Use a dedicated node with a WireGuard VPN connection for services that are only reachable over the WireGuard tunnel
Lab layout:
- 192.168.1.0/24 network behind a retail cable modem/router/DHCP server
- control-plane-node: CentOS Stream 9, wired connection to the 192.168.1.0/24 network, k3s control-plane node, podCIDR 10.42.0.0/24
- worker-node: CentOS Stream 9, wired connection to the 192.168.1.0/24 network, k3s worker node, podCIDR 10.42.1.0/24
- workstation: Fedora 38, wired connection to the 192.168.1.0/24 network
  - not participating in the k3s cluster
  - must not have the docker service running: the docker service automatically enables Linux kernel bridge iptables filtering on all bridge devices, which interferes with the local bridge device tests (until appropriate firewall rules are put in place)
  - configured for kubectl access to the k3s cluster via the 192.168.1.0/24 address provided by the k3s install
  - will get a bridge device br0 connected to two network namespaces on the private 10.100.2.0/24 network
Steps:
- create a WireGuard tunnel between worker-node and the workstation
- create a Linux bridge device on the workstation and attach network namespaces to the 10.100.2.0/24 private network
- test connectivity into and out of a workstation network namespace via the bridge device using a diagnostic nc service
- label the k3s nodes
- deploy test pods, one to each node, using node selector labels
- test that the pod on worker-node has access to the diagnostic nc service but the pod on control-plane-node does not
- install a Cilium egress policy for the diagnostic service address/port
- test that pods on both worker-node and control-plane-node have access to the diagnostic service
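Added example (not part of the original notes) covering the "label k3s nodes" through "install Cilium egress policy" steps: one manifest that pins a test pod to each node by nodeSelector label and a CiliumEgressGatewayPolicy that routes those pods' traffic for the diagnostic service out through worker-node, where the WireGuard tunnel terminates. Assumed: the nodes were labelled with `kubectl label node <name> lab/node=worker` / `lab/node=control-plane`, the WireGuard interface on worker-node is named wg0, and the nc diagnostic service address is 10.100.2.10 (constructed).

```yaml
# Test pod pinned to the worker node (label assumed to be set with
#   kubectl label node <worker-node> lab/node=worker)
apiVersion: v1
kind: Pod
metadata:
  name: probe-worker
  labels:
    app: egress-probe
spec:
  nodeSelector:
    lab/node: worker
  containers:
  - name: probe
    image: busybox:1.36   # busybox nc is used for the connectivity check
    command: ["sleep", "86400"]
---
# Same pod pinned to the control-plane node (lab/node=control-plane assumed)
apiVersion: v1
kind: Pod
metadata:
  name: probe-control-plane
  labels:
    app: egress-probe
spec:
  nodeSelector:
    lab/node: control-plane
  containers:
  - name: probe
    image: busybox:1.36
    command: ["sleep", "86400"]
---
# Route both probes' traffic for the diagnostic service out through worker-node,
# whose wg0 (assumed name) carries the WireGuard tunnel. Matches by destination
# address only: this policy type has no port field.
apiVersion: cilium.io/v2
kind: CiliumEgressGatewayPolicy
metadata:
  name: diag-service-via-worker-node
spec:
  selectors:
  - podSelector:
      matchLabels:
        app: egress-probe
  destinationCIDRs:
  - 10.100.2.10/32        # constructed address of the nc diagnostic service
  egressGateway:
    nodeSelector:
      matchLabels:
        lab/node: worker
    interface: wg0        # SNAT to the first IPv4 address on wg0
```

Egress gateway needs Cilium installed with kube-proxy replacement, bpf.masquerade=true and egressGateway.enabled=true. After `kubectl apply -f`, the access checks are `kubectl exec probe-control-plane -- nc -zv 10.100.2.10 <port>` before and after the policy is applied.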