Commit Graph

54 Commits

Author SHA1 Message Date
Lucas Servén Marín
4b32c49ae1
pkg/iptables: add logger to iptables controller
This commit adds a logger to the iptables controller using the options
pattern. It also logs when the controller needs to reset rules, to be
able to identify costly reconciliations.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-02-26 20:54:16 +01:00
Lucas Servén Marín
acfd0bbaec
pkg/iptables: reduce calls to iptables
Currently, every time the iptables controller syncs rules, it spawns an
an iptables process for every rule it checks. This causes two problems:
1. it creates unnecessary load on the system; and
2. it causes contention on the xtables lock file.

This commit creates a lazy cache for iptables rules and chains that
avoids spawning iptables processes. This means that each time the
iptables rules are reconciled, if no rules need to be changed then at
most one iptables process should be spawned to check all of the rules in
a chain and at most one process should be spawned to check all of the
chains in a table.

Note: the success of this reduction in calls to iptables depends on a
somewhat fragile comparison of iptables rule text. The text of any rule
must match exactly, including the order of the flags. An improvement to
come would be to implement an iptables rule parser than can be used to
check semantic equivalence betweem iptables rules.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-02-20 19:24:06 +01:00
leonnicolas
52d8d13047
pkg/mesh/mesh.go: iptables rules in encapsulation
Because of new naming conventions for locations, the CIDRs were not
being set within locations.
This lead to no iptables rules added for nodes in the same location.
2021-02-20 02:00:57 +01:00
Ben Grabham
709c1ec6c0
Don't add generic ACCEPT rules to the filter chain 2021-02-15 12:00:25 +00:00
Lucas Servén Marín
03545d674f
pkg/mesh: don't shadow privIface
This commit fixes a bug where the variable holding the index of the
private interface was shadowed, causing it to always be "0".

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-01-30 20:09:50 +01:00
Lucas Servén Marín
f61b902128
Merge pull request #106 from leonnicolas/bug_iptables
BUG: iptables rules
2021-01-30 17:42:28 +01:00
leonnicolas
448f618c60
BUG: iptables rules
Add default iptables to allow forward traffic from and to pod cidr.

Previously Kilo expected the default behaviour of the forward chain to
accept packets, which can not be guaranteed.
2021-01-30 12:52:30 +01:00
Lucas Servén Marín
3563e660dc
Merge pull request #105 from squat/fix_graph_title
pkg/mesh/graph.go: use WireGuard CIDR as title
2021-01-29 18:21:11 +01:00
Lucas Servén Marín
4d00bc56fe
pkg/mesh/graph.go: use WireGuard CIDR as title
This commit changes the graph so that the WireGuard CIDR is used as the
title rather than the pod subnet assigned to a node in the cluster.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-01-29 15:49:42 +01:00
leonnicolas
3a201ba0fa
Nodes without private IPs
Allow nodes to have no private IPs.
Nodes without private IPs will automatically be put into
their own location.
2021-01-24 22:37:24 +01:00
Lucas Servén Marín
95c0143b1a
pkg/mesh/mesh.go: ignore Kilo IP during discovery
This ensures that Kilo will not select an IP assigned to the Kilo
interface when discovering public and private IPs.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-01-19 20:25:50 +01:00
leonnicolas
e30cff5293
FEATURE: user space wireguard
Add the possibility to use a user space implementation of wireguard. Specifically, the rust implementation boringtun.
2020-12-29 18:50:58 +01:00
Lucas Servén Marín
45cedbb84a
pkg/*: allow kgctl to compile for other OSes
This commit enables the compilation of kgctl when GOOS!=linux.
This fixes #56.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-11-14 12:16:07 +01:00
Lucas Servén Marín
5e970d8b42
pkg/mesh: small change for clarity
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-09-18 16:11:01 +02:00
Lucas Servén Marín
116fb7337a
pkg/k8s: enable peers to use DNS names
This commit enables peers defined using the Peer CRD to declare their
endpoints using DNS names.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-09-17 14:48:38 +02:00
Lucas Servén Marín
82c819659d
pkg/mesh: introduce kilo_leader guage metric
This commit introduces a new Prometheus metric to detect if the node is
a leader of its location, from its own point of view.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-05-25 10:16:50 +02:00
Lucas Servén Marín
968d13148f
pkg/mesh: update persistent keepalive on change
Previously, when udpdating the persistent keepalive of a node via
annotations, the node's WireGuard configuration was not updated. This
corrects the behavior.

Fixes: #54

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-05-06 15:54:34 +02:00
Lucas Servén Marín
0a10dc921c
pkg/k8s/apis: support for preshared keys in peers
This commit adds support for defining preshared keys when declaring a
new Peer CRD. This preshared key will be used whenever the nodes in the
Kilo mesh communicate with that peer.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-05-05 11:36:43 +02:00
Lucas Servén Marín
e4829832c5
pkg/mesh: ensure persistent-keepalive set on nodes
A bug identified by @carlosrmendes caused nodes to ignore the
persistent-keepalive annotation.

xref: https://github.com/squat/kilo/issues/53#issuecomment-620945927

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-04-30 13:53:38 +02:00
Lucas Servén Marín
b668c1ec3e
pkg/iptables: enable simultaneous ipv4 and ipv6
This commit enables simultaneously managing IPv4 and IPv6 iptables
rules. This makes it possible to have peers with IPv6 allowed IPs in an
otherwise IPv4 stack and vice versa.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-12 16:07:48 +01:00
Lucas Servén Marín
7051b9fe29
pkg/mesh: enable outgoing NAT to WAN
This commit enables NAT-ing packets outgoing to the WAN from both the
Pod subnet as well as from peers. This means that Pods can access the
Internet and that peers can use the Kilo mesh as a gateway to the
Internet.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-09 18:45:01 +01:00
Lucas Servén Marín
b54b31b699
pkg/mesh: enable generating config without peer
This commit re-enables old functionality, which permitted the generation
of the configuration for a cluster without any peers.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-06 16:06:41 +01:00
Lucas Servén Marín
29280a987e
pkg/mesh,pkg/wireguard: sync NAT endpoints
This commit changes how Kilo allows nodes and peers behind NAT to roam.
Rather that ignore changes to endpoints when comparing WireGuard
configurations, Kilo now incorporates changes to endpoints for peers
behind NAT into its configuration first and later compares the
configurations.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-04 01:37:08 +01:00
Lucas Servén Marín
24d7c27901
pkg/mesh,docs: document and fix keepalive logic
This commit documents the use of the persistent-keepalive annotation and
corrects the implementation of keepalives.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-04 01:36:56 +01:00
Lucas Servén Marín
515a57a301
pkg/mesh: don't synchronize peer endpoints
Kilo had a routine that synchronized the endpoints of peers back into
the API to ensure that endpoints updated by WireGuard for a roaming peer
would always positively compare with the endpoints in the API. This is
no longer needed as Kilo will now simply ignore changes to endpoints for
peers with a non-zero persistent keepalive.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-28 15:07:23 +01:00
Lucas Servén Marín
0d199db009
pkg/wireguard: ignore changes to peers behind NAT
This commit enables Kilo to ignore changes to the endpoints of peers
that sit behind a NAT gateway. We use the heuristic of a non-zero
persistent keepalive to decide whether the endpoint field should be
ignored. This will allow NATed peers to roam and for every node in the
cluster to have a different value for a peer's endpoint, as is natural
when a peer's connections are NATed.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-28 14:56:02 +01:00
Lucas Servén Marín
e08920c4fb
pkg/mesh: allow fully disabling CNI
This commit fixes the issue encountered in #36, where the CNI config is
touched even though CNI management is disabled.

Fixes: #36

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-22 22:37:01 +01:00
Lucas Servén Marín
409d738124
pkg/mesh: fix segfault in #36
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-22 22:16:45 +01:00
Lucas Servén Marín
aa376ff0d1
pkg/mesh,pkg/wireguard: allow DNS name endpoints
This commit allows DNS names to be used when specifying the endpoint
for a node in the WireGuard mesh. This is useful in many scenarios, in
particular when operating an IoT device whose public IP is dynamic. This
change allows the administrator to use a dynamic DNS name in the node's
endpoint.

One of the side-effects of this change is that the WireGuard port can
now be specified individually for each node in the mesh, if the
administrator wishes to do so.

*Note*: this commit introduces a breaking change; the
`force-external-ip` node annotation has been removed; its functionality
has been ported over to the `force-endpoint` annotation. This annotation
is documented in the annotations.md file. The expected content of this
annotation is no longer a CIDR but rather a host:port. The host can be
either a DNS name or an IP.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-22 17:17:13 +01:00
Lucas Servén Marín
134cbe90be
pkg/route,pkg/mesh: replace NAT with ip rules
This commit entirely replaces NAT in Kilo with a few iproute2 rules.
Previously, Kilo would source-NAT the majority of packets in order to
avoid problems with strict source checks in cloud providers causing
packets to be considered martians. This source-NAT-ing made it
difficult to correctly apply Kuberenetes NetworkPolicies based on source
IPs.

This rewrite instead relies on a handful of iproute2 rules to ensure
that packets get encapsulated in certain scenarios based on the source
network and/or source interface.

This has the benefit of avoiding extra iptables bloat as well as
enabling better compatibility with NetworkPolicies.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-20 21:27:50 +01:00
Lucas Servén Marín
4857d10da1
pkg/iptables: clean up, remove NAT
This commit cleans up the iptables package to allow other packages to
create rules.

This commit also removes all NAT from Kilo.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-20 21:23:23 +01:00
Lucas Servén Marín
2603cd50db
pkg/mesh: fix ip allocator helper
This commit fixes the ip allocator `newAllocator` to produce IP
addresses with the original network mask. This is makes more sense. The
original functionality can be reproduced by wrapping the produced IP
address with the `oneAddressCIDR` helper.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-20 13:54:11 +01:00
Francis Nguyen
6de0f9805a
Define WireGuard PersistentKeepAlive via Annotation (#31)
* Add WireGuardPersistentKeepAlive to mesh.Node

* Connect to configuration

* Shorten keepalive key

* Fix casing on keepalive

* Add annotated keepalive value to peer functions
2020-02-13 10:16:55 +01:00
Lucas Servén Marín
3facc9f34f
cmd/kg: only delete iface if requested
This commit modifies the default behavior of Kilo so that the WireGuard
interface is only deleted on shutdown if explicitly requested.

Fixes: https://github.com/squat/kilo/issues/17#issuecomment-534658157
2019-09-25 13:45:31 +02:00
Lucas Servén Marín
20349de548
pkg/wireguard: allow specifying iface named
This commit makes it possible to specify the Kilo interface name. If the
specified interface exists, it will be used; if it does not exist, Kilo
will create it. If the interface already existed, then it will not be
deleted on shutdown; otherwise Kilo will destroy the interface.

Fixes: https://github.com/squat/kilo/issues/8
Addresses: 1/2 of https://github.com/squat/kilo/issues/17
2019-09-24 16:05:10 +02:00
Lucas Servén Marín
676007938e
pkg/mesh: add peers to graph 2019-09-23 17:54:16 +02:00
Lucas Servén Marín
8e755cf52e
pkg: allow overriding internal IP
This addresses the request for enhancement in
https://github.com/squat/kilo/issues/7.
2019-07-15 17:24:35 +02:00
Lucas Servén Marín
51df7fc4e3
pkg/mesh: don't let hostname resolution stop mesh
If the hostname fails to resolve, this should not be considered a
blocking error. Most likely, it means that the hostname is simply not
resolvable, which should not be a requirement to run Kilo. In this case,
simply try to find a valid IP from other sources.
2019-05-17 18:09:31 +02:00
Lucas Servén Marín
81d6077fc2
manifests,pkg/encapsulation: Flannel compatibility
This commit adds basic support to run in compatibility mode with
Flannel. This allows clusters running Flannel as their principal
networking solution to leverage some advances Kilo features. In certain
Flannel setups, the clusters can even leverage muti-cloud. For this, the
cluster needs to either run in a full mesh, or Flannel needs to use the
API server's external IP address.
2019-05-14 01:01:58 +02:00
Lucas Servén Marín
cd6eeeb1e7
pkg/{encapsulation,mesh}: abstract encapsulation
This commit abstracts away encapsulation to more easily allow for
different types of encapsulation or compatibility with other networking
solutions.
2019-05-13 18:30:03 +02:00
Lucas Servén Marín
d7ad946ff4
pkg/mesh: ignore CNI IP from private IPs
We need to ignore the CNI IP address from the searched IPs, as this will
not be a routable IP address.
2019-05-13 17:35:08 +02:00
Lucas Servén Marín
8ed1b549d1
pkg/mesh: edge case external = internal
Add an exception to the route generation rules for when the external IP
of a node equals the internal IP. In this case, we cannot route traffic
through a tunnel.
2019-05-13 17:25:56 +02:00
Lucas Servén Marín
e4ad7c29ec
manifests: keep private key between restarts
This commit ensures that the WireGuard private key is re-used between
container restarts. The result of this is that external peers can keep
using their configuration and don't need to be re-configured just
because the Kilo container restarted.
2019-05-10 22:21:56 +02:00
Lucas Servén Marín
35390054ba
pkg: deduplicate peer IP addresses
We need to defensively deduplicate peer allowed IPs.
If two peers claim the same IP, the WireGuard configuration
could flap, causing the interface to churn.
2019-05-10 02:07:42 +02:00
Lucas Servén Marín
4d9c203603
pkg/mesh,cmd: add WireGuard IP to Nodes
This allows admins or users to have some easy visibility into the
configuration of the Kilo cluster.
2019-05-10 02:06:02 +02:00
Lucas Servén Marín
034c27ab78
pkg: fix reconciling peer updates 2019-05-08 17:13:24 +02:00
Lucas Servén Marín
90e68c7735
cmd/kgctl: add output options for showconf
This commit adds several output options to the `showconf` command of the
`kgctl` binary:
* `--as-peer`: this can be used to generate a peer configuration, which
can be used to configure the selected resource as a peer of another
WireGuard interface
* `--output`: this can be used to select the desired output format of
the peer resource, available options are: WireGuard, YAML, and JSON.
2019-05-08 01:31:36 +02:00
Lucas Servén Marín
5914a9468f
docs: add topology docs and graphs 2019-05-07 16:36:02 +02:00
Lucas Servén Marín
9f30d8d1a1
pkg/mesh: rename mesh granularity types
This commit renames the mesh granularity types to make them more
intuitive. The functionality provided by them remains exactly the same.
2019-05-07 16:34:49 +02:00
Lucas Servén Marín
b3a3c37e0a
*: add complete CNI support
This commit enables Kilo to work as an independent networking provider.
This is done by leveraging CNI. Kilo brings the necessary CNI plugins to
operate and takes care of all networking.

Add-on compatibility for Calico, Flannel, etc, will be re-introduced
shortly.
2019-05-07 01:49:59 +02:00