I'd like to propose moving mtaufen/non-masquerade-daemon under the kubernetes-incubator/ org. As this is a network configuration daemon, I believe this effort belongs under sig-network.
The OWNERS file in the above repo should serve as the OWNERS file for this proposal. The README in the above repo provides more details, but I'll summarize here:
This daemon solves the problem of configuring the CIDR ranges for non-masquerade in a cluster (via iptables rules). Today, this is accomplished by passing a `--non-masquerade-cidr` flag to the Kubelet, which only allows one CIDR to be configured as non-masquerade. RFC 1918, however, defines three ranges (`10/8`, `172.16/12`, `192.168/16`) for the private IP address space.
Some users will want to communicate between these ranges without masquerade - for instance, if an organization's existing network uses the `10/8` range, they may wish to run their cluster and Pods in `192.168/16` to avoid IP conflicts. They will also want these Pods to be able to communicate efficiently (no masquerade) with each other and with their existing network resources in `10/8`. This requires that every node in their cluster skips masquerade for both ranges.
We are trying to eliminate networking code from the Kubelet, so rather than extend the Kubelet to accept multiple CIDRs, mtaufen/non-masquerade-daemon allows you to run a DaemonSet that configures a list of CIDRs as non-masquerade.
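To make the iptables side of the proposal concrete, here is an added example (not code from mtaufen/non-masquerade-daemon and not the Kubelet's implementation) of the rule set a node would need for a list of non-masquerade CIDRs: one `RETURN` rule per exempt range in a dedicated nat chain, followed by a catch-all `MASQUERADE`, with `POSTROUTING` jumping into that chain. The chain name `IP-MASQ-EXAMPLE` is an assumption, and the script only prints the `iptables` commands rather than executing them, so it can be reviewed or run on a machine without iptables. It also rejects malformed CIDRs (full dotted-quad notation is required, so the `10/8` shorthand from the prose must be written as `10.0.0.0/8`), since a typo here silently changes which traffic leaves the node unmasqueraded.

```shell
#!/bin/sh
# Added example: emit the nat-table rules for a list of non-masquerade CIDRs.
# Nothing here runs iptables; the commands are printed for review.

# validate_cidr A.B.C.D/N -> 0 if well-formed, 1 otherwise.
validate_cidr() {
  case "$1" in
    */*) ;;
    *) return 1 ;;
  esac
  ip="${1%/*}"
  prefix="${1#*/}"
  case "$prefix" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$prefix" -le 32 ] || return 1
  # Split the address on dots; positional parameters are local to this call.
  set -- $(printf '%s' "$ip" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in
      ''|*[!0-9]*) return 1 ;;
    esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# build_rules CHAIN CIDR... -> prints the iptables commands, or fails on a bad CIDR.
build_rules() {
  chain="$1"
  shift
  for cidr in "$@"; do
    validate_cidr "$cidr" || {
      echo "build_rules: invalid CIDR '$cidr'" >&2
      return 1
    }
  done
  # Dedicated chain so the rules can be flushed and rebuilt without touching
  # anything else a CNI plugin or kube-proxy installed in POSTROUTING.
  printf 'iptables -t nat -N %s\n' "$chain"
  # Traffic to each exempt range leaves the chain unchanged (no masquerade).
  for cidr in "$@"; do
    printf 'iptables -t nat -A %s -d %s -j RETURN\n' "$chain" "$cidr"
  done
  # Everything else gets masqueraded, as the proposal describes.
  printf 'iptables -t nat -A %s -j MASQUERADE\n' "$chain"
  # Hook the chain into POSTROUTING for non-local destinations only.
  printf 'iptables -t nat -A POSTROUTING -m addrtype ! --dst-type LOCAL -j %s\n' "$chain"
}

# Constructed input: the three RFC 1918 ranges named in the proposal.
build_rules IP-MASQ-EXAMPLE 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
```

Because the exempt list ends with an unconditional `MASQUERADE`, the order matters: a `RETURN` added after the catch-all would never match, which is the reason the example builds the whole chain from the list in one pass rather than appending rules incrementally.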
We may want to consider a better name. By default, there is no masquerade at all. Running this daemon means you will masquerade all traffic EXCEPT what is configured here.
`ip-masquerade-controller`? `ip-masquerade-configurator`? `ip-masquerade-agent`?