Users can specify IPs with the annotation "allowed-location-ips".
It makes no difference which node of a location is annotated.
The IP should be routable from the particular location, e.g. a printer in
the same LAN.
This way these IPs become routable from other location.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
* wireguard: export an Endpoint comparison method
* Record discovered endpoints in node
* Synchronize DiscoveredEndpoints in k8s backend
* Add discoveredEndpointsAreEqual
* Handle discovered Endpoints in topology to enable NAT 2 NAT
* Refactor to use Endpoint.Equal
Compare IP first by default and compare DNS name first when we know the Endpoint was resolved.
* Drop the shallow copies of nodes and peers
Now that updateNATEndpoints was updated to discoverNATEndpoints and that
the endpoints are overridden by topology instead of mutating the nodes and
peers object, we can safely drop this copy.
First the comment "so remove it from the mesh" is wrong / missleading as
since 034c27ab78 the delete in that if is
not in there anymore.
Second the m.nodes map is not updated so setting `diff = true` will call `applyTopology` without any changes... which seams useless.
Third the rest of the code already checks for Ready so this special case
here should not be needed.
Commit 4d00bc56fe introduced a bug in the
Kilo graph generation logic. This commit used the WireGuard CIDR from
the topology struct as the graph title, however this field is nil
whenever the selected node is not a leader, causing the program to
panic.
This commit changes the meaning of the topology struct's wireGuardCIDR
field so that the field is always defined and the normalized value will
always be equal to the Kilo subnet CIDR. When the selected node is a
leader node, then the field's IP will be the IP allocated to the node
within the subnet. This effectively prevents the program from panicking.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit introduces a new `--resync-period` flag to control how often
the Kilo controllers should reconcile.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit adds a logger to the iptables controller using the options
pattern. It also logs when the controller needs to reset rules, to be
able to identify costly reconciliations.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
Because of new naming conventions for locations, the CIDRs were not
being set within locations.
This lead to no iptables rules added for nodes in the same location.
This commit fixes a bug where the variable holding the index of the
private interface was shadowed, causing it to always be "0".
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
Add default iptables to allow forward traffic from and to pod cidr.
Previously Kilo expected the default behaviour of the forward chain to
accept packets, which can not be guaranteed.
This ensures that Kilo will not select an IP assigned to the Kilo
interface when discovering public and private IPs.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit introduces a new Prometheus metric to detect if the node is
a leader of its location, from its own point of view.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
Previously, when udpdating the persistent keepalive of a node via
annotations, the node's WireGuard configuration was not updated. This
corrects the behavior.
Fixes: #54
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit adds support for defining preshared keys when declaring a
new Peer CRD. This preshared key will be used whenever the nodes in the
Kilo mesh communicate with that peer.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit enables simultaneously managing IPv4 and IPv6 iptables
rules. This makes it possible to have peers with IPv6 allowed IPs in an
otherwise IPv4 stack and vice versa.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit enables NAT-ing packets outgoing to the WAN from both the
Pod subnet as well as from peers. This means that Pods can access the
Internet and that peers can use the Kilo mesh as a gateway to the
Internet.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit changes how Kilo allows nodes and peers behind NAT to roam.
Rather that ignore changes to endpoints when comparing WireGuard
configurations, Kilo now incorporates changes to endpoints for peers
behind NAT into its configuration first and later compares the
configurations.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit documents the use of the persistent-keepalive annotation and
corrects the implementation of keepalives.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
Kilo had a routine that synchronized the endpoints of peers back into
the API to ensure that endpoints updated by WireGuard for a roaming peer
would always positively compare with the endpoints in the API. This is
no longer needed as Kilo will now simply ignore changes to endpoints for
peers with a non-zero persistent keepalive.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit enables Kilo to ignore changes to the endpoints of peers
that sit behind a NAT gateway. We use the heuristic of a non-zero
persistent keepalive to decide whether the endpoint field should be
ignored. This will allow NATed peers to roam and for every node in the
cluster to have a different value for a peer's endpoint, as is natural
when a peer's connections are NATed.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit fixes the issue encountered in #36, where the CNI config is
touched even though CNI management is disabled.
Fixes: #36
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit allows DNS names to be used when specifying the endpoint
for a node in the WireGuard mesh. This is useful in many scenarios, in
particular when operating an IoT device whose public IP is dynamic. This
change allows the administrator to use a dynamic DNS name in the node's
endpoint.
One of the side-effects of this change is that the WireGuard port can
now be specified individually for each node in the mesh, if the
administrator wishes to do so.
*Note*: this commit introduces a breaking change; the
`force-external-ip` node annotation has been removed; its functionality
has been ported over to the `force-endpoint` annotation. This annotation
is documented in the annotations.md file. The expected content of this
annotation is no longer a CIDR but rather a host:port. The host can be
either a DNS name or an IP.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit entirely replaces NAT in Kilo with a few iproute2 rules.
Previously, Kilo would source-NAT the majority of packets in order to
avoid problems with strict source checks in cloud providers causing
packets to be considered martians. This source-NAT-ing made it
difficult to correctly apply Kuberenetes NetworkPolicies based on source
IPs.
This rewrite instead relies on a handful of iproute2 rules to ensure
that packets get encapsulated in certain scenarios based on the source
network and/or source interface.
This has the benefit of avoiding extra iptables bloat as well as
enabling better compatibility with NetworkPolicies.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit cleans up the iptables package to allow other packages to
create rules.
This commit also removes all NAT from Kilo.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit makes it possible to specify the Kilo interface name. If the
specified interface exists, it will be used; if it does not exist, Kilo
will create it. If the interface already existed, then it will not be
deleted on shutdown; otherwise Kilo will destroy the interface.
Fixes: https://github.com/squat/kilo/issues/8
Addresses: 1/2 of https://github.com/squat/kilo/issues/17
This commit adds basic support to run in compatibility mode with
Flannel. This allows clusters running Flannel as their principal
networking solution to leverage some advances Kilo features. In certain
Flannel setups, the clusters can even leverage muti-cloud. For this, the
cluster needs to either run in a full mesh, or Flannel needs to use the
API server's external IP address.
This commit ensures that the WireGuard private key is re-used between
container restarts. The result of this is that external peers can keep
using their configuration and don't need to be re-configured just
because the Kilo container restarted.
This commit enables Kilo to work as an independent networking provider.
This is done by leveraging CNI. Kilo brings the necessary CNI plugins to
operate and takes care of all networking.
Add-on compatibility for Calico, Flannel, etc, will be re-introduced
shortly.
This commit exposes a new Prometheus to track the number of
reconciliation attempts. This is important, as without this, the number
of errors it not too helpful. A more valuable statistic is the
proportion of reconciliations that result in an error.
This commit introduces liveness checks to Kilo. This allows the Kilo
daemons to take nodes with inactive or dead Kilo deamons out of the
topology until they are alive again.
leonnicolas
Lucas Servén Marín
Julien Viard de Galbert
Julien Viard de Galbert
Francis Nguyen