Commit Graph

80 Commits

Author SHA1 Message Date
Lucas Servén Marín
e598102f04
pkg/mesh: fix routes for NATed nodes
Currently, when a node is behind NAT, it is possible that routes to the
node's private IP address, i.e. routes necessary to communicate with the
Kubelet and any Pods on the host network, will not be created because
the private IP is seen as the same as the location's endpoint and is
thus skipped because trying to encapsulate traffic to the endpoint would
break communiation with the endpoint itself.

This logic is not correct for nodes that are behind NAT, because the
endpoin that the node reports may not be the same as the discovered
endpoint for the location. Instead, we should compare the private IP
address to the discovered endpoint.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2022-03-30 13:58:29 +02:00
Lucas Servén Marín
a1af9790ea
Merge pull request #278 from SerialVelocity/fix-peer-node-equality-checking
Fix peer and node equality checking
2022-03-01 21:09:46 +01:00
Ben Grabham
3bf7eacc7e Fix private key generation code 2022-03-01 18:21:08 +00:00
Ben Grabham
6d6c62ae49 Fix peer and node equality checking 2022-03-01 18:09:25 +00:00
leonnicolas
6a696e03e7
migrate to golang.zx2c4.com/wireguard/wgctrl (#239)
* migrate to golang.zx2c4.com/wireguard/wgctrl

This commit introduces the usage of wgctrl.
It avoids the usage of exec calls of the wg command
and parsing the output of `wg show`.

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* vendor wgctrl

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* apply suggestions from code review

Remove wireguard.Enpoint struct and use net.UDPAddr for the resolved
endpoint and addr string (dnsanme:port) if a DN was supplied.

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* pkg/*: use wireguard.Enpoint

This commit introduces the wireguard.Enpoint struct.
It encapsulates a DN name with port and a net.UPDAddr.
The fields are private and only accessible over exported Methods
to avoid accidental modification.

Also iptables.GetProtocol is improved to avoid ipv4 rules being applied
by `ip6tables`.

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* pkg/wireguard/conf_test.go: add tests for Endpoint

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* cmd/kg/main.go: validate port range

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* add suggestions from review

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* pkg/mesh/mesh.go: use Equal func

Implement an Equal func for Enpoint and use it instead of comparing
strings.

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* cmd/kgctl/main.go: check port range

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* vendor

Signed-off-by: leonnicolas <leonloechner@gmx.de>
2022-01-30 17:38:45 +01:00
leonnicolas
ac65330c71
Apply suggestions from code review
Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
2021-11-01 19:02:49 +01:00
leonnicolas
c59ac10e15
pkg/mesh/routes.go: forward private IPs and allowed location IPs
If the `iptables-allow-forwad` is true, we should also forward packages
to and from private IPs and allowed location IPs of the location.

Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-10-17 19:58:17 +02:00
leonnicolas
3de4bf527b
pkg/mesh/routes.go: add iptbales forward allow rules for segment.
Before this commit we added the forward ALLOW rule only for the node's
pod CIDR  and not all pod CIDRs of a location. This commit adds the
forward ALLOW rule for packages from (source) and to (destination) all
pod CIDRs of the location if the node is a leader node.

Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-10-11 23:41:41 +02:00
leonnicolas
70d2751030
bumg golang 1.15 -> 1.17
Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-09-30 17:47:47 +02:00
leonnicolas
9b14c227a9
pkg/mesh/routes.go: add flag for generic ACCEPT in FORWARD chain (#244)
* pkg/mesh/routes.go: add flag for generic ACCEPT in FORWARD chain

Some linux distros or docker will set the default policy in the FORWARD
chain in the filter table to DROP. With the new ip-tables-forward-rules
flag a generic ACCEPT for all packages going from and to the pod subnet
is added to the FORWARD chain.

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* Update cmd/kg/main.go

Co-authored-by: Lucas Servén Marín <lserven@gmail.com>

* Update cmd/kg/main.go

Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
2021-09-30 14:39:06 +02:00
Sean Baildon
3174467751
pkg/mesh: optionally assign external IP to node's private IP (#232) 2021-09-24 10:02:51 +02:00
Sean Baildon
9ec155b843 pkg/mesh: filter local IP addresses when scanning for ips resolved by hostname 2021-08-22 12:40:55 +01:00
Lucas Servén Marín
2c74a560c4
pkg/wireguard: allow configuring MTU (#215)
This commit makes it possible to configure the MTU for the WireGuard
interface created by Kilo.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-07-16 14:23:11 +02:00
Julien Viard de Galbert
e12b5029d7
Use LatestHandshake to validate endpoint (#149)
* wireguard: `wg show iface dump` reader and parser

* mesh: use LatestHandshake to validate NAT Endpoints

* add skip on error

* switch to loop parsing

So the stop on error pattern can be used

* Add error handling to ParseDump
2021-07-06 14:14:59 +02:00
leonnicolas
088578b055
pkg/ cmd/: kgctl autodetect mesh granularity
Addes granularity annotation to auto detect the mesh granularity when
using kubectl

Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-06-18 15:59:25 +02:00
leonnicolas
31ffaa0e71
pkg/: FEATURE: support allowed IPs outside a cluster
Users can specify IPs with the annotation "allowed-location-ips".
It makes no difference which node of a location is annotated.
The IP should be routable from the particular location, e.g. a printer in
the same LAN.
This way these IPs become routable from other location.

Signed-off-by: leonnicolas <leonloechner@gmx.de>

Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
2021-06-15 22:17:35 +02:00
Lucas Servén Marín
166094b5ad
Merge pull request #148 from JulienVdG/sync-not-ready
RFC: Remove syncNodes/syncPeers 'not Ready' special case
2021-04-21 19:49:12 +02:00
Julien Viard de Galbert
2ac000c68a
Nat to nat (#146)
* wireguard: export an Endpoint comparison method

* Record discovered endpoints in node

* Synchronize DiscoveredEndpoints in k8s backend

* Add discoveredEndpointsAreEqual

* Handle discovered Endpoints in topology to enable NAT 2 NAT

* Refactor to use Endpoint.Equal

Compare IP first by default and compare DNS name first when we know the Endpoint was resolved.

* Drop the shallow copies of nodes and peers

Now that updateNATEndpoints was updated to discoverNATEndpoints and that
the endpoints are overridden by topology instead of mutating the nodes and
peers object, we can safely drop this copy.
2021-04-21 19:47:29 +02:00
Julien Viard de Galbert
81f592de74 Remove syncNodes/syncPeers not Ready special case
First the comment "so remove it from the mesh" is wrong / missleading as
since 034c27ab78 the delete in that if is
not in there anymore.

Second the m.nodes map is not updated so setting `diff = true` will call `applyTopology` without any changes... which seams useless.

Third the rest of the code already checks for Ready so this special case
here should not be needed.
2021-04-21 11:33:37 +02:00
leonnicolas
a6fcab6878
pkg/mesh/graph.go: fix format
Previously the newlines were ignored by circo.
This lead to very flat ellipses.
Masked newlines "\\n" are correctly handeled.

Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-03-26 11:12:05 +01:00
Lucas Servén Marín
d1948acd77
pkg/mesh: fix panic in graph
Commit 4d00bc56fe introduced a bug in the
Kilo graph generation logic. This commit used the WireGuard CIDR from
the topology struct as the graph title, however this field is nil
whenever the selected node is not a leader, causing the program to
panic.

This commit changes the meaning of the topology struct's wireGuardCIDR
field so that the field is always defined and the normalized value will
always be equal to the Kilo subnet CIDR. When the selected node is a
leader node, then the field's IP will be the IP allocated to the node
within the subnet. This effectively prevents the program from panicking.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-03-25 02:59:54 +01:00
leonnicolas
9d10d4a3de
FEATURE: allow disabling private IPs
When forcing the internal IP to "" or "-", private IPs won't be used.
2021-03-13 23:33:18 +01:00
leonnicolas
db62b273c0
pkg/mesh/mesh.go: actually add resync period
resync period was not added to mesh struct.

Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-03-13 16:31:09 +01:00
Lucas Servén Marín
39803cef66
pkg/mesh: correctly check 172.16/12 IP range
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-03-06 00:50:48 +01:00
Lucas Servén Marín
7cc707f335
pkg/mesh: correctly idenitfy 172.16/12 IPs
Currently Kilo incorrectly identifies the 172.16/12 private IP range.
This commit fixes the logic.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-03-05 18:27:12 +01:00
Lucas Servén Marín
8dbbc636b5
cmd/kg,pkg: add --resync-period flag
This commit introduces a new `--resync-period` flag to control how often
the Kilo controllers should reconcile.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-03-01 18:20:06 +01:00
Lucas Servén Marín
4b32c49ae1
pkg/iptables: add logger to iptables controller
This commit adds a logger to the iptables controller using the options
pattern. It also logs when the controller needs to reset rules, to be
able to identify costly reconciliations.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-02-26 20:54:16 +01:00
Lucas Servén Marín
acfd0bbaec
pkg/iptables: reduce calls to iptables
Currently, every time the iptables controller syncs rules, it spawns an
an iptables process for every rule it checks. This causes two problems:
1. it creates unnecessary load on the system; and
2. it causes contention on the xtables lock file.

This commit creates a lazy cache for iptables rules and chains that
avoids spawning iptables processes. This means that each time the
iptables rules are reconciled, if no rules need to be changed then at
most one iptables process should be spawned to check all of the rules in
a chain and at most one process should be spawned to check all of the
chains in a table.

Note: the success of this reduction in calls to iptables depends on a
somewhat fragile comparison of iptables rule text. The text of any rule
must match exactly, including the order of the flags. An improvement to
come would be to implement an iptables rule parser than can be used to
check semantic equivalence betweem iptables rules.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-02-20 19:24:06 +01:00
leonnicolas
52d8d13047
pkg/mesh/mesh.go: iptables rules in encapsulation
Because of new naming conventions for locations, the CIDRs were not
being set within locations.
This lead to no iptables rules added for nodes in the same location.
2021-02-20 02:00:57 +01:00
Ben Grabham
709c1ec6c0
Don't add generic ACCEPT rules to the filter chain 2021-02-15 12:00:25 +00:00
Lucas Servén Marín
03545d674f
pkg/mesh: don't shadow privIface
This commit fixes a bug where the variable holding the index of the
private interface was shadowed, causing it to always be "0".

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-01-30 20:09:50 +01:00
Lucas Servén Marín
f61b902128
Merge pull request #106 from leonnicolas/bug_iptables
BUG: iptables rules
2021-01-30 17:42:28 +01:00
leonnicolas
448f618c60
BUG: iptables rules
Add default iptables to allow forward traffic from and to pod cidr.

Previously Kilo expected the default behaviour of the forward chain to
accept packets, which can not be guaranteed.
2021-01-30 12:52:30 +01:00
Lucas Servén Marín
3563e660dc
Merge pull request #105 from squat/fix_graph_title
pkg/mesh/graph.go: use WireGuard CIDR as title
2021-01-29 18:21:11 +01:00
Lucas Servén Marín
4d00bc56fe
pkg/mesh/graph.go: use WireGuard CIDR as title
This commit changes the graph so that the WireGuard CIDR is used as the
title rather than the pod subnet assigned to a node in the cluster.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-01-29 15:49:42 +01:00
leonnicolas
3a201ba0fa
Nodes without private IPs
Allow nodes to have no private IPs.
Nodes without private IPs will automatically be put into
their own location.
2021-01-24 22:37:24 +01:00
Lucas Servén Marín
95c0143b1a
pkg/mesh/mesh.go: ignore Kilo IP during discovery
This ensures that Kilo will not select an IP assigned to the Kilo
interface when discovering public and private IPs.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-01-19 20:25:50 +01:00
leonnicolas
e30cff5293
FEATURE: user space wireguard
Add the possibility to use a user space implementation of wireguard. Specifically, the rust implementation boringtun.
2020-12-29 18:50:58 +01:00
Lucas Servén Marín
45cedbb84a
pkg/*: allow kgctl to compile for other OSes
This commit enables the compilation of kgctl when GOOS!=linux.
This fixes #56.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-11-14 12:16:07 +01:00
Lucas Servén Marín
5e970d8b42
pkg/mesh: small change for clarity
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-09-18 16:11:01 +02:00
Lucas Servén Marín
116fb7337a
pkg/k8s: enable peers to use DNS names
This commit enables peers defined using the Peer CRD to declare their
endpoints using DNS names.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-09-17 14:48:38 +02:00
Lucas Servén Marín
82c819659d
pkg/mesh: introduce kilo_leader guage metric
This commit introduces a new Prometheus metric to detect if the node is
a leader of its location, from its own point of view.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-05-25 10:16:50 +02:00
Lucas Servén Marín
968d13148f
pkg/mesh: update persistent keepalive on change
Previously, when udpdating the persistent keepalive of a node via
annotations, the node's WireGuard configuration was not updated. This
corrects the behavior.

Fixes: #54

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-05-06 15:54:34 +02:00
Lucas Servén Marín
0a10dc921c
pkg/k8s/apis: support for preshared keys in peers
This commit adds support for defining preshared keys when declaring a
new Peer CRD. This preshared key will be used whenever the nodes in the
Kilo mesh communicate with that peer.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-05-05 11:36:43 +02:00
Lucas Servén Marín
e4829832c5
pkg/mesh: ensure persistent-keepalive set on nodes
A bug identified by @carlosrmendes caused nodes to ignore the
persistent-keepalive annotation.

xref: https://github.com/squat/kilo/issues/53#issuecomment-620945927

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-04-30 13:53:38 +02:00
Lucas Servén Marín
b668c1ec3e
pkg/iptables: enable simultaneous ipv4 and ipv6
This commit enables simultaneously managing IPv4 and IPv6 iptables
rules. This makes it possible to have peers with IPv6 allowed IPs in an
otherwise IPv4 stack and vice versa.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-12 16:07:48 +01:00
Lucas Servén Marín
7051b9fe29
pkg/mesh: enable outgoing NAT to WAN
This commit enables NAT-ing packets outgoing to the WAN from both the
Pod subnet as well as from peers. This means that Pods can access the
Internet and that peers can use the Kilo mesh as a gateway to the
Internet.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-09 18:45:01 +01:00
Lucas Servén Marín
b54b31b699
pkg/mesh: enable generating config without peer
This commit re-enables old functionality, which permitted the generation
of the configuration for a cluster without any peers.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-06 16:06:41 +01:00
Lucas Servén Marín
29280a987e
pkg/mesh,pkg/wireguard: sync NAT endpoints
This commit changes how Kilo allows nodes and peers behind NAT to roam.
Rather that ignore changes to endpoints when comparing WireGuard
configurations, Kilo now incorporates changes to endpoints for peers
behind NAT into its configuration first and later compares the
configurations.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-04 01:37:08 +01:00
Lucas Servén Marín
24d7c27901
pkg/mesh,docs: document and fix keepalive logic
This commit documents the use of the persistent-keepalive annotation and
corrects the implementation of keepalives.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-04 01:36:56 +01:00