I'd like to propose moving mtaufen/non-masquerade-daemon under the kubernetes-incubator/ org. As this is a network configuration daemon, I believe this effort belongs under sig-network.
The OWNERS file in the above repo should serve as the OWNERS file for this proposal. The README in the above repo provides more details, but I'll summarize here:
This daemon solves the problem of configuring the CIDR ranges for non-masquerade in a cluster (via iptables rules). Today, this is accomplished by passing a --non-masquerade-cidr flag to the Kubelet, which only allows one CIDR to be configured as non-masquerade. RFC 1918, however, defines three ranges (192.168/16) for the private IP address space.
Some users will want to communicate between these ranges without masquerade - for instance, if an organization's existing network uses the 10/8 range, they may wish to run their cluster and 192.168/16 to avoid IP conflicts. They will also want these Pods to be able to communicate efficiently (no masquerade) with each other and with their existing network resources in 10/8. This requires that every node in their cluster skips masquerade for both ranges.
We are trying to eliminate networking code from the Kubelet, so rather than extend the Kubelet to accept multiple CIDRs, mtaufen/non-masquerade-daemon allows you to run a DaemonSet that configures a list of CIDRs as non-masquerade.
We may want to consider a better name. By default, there is no masquerade at all. Running this daemon means you will masquerade all traffic EXCEPT what is configured here.
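As an added example (not code from mtaufen/non-masquerade-daemon or its author), a small Go program that assumes a constructed chain name NON-MASQ-EXAMPLE and the hypothetical functions ParseExempt, Rules and Masquerade: it validates the list of non-masquerade CIDRs, renders nat-table rules in the "masquerade everything except these ranges" order, and lets an operator check a destination against the planned list before rolling it out to every node.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)
const masqChain = "NON-MASQ-EXAMPLE" // constructed chain name for this example, not the daemon's own

// ParseExempt validates the ranges that must NOT be masqueraded. net.ParseCIDR rejects shorthand
// like "10/8" (write "10.0.0.0/8"); one bad entry aborts the list, so a typo cannot silently drop a range.
func ParseExempt(cidrs []string) ([]*net.IPNet, error) {
	var nets []*net.IPNet
	for _, c := range cidrs {
		_, ipnet, err := net.ParseCIDR(c) // ipnet is canonical: host bits are cleared
		if err != nil {
			return nil, fmt.Errorf("invalid non-masquerade CIDR %q: %w", c, err)
		}
		nets = append(nets, ipnet)
	}
	return nets, nil
}
// Rules renders the nat table in iptables-restore format: one RETURN per exempt CIDR,
// placed ahead of the catch-all MASQUERADE. That ordering inside the chain is the policy.
func Rules(exempt []*net.IPNet) string {
	var b strings.Builder
	fmt.Fprintf(&b, "*nat\n:%s - [0:0]\n-A POSTROUTING -j %s\n", masqChain, masqChain)
	for _, n := range exempt {
		fmt.Fprintf(&b, "-A %s -d %s -j RETURN\n", masqChain, n)
	}
	fmt.Fprintf(&b, "-A %s -j MASQUERADE\nCOMMIT\n", masqChain)
	return b.String()
}
// Masquerade answers in-process what the chain would decide for one destination address.
func Masquerade(exempt []*net.IPNet, dst net.IP) bool {
	for _, n := range exempt {
		if n.Contains(dst) {
			return false // exempt: the packet leaves without SNAT
		}
	}
	return true
}
func main() {
	exempt, err := ParseExempt([]string{"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"})
	if err != nil {
		panic(err)
	}
	fmt.Print(Rules(exempt))
}
```

Feeding the printed rules to iptables-restore on a node would masquerade everything except the three RFC 1918 ranges; a list with only two of them leaves the third subject to masquerade, which Masquerade makes visible before anything is applied.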