@aojea
Last active April 16, 2023 09:21
Noop ipmasq-agent
$ wget https://gist.githubusercontent.com/aojea/50ec0d10807d1907ecc6ece526f991da/raw/15371f0f2cf48f2e6a75db7f71a7e674e8dfc624/ipmasq.yaml -O ipmasq-noop.yaml
$ kubectl apply -f ipmasq-noop.yaml
configmap/ip-masq-agent configured
daemonset.apps/ip-masq-agent unchanged
$ iptables-save  | grep ip-masq-agent
-A POSTROUTING -m comment --comment "ip-masq-agent: ensure nat POSTROUTING directs all non-LOCAL destination traffic to our custom IP-MASQ chain" -m addrtype ! --dst-type LOCAL -j IP-MASQ
-A IP-MASQ -m comment --comment "ip-masq-agent: outbound traffic is subject to MASQUERADE (must be last in chain)" -j MASQUERADE
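The `iptables-save | grep` check above, turned into a repeatable audit. This is an added example, not part of the gist or of the ip-masq-agent project: `masq_chain_summary` is a hypothetical helper that reads `iptables-save` output and reports whether the chain masquerades everything or carries `RETURN` exemptions. `PAGE_RULES` holds the two rules shown above; `EXEMPT_RULES` is a constructed sample.

```sh
# masq_chain_summary (hypothetical helper): reads `iptables-save` text on stdin.
# $1 is the chain name; the default matches --masq-chain=IP-MASQ in the manifest.
masq_chain_summary() {
  awk -v chain="${1:-IP-MASQ}" '
    # Is the chain reachable from nat POSTROUTING?
    $1 == "-A" && $2 == "POSTROUTING" {
      for (i = 3; i < NF; i++) if ($i == "-j" && $(i + 1) == chain) hooked = 1
    }
    # Walk the rules of the chain itself, in order.
    $1 == "-A" && $2 == chain {
      target = ""; dst = "any"
      for (i = 3; i < NF; i++) {
        if ($i == "-j") target = $(i + 1)   # the real target is the last -j on the line
        if ($i == "-d") dst = $(i + 1)
      }
      n++
      if (target == "RETURN") exempt = exempt (exempt == "" ? "" : ",") dst
      if (target == "MASQUERADE") masq_at = n
    }
    END {
      if (!hooked)            state = "not-hooked"
      else if (!masq_at)      state = "no-masquerade"
      else if (masq_at != n)  state = "masquerade-not-last"
      else if (exempt == "")  state = "masquerade-all"
      else                    state = "masquerade-with-exemptions"
      printf "%s exempt=%s\n", state, (exempt == "" ? "none" : exempt)
    }'
}

# The two rules from the iptables-save output on this page.
PAGE_RULES='-A POSTROUTING -m comment --comment "ip-masq-agent: ensure nat POSTROUTING directs all non-LOCAL destination traffic to our custom IP-MASQ chain" -m addrtype ! --dst-type LOCAL -j IP-MASQ
-A IP-MASQ -m comment --comment "ip-masq-agent: outbound traffic is subject to MASQUERADE (must be last in chain)" -j MASQUERADE'

# Constructed sample: the same chain with one RETURN exemption ahead of MASQUERADE.
EXEMPT_RULES='-A POSTROUTING -m addrtype ! --dst-type LOCAL -j IP-MASQ
-A IP-MASQ -d 10.0.0.0/8 -j RETURN
-A IP-MASQ -j MASQUERADE'

printf '%s\n' "$PAGE_RULES" | masq_chain_summary
printf '%s\n' "$EXEMPT_RULES" | masq_chain_summary
```

On a node, feed it live data with `iptables-save -t nat | masq_chain_summary`.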
# ipmasq.yaml
apiVersion: v1
data:
  # No nonMasqueradeCIDRs entries and masqLinkLocal: true, so the IP-MASQ chain
  # gets no exemptions: only the final MASQUERADE rule seen in the iptables-save
  # output above.
  config: |
    nonMasqueradeCIDRs:
    masqLinkLocal: true
    resyncInterval: 60s
kind: ConfigMap
metadata:
  name: ip-masq-agent
  namespace: kube-system
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: ip-masq-agent
  namespace: kube-system
spec:
  selector:
    matchLabels:
      k8s-app: ip-masq-agent
  template:
    metadata:
      labels:
        k8s-app: ip-masq-agent
    spec:
      # The agent programs the node's own nat table, so it shares the host network namespace.
      hostNetwork: true
      containers:
      - name: ip-masq-agent
        image: gke.gcr.io/ip-masq-agent:v2.9.3-v0.2.1-gke.1
        args:
        - --masq-chain=IP-MASQ
        securityContext:
          privileged: true
        volumeMounts:
        - name: config-volume
          mountPath: /etc/config
      volumes:
      - name: config-volume
        configMap:
          name: ip-masq-agent
          # The pod still starts if the ConfigMap is absent.
          optional: true
          # The "config" key is mounted as /etc/config/ip-masq-agent.
          items:
          - key: config
            path: ip-masq-agent
      tolerations:
      - effect: NoSchedule
        operator: Exists
      - effect: NoExecute
        operator: Exists
      - key: "CriticalAddonsOnly"
        operator: "Exists"