireGuard interface * `--output`: this can be used to select the desired output format of the peer resource, available options are: WireGuard, YAML, and JSON.
2019-05-07 23:31:36 +00:00
}
}
return nil
}
*: add peer VPN support This commit adds support for defining arbitrary peers that should have access to the VPN. In k8s, this is accomplished using the new Peer CRD.
2019-05-03 10:53:40 +00:00
// PeerConf generates a WireGuard configuration file for a given peer in a Topology.
func (t *Topology) PeerConf(name string) *wireguard.Conf {
pkg/mesh: enable generating config without peer This commit re-enables old functionality, which permitted the generation of the configuration for a cluster without any peers. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-06 15:05:26 +00:00
var pka int
pkg/k8s/apis: support for preshared keys in peers This commit adds support for defining preshared keys when declaring a new Peer CRD. This preshared key will be used whenever the nodes in the Kilo mesh communicate with that peer. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-05-05 09:36:39 +00:00
var psk []byte
pkg/mesh,docs: document and fix keepalive logic This commit documents the use of the persistent-keepalive annotation and corrects the implementation of keepalives. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-03 19:10:20 +00:00
for i := range t.peers {
if t.peers[i].Name == name {
pkg/mesh: enable generating config without peer This commit re-enables old functionality, which permitted the generation of the configuration for a cluster without any peers. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-06 15:05:26 +00:00
pka = t.peers[i].PersistentKeepalive
pkg/k8s/apis: support for preshared keys in peers This commit adds support for defining preshared keys when declaring a new Peer CRD. This preshared key will be used whenever the nodes in the Kilo mesh communicate with that peer. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-05-05 09:36:39 +00:00
psk = t.peers[i].PresharedKey
pkg/mesh,docs: document and fix keepalive logic This commit documents the use of the persistent-keepalive annotation and corrects the implementation of keepalives. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-03 19:10:20 +00:00
break
}
}
*: add peer VPN support This commit adds support for defining arbitrary peers that should have access to the VPN. In k8s, this is accomplished using the new Peer CRD.
2019-05-03 10:53:40 +00:00
c := &wireguard.Conf{}
for _, s := range t.segments {
peer := &wireguard.Peer{
pkg/mesh,pkg/wireguard: allow DNS name endpoints This commit allows DNS names to be used when specifying the endpoint for a node in the WireGuard mesh. This is useful in many scenarios, in particular when operating an IoT device whose public IP is dynamic. This change allows the administrator to use a dynamic DNS name in the node's endpoint. One of the side-effects of this change is that the WireGuard port can now be specified individually for each node in the mesh, if the administrator wishes to do so. *Note*: this commit introduces a breaking change; the `force-external-ip` node annotation has been removed; its functionality has been ported over to the `force-endpoint` annotation. This annotation is documented in the annotations.md file. The expected content of this annotation is no longer a CIDR but rather a host:port. The host can be either a DNS name or an IP. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-22 16:17:13 +00:00
AllowedIPs: s.allowedIPs,
Endpoint: s.endpoint,
pkg/mesh: enable generating config without peer This commit re-enables old functionality, which permitted the generation of the configuration for a cluster without any peers. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-06 15:05:26 +00:00
PersistentKeepalive: pka,
pkg/k8s/apis: support for preshared keys in peers This commit adds support for defining preshared keys when declaring a new Peer CRD. This preshared key will be used whenever the nodes in the Kilo mesh communicate with that peer. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-05-05 09:36:39 +00:00
PresharedKey: psk,
Define WireGuard PersistentKeepAlive via Annotation (#31) * Add WireGuardPersistentKeepAlive to mesh.Node * Connect to configuration * Shorten keepalive key * Fix casing on keepalive * Add annotated keepalive value to peer functions
2020-02-13 09:16:55 +00:00
PublicKey: s.key,
*: add peer VPN support This commit adds support for defining arbitrary peers that should have access to the VPN. In k8s, this is accomplished using the new Peer CRD.
2019-05-03 10:53:40 +00:00
}
c.Peers = append(c.Peers, peer)
}
pkg/mesh,docs: document and fix keepalive logic This commit documents the use of the persistent-keepalive annotation and corrects the implementation of keepalives. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-03 19:10:20 +00:00
for i := range t.peers {
if t.peers[i].Name == name {
*: add peer VPN support This commit adds support for defining arbitrary peers that should have access to the VPN. In k8s, this is accomplished using the new Peer CRD.
2019-05-03 10:53:40 +00:00
continue
}
peer := &wireguard.Peer{
pkg/mesh,docs: document and fix keepalive logic This commit documents the use of the persistent-keepalive annotation and corrects the implementation of keepalives. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-03 19:10:20 +00:00
AllowedIPs: t.peers[i].AllowedIPs,
pkg/mesh: enable generating config without peer This commit re-enables old functionality, which permitted the generation of the configuration for a cluster without any peers. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-06 15:05:26 +00:00
PersistentKeepalive: pka,
pkg/mesh,docs: document and fix keepalive logic This commit documents the use of the persistent-keepalive annotation and corrects the implementation of keepalives. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-03 19:10:20 +00:00
PublicKey: t.peers[i].PublicKey,
Endpoint: t.peers[i].Endpoint,
*: add peer VPN support This commit adds support for defining arbitrary peers that should have access to the VPN. In k8s, this is accomplished using the new Peer CRD.
2019-05-03 10:53:40 +00:00
}
c.Peers = append(c.Peers, peer)
init
2019-01-18 01:50:10 +00:00
}
*: add peer VPN support This commit adds support for defining arbitrary peers that should have access to the VPN. In k8s, this is accomplished using the new Peer CRD.
2019-05-03 10:53:40 +00:00
return c
init
2019-01-18 01:50:10 +00:00
}
pkg/mesh: enable outgoing NAT to WAN This commit enables NAT-ing packets outgoing to the WAN from both the Pod subnet as well as from peers. This means that Pods can access the Internet and that peers can use the Kilo mesh as a gateway to the Internet. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-09 17:42:42 +00:00
// Rules returns the iptables rules required by the local node.
func (t *Topology) Rules(cni bool) []iptables.Rule {
var rules []iptables.Rule
pkg/iptables: enable simultaneous ipv4 and ipv6 This commit enables simultaneously managing IPv4 and IPv6 iptables rules. This makes it possible to have peers with IPv6 allowed IPs in an otherwise IPv4 stack and vice versa. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-12 14:48:01 +00:00
rules = append(rules, iptables.NewIPv4Chain("nat", "KILO-NAT"))
rules = append(rules, iptables.NewIPv6Chain("nat", "KILO-NAT"))
pkg/mesh: enable outgoing NAT to WAN This commit enables NAT-ing packets outgoing to the WAN from both the Pod subnet as well as from peers. This means that Pods can access the Internet and that peers can use the Kilo mesh as a gateway to the Internet. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-09 17:42:42 +00:00
if cni {
pkg/iptables: enable simultaneous ipv4 and ipv6 This commit enables simultaneously managing IPv4 and IPv6 iptables rules. This makes it possible to have peers with IPv6 allowed IPs in an otherwise IPv4 stack and vice versa. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-12 14:48:01 +00:00
rules = append(rules, iptables.NewRule(iptables.GetProtocol(len(t.subnet.IP)), "nat", "POSTROUTING", "-m", "comment", "--comment", "Kilo: jump to NAT chain", "-s", t.subnet.String(), "-j", "KILO-NAT"))
pkg/mesh: enable outgoing NAT to WAN This commit enables NAT-ing packets outgoing to the WAN from both the Pod subnet as well as from peers. This means that Pods can access the Internet and that peers can use the Kilo mesh as a gateway to the Internet. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-09 17:42:42 +00:00
}
for _, s := range t.segments {
pkg/iptables: enable simultaneous ipv4 and ipv6 This commit enables simultaneously managing IPv4 and IPv6 iptables rules. This makes it possible to have peers with IPv6 allowed IPs in an otherwise IPv4 stack and vice versa. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-12 14:48:01 +00:00
rules = append(rules, iptables.NewRule(iptables.GetProtocol(len(s.wireGuardIP)), "nat", "KILO-NAT", "-m", "comment", "--comment", "Kilo: do not NAT packets destined for WireGuared IPs", "-d", s.wireGuardIP.String(), "-j", "RETURN"))
pkg/mesh: enable outgoing NAT to WAN This commit enables NAT-ing packets outgoing to the WAN from both the Pod subnet as well as from peers. This means that Pods can access the Internet and that peers can use the Kilo mesh as a gateway to the Internet. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-09 17:42:42 +00:00
for _, aip := range s.allowedIPs {
pkg/iptables: enable simultaneous ipv4 and ipv6 This commit enables simultaneously managing IPv4 and IPv6 iptables rules. This makes it possible to have peers with IPv6 allowed IPs in an otherwise IPv4 stack and vice versa. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-12 14:48:01 +00:00
rules = append(rules, iptables.NewRule(iptables.GetProtocol(len(aip.IP)), "nat", "KILO-NAT", "-m", "comment", "--comment", "Kilo: do not NAT packets destined for known IPs", "-d", aip.String(), "-j", "RETURN"))
pkg/mesh: enable outgoing NAT to WAN This commit enables NAT-ing packets outgoing to the WAN from both the Pod subnet as well as from peers. This means that Pods can access the Internet and that peers can use the Kilo mesh as a gateway to the Internet. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-09 17:42:42 +00:00
}
}
for _, p := range t.peers {
for _, aip := range p.AllowedIPs {
rules = append(rules,
pkg/iptables: enable simultaneous ipv4 and ipv6 This commit enables simultaneously managing IPv4 and IPv6 iptables rules. This makes it possible to have peers with IPv6 allowed IPs in an otherwise IPv4 stack and vice versa. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-12 14:48:01 +00:00
iptables.NewRule(iptables.GetProtocol(len(aip.IP)), "nat", "POSTROUTING", "-m", "comment", "--comment", "Kilo: jump to NAT chain", "-s", aip.String(), "-j", "KILO-NAT"),
iptables.NewRule(iptables.GetProtocol(len(aip.IP)), "nat", "KILO-NAT", "-m", "comment", "--comment", "Kilo: do not NAT packets destined for peers", "-d", aip.String(), "-j", "RETURN"),
pkg/mesh: enable outgoing NAT to WAN This commit enables NAT-ing packets outgoing to the WAN from both the Pod subnet as well as from peers. This means that Pods can access the Internet and that peers can use the Kilo mesh as a gateway to the Internet. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-09 17:42:42 +00:00
)
}
}
pkg/iptables: enable simultaneous ipv4 and ipv6 This commit enables simultaneously managing IPv4 and IPv6 iptables rules. This makes it possible to have peers with IPv6 allowed IPs in an otherwise IPv4 stack and vice versa. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-12 14:48:01 +00:00
rules = append(rules, iptables.NewIPv4Rule("nat", "KILO-NAT", "-m", "comment", "--comment", "Kilo: NAT remaining packets", "-j", "MASQUERADE"))
rules = append(rules, iptables.NewIPv6Rule("nat", "KILO-NAT", "-m", "comment", "--comment", "Kilo: NAT remaining packets", "-j", "MASQUERADE"))
pkg/mesh: enable outgoing NAT to WAN This commit enables NAT-ing packets outgoing to the WAN from both the Pod subnet as well as from peers. This means that Pods can access the Internet and that peers can use the Kilo mesh as a gateway to the Internet. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-09 17:42:42 +00:00
return rules
}
init
2019-01-18 01:50:10 +00:00
// oneAddressCIDR takes an IP address and returns a CIDR
// that contains only that address.
func oneAddressCIDR(ip net.IP) *net.IPNet {
return &net.IPNet{IP: ip, Mask: net.CIDRMask(len(ip)*8, len(ip)*8)}
}
// findLeader selects a leader for the nodes in a segment;
// it will select the first node that says it should lead
// or the first node in the segment if none have volunteered,
// always preferring those with a public external IP address,
func findLeader(nodes []*Node) int {
var leaders, public []int
for i := range nodes {
if nodes[i].Leader {
pkg/mesh,pkg/wireguard: allow DNS name endpoints This commit allows DNS names to be used when specifying the endpoint for a node in the WireGuard mesh. This is useful in many scenarios, in particular when operating an IoT device whose public IP is dynamic. This change allows the administrator to use a dynamic DNS name in the node's endpoint. One of the side-effects of this change is that the WireGuard port can now be specified individually for each node in the mesh, if the administrator wishes to do so. *Note*: this commit introduces a breaking change; the `force-external-ip` node annotation has been removed; its functionality has been ported over to the `force-endpoint` annotation. This annotation is documented in the annotations.md file. The expected content of this annotation is no longer a CIDR but rather a host:port. The host can be either a DNS name or an IP. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-22 16:17:13 +00:00
if isPublic(nodes[i].Endpoint.IP) {
init
2019-01-18 01:50:10 +00:00
return i
}
leaders = append(leaders, i)
pkg/mesh,pkg/wireguard: allow DNS name endpoints This commit allows DNS names to be used when specifying the endpoint for a node in the WireGuard mesh. This is useful in many scenarios, in particular when operating an IoT device whose public IP is dynamic. This change allows the administrator to use a dynamic DNS name in the node's endpoint. One of the side-effects of this change is that the WireGuard port can now be specified individually for each node in the mesh, if the administrator wishes to do so. *Note*: this commit introduces a breaking change; the `force-external-ip` node annotation has been removed; its functionality has been ported over to the `force-endpoint` annotation. This annotation is documented in the annotations.md file. The expected content of this annotation is no longer a CIDR but rather a host:port. The host can be either a DNS name or an IP. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-22 16:17:13 +00:00
init
2019-01-18 01:50:10 +00:00
}
pkg/mesh,pkg/wireguard: allow DNS name endpoints This commit allows DNS names to be used when specifying the endpoint for a node in the WireGuard mesh. This is useful in many scenarios, in particular when operating an IoT device whose public IP is dynamic. This change allows the administrator to use a dynamic DNS name in the node's endpoint. One of the side-effects of this change is that the WireGuard port can now be specified individually for each node in the mesh, if the administrator wishes to do so. *Note*: this commit introduces a breaking change; the `force-external-ip` node annotation has been removed; its functionality has been ported over to the `force-endpoint` annotation. This annotation is documented in the annotations.md file. The expected content of this annotation is no longer a CIDR but rather a host:port. The host can be either a DNS name or an IP. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-22 16:17:13 +00:00
if isPublic(nodes[i].Endpoint.IP) {
init
2019-01-18 01:50:10 +00:00
public = append(public, i)
}
}
if len(leaders) != 0 {
return leaders[0]
}
if len(public) != 0 {
return public[0]
}
return 0
}
pkg: deduplicate peer IP addresses We need to defensively deduplicate peer allowed IPs. If two peers claim the same IP, the WireGuard configuration could flap, causing the interface to churn.
2019-05-10 00:07:05 +00:00
func deduplicatePeerIPs(peers []*Peer) []*Peer {
ps := make([]*Peer, len(peers))
ips := make(map[string]struct{})
for i, peer := range peers {
p := Peer{
Name: peer.Name,
Peer: wireguard.Peer{
Endpoint: peer.Endpoint,
PersistentKeepalive: peer.PersistentKeepalive,
pkg/k8s/apis: support for preshared keys in peers This commit adds support for defining preshared keys when declaring a new Peer CRD. This preshared key will be used whenever the nodes in the Kilo mesh communicate with that peer. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-05-05 09:36:39 +00:00
PresharedKey: peer.PresharedKey,
pkg: deduplicate peer IP addresses We need to defensively deduplicate peer allowed IPs. If two peers claim the same IP, the WireGuard configuration could flap, causing the interface to churn.
2019-05-10 00:07:05 +00:00
PublicKey: peer.PublicKey,
},
}
for _, ip := range peer.AllowedIPs {
if _, ok := ips[ip.String()]; ok {
continue
}
p.AllowedIPs = append(p.AllowedIPs, ip)
ips[ip.String()] = struct{}{}
}
ps[i] = &p
}
return ps
}
pkg/route,pkg/mesh: replace NAT with ip rules This commit entirely replaces NAT in Kilo with a few iproute2 rules. Previously, Kilo would source-NAT the majority of packets in order to avoid problems with strict source checks in cloud providers causing packets to be considered martians. This source-NAT-ing made it difficult to correctly apply Kuberenetes NetworkPolicies based on source IPs. This rewrite instead relies on a handful of iproute2 rules to ensure that packets get encapsulated in certain scenarios based on the source network and/or source interface. This has the benefit of avoiding extra iptables bloat as well as enabling better compatibility with NetworkPolicies. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-20 20:27:50 +00:00
func defaultRule(rule *netlink.Rule) *netlink.Rule {
base := netlink.NewRule()
base.Src = rule.Src
base.Dst = rule.Dst
base.IifName = rule.IifName
base.Table = rule.Table
return base
}
Reference in New Issue Copy Permalink