This commit cleans up the iptables package to allow other packages to
create rules.
This commit also removes all NAT from Kilo.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit fixes the ip allocator `newAllocator` to produce IP
addresses with the original network mask. This is makes more sense. The
original functionality can be reproduced by wrapping the produced IP
address with the `oneAddressCIDR` helper.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit modifies the build tooling so that we use the official
alipne build images rather than the images from the multiarch org. This
requires new logic to parse docker manifests but results in a cleaner
solution with fewer architecture definitions.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit updates the well-known label to determine the region of the
node to topology.kubernetes.io/region, which is the new standard as
defined by the Kubernetes documentation, now that
failure-domain.beta.kubernetes.io/region has been deprecated.
The certificates for the alpine APK repositories expired today [0],
breaking builds. This switches the configured repos to ones that work.
It also changes the `main` repo to use HTTPS.
[0] uk.alpinelinux.org expired Nov 15 2019 at 02:00:31 UTC
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit takes a big step towards ensuring that iptables rules are
always kept in the correct order. Specifically, when re-setting a a
ruleset, any time a rule is missing, that rule and all following rules
are re-added to ensure that from that index onwards all rules are in the
right order. Similarly, when reconciling an existing ruleset against the
backend, if a rule is missing, that rule an all following rules are
re-added.
This change does not guarantee that the order of rules in the backend
is correct. Unless an actor is modifying the order of rules in iptables,
all rules created by Kilo should now be kept in the correct order.
Fixes: #19
This commit makes it possible to specify the Kilo interface name. If the
specified interface exists, it will be used; if it does not exist, Kilo
will create it. If the interface already existed, then it will not be
deleted on shutdown; otherwise Kilo will destroy the interface.
Fixes: https://github.com/squat/kilo/issues/8
Addresses: 1/2 of https://github.com/squat/kilo/issues/17
Enhancement: change the kubeconfig hostPath for k3s agent nodes. This makes it easier to install Kilo on k3s as no manual kubeconfig copying is necessary. (#14)
Not all K8s installs will correctly match the node's hostname to the
node's name in the API. We can get around this by setting the name Kilo
uses to the node name in the API.
If the hostname fails to resolve, this should not be considered a
blocking error. Most likely, it means that the hostname is simply not
resolvable, which should not be a requirement to run Kilo. In this case,
simply try to find a valid IP from other sources.
This commit changes the build-system for Kilo to create container images
for multiple architectures. This will enable running Kilo on Arm
devices, e.g. Raspberry Pis. This is accomplished using Docker
manifests.
This commit adds basic support to run in compatibility mode with
Flannel. This allows clusters running Flannel as their principal
networking solution to leverage some advances Kilo features. In certain
Flannel setups, the clusters can even leverage muti-cloud. For this, the
cluster needs to either run in a full mesh, or Flannel needs to use the
API server's external IP address.
Add an exception to the route generation rules for when the external IP
of a node equals the internal IP. In this case, we cannot route traffic
through a tunnel.
This commit ensures that the WireGuard private key is re-used between
container restarts. The result of this is that external peers can keep
using their configuration and don't need to be re-configured just
because the Kilo container restarted.
We need to defensively deduplicate peer allowed IPs.
If two peers claim the same IP, the WireGuard configuration
could flap, causing the interface to churn.
