- add a route to exteranl ip in custom routing table to prevent martian packets
- switch between Masqurade and Tunnel for forwarding when DSR in disabled and enabled
as you annotate and remove DSR annotation, switch the IPVS server
type to tunneling to masqurade mode
also restrict preparing the pod for DSR only to the local pods
* Update DaemonSet, etc manifests
- Remove beta annotation versions of init containers
- Add YAML InitContainers spec to all manifests
- Add CNI config ConfigMap to all manifests
- Make indentation, volume names, etc consistent
- Set all kubeconfig volumes to readonly
* Use IfNotPresent image pull policy for vagrant testing
- Avoids an error with busybox init container image fetching
* Move getNodeIP logic to utils package
Remove redundant ipset lookups
utils.NewIPSet() does this for us.
* Don't masquerade pod -> nodeAddrsIPSet traffic
Previously with Pod egress enabled, this would get masqueraded.
This change also adds cleanup for said ipset.
* Enhanced cleanup of Pod egress, overlay networking
- Delete old/bad pod egress iptables rule(s) from old versions
- When pod egress or overlay are disabled, cleanup as needed
* Update IPSet.Sets to map type
* ipset enhancements
- Avoid providing method that would delete all ipset sets on a system
- New method DestroyAllWithin() destroys sets tracked by an IPSet
- Create() now handles cases where Sets/System state are not in sync
- Refresh() now handles leftover -temp set gracefully
- Swap() now uses ipset swap
- Delete() improved sync of Sets and system state
- Get() now validates if map element exists before trying
- etc
* Update routes controller to reflect ipset changes
* Add --peer-router-password option
Also:
- Consolodated NRC peer fields into a []config.NeighborConfig
to store address, asn, and password for each peer.
- BREAKING: --peer-router and --peer-asn flags now take slices
rather than strings.
* Add password auth node annotation for external peer
* Update documentation
New CLI flags and annotations
Renamed ones as well
* Consistent CLI flags, annotations, and peer config
BGP configs now all accept multiple values and are treated consistently.
Other refactoring was done as well.
* Stop bgpserver on peering errors to avoid listener leak
* Clarify BGP doc sections
Fix some typos
where nodes are in different subnet. With tunneling disabled its expected that default
gateway has learned the pod CIDR's allocated for all the nodes and can route the
pod-to-pod traffic across nodes in different subnets
Fixes#119
This fix introduces flag nodeport-bindon-all-ip with which you can have kube-proxy like behaviour. If not specified
only nodeIP will be open for connections.
Fixes#139
- ip rule to lookup custom route table for packets arriving from the pods
- in the custom route table add route to route traffic to remote node through tunnel interface
Fixes#138
