Merge pull request #229 from DockToFuture/remove/snat

Disable SNAT for clusters without overlay
gardener · Jan 18, 2023 · 90d4df2 · 90d4df2
2 parents 5351ffb + 735c523
commit 90d4df2
Show file tree

Hide file tree

Showing 13 changed files with 325 additions and 20 deletions.
diff --git a/charts/internal/calico/templates/ippool/ippool.yaml b/charts/internal/calico/templates/ippool/ippool.yaml
@@ -0,0 +1,42 @@
+{{- if eq .Values.global.overlayEnabled "true" }}
+---
+apiVersion: crd.projectcalico.org/v1
+kind: IPPool
+metadata:
+  name: default-ipv4-ippool
+spec:
+  allowedUses:
+  - Workload
+  - Tunnel
+  blockSize: 26
+  cidr: "{{ .Values.global.podCIDR }}"
+  ipipMode: Always
+  natOutgoing: true
+  nodeSelector: all()
+  vxlanMode: Never
+{{- end }}
+{{- if eq .Values.global.overlayEnabled "false" }}
+---
+apiVersion: crd.projectcalico.org/v1
+kind: IPPool
+metadata:
+  name: default-ipv4-ippool
+spec:
+  allowedUses:
+  - Workload
+  - Tunnel
+  blockSize: 26
+  cidr: "{{ .Values.global.podCIDR }}"
+  ipipMode: Never
+  natOutgoing: true
+  nodeSelector: all()
+  vxlanMode: Never
+---
+apiVersion: crd.projectcalico.org/v1
+kind: IPPool
+metadata:
+  name: no-snat-for-node-cidr
+spec:
+  cidr: "{{ .Values.global.nodeCIDR }}"
+  disabled: true
+{{- end }}
diff --git a/charts/internal/calico/templates/node/daemonset-calico-node.yaml b/charts/internal/calico/templates/node/daemonset-calico-node.yaml
@@ -53,6 +53,13 @@ spec:
       terminationGracePeriodSeconds: 0
       priorityClassName: system-node-critical
       initContainers:
+      {{- if eq .Values.global.overlayEnabled "false" }}
+      - name: cleanup-routes
+        image: {{ index .Values.images "calico-node" }}
+        command: ["sh", "-c", "IFS=$'\n';for i in $(ip route | grep 'proto bird');do unset IFS;ip route del $i;done"]
+        securityContext:
+          privileged: true
+      {{- end }}
       # This container installs the CNI binaries
       # and CNI network config file on each node.
       - name: install-cni
@@ -159,6 +166,27 @@ spec:
         # Runs calico-node container on each Kubernetes node. This
         # container programs network policy and routes on each
         # host.
+        # Masquerade traffic to upstream DNS server
+        {{- if eq .Values.global.snatToUpstreamDNSEnabled "true" }}
+        - name: add-snat-rule-to-upstream-dns
+          image: {{ index .Values.images "calico-node" }}
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            capabilities:
+              add:
+                - NET_ADMIN
+          env:
+          - name: POD_CIDR
+            value: {{ .Values.global.podCIDR }}
+          resources:
+            requests:
+              cpu: 10m
+              memory: 50Mi
+          command:
+          - /bin/sh
+          - -c
+          - "while true; do sleep 15; for i in $(cat /etc/resolv.conf | grep nameserver | sed -n -e 's/^.*nameserver //p' ); do iptables -t nat -C POSTROUTING -s ${POD_CIDR} -d $i/32 ! -o cali+ -m comment --comment \"calico masquerade non-cluster\" -j MASQUERADE 2>/dev/null || iptables -t nat -I POSTROUTING 1 -s ${POD_CIDR} -d $i/32 ! -o cali+ -m comment --comment \"calico masquerade non-cluster\" -j MASQUERADE; done; sleep 45; done"
+        {{- end }}
         - name: calico-node
           image: {{ index .Values.images "calico-node" }}
           envFrom:
@@ -272,6 +300,10 @@ spec:
             # Limit NAT port range: https://github.com/projectcalico/felix/pull/1838
             - name: FELIX_NATPORTRANGE
               value: "32768:65535"
+            {{- if eq .Values.global.snatToUpstreamDNSEnabled "true" }}
+            - name: FELIX_CHAININSERTMODE
+              value: "Append"
+            {{- end }}
             # Enable automatic management of kubeconfig used by CNI (required due to limited lifetime of service account tokens, default in starting with kubernetes v1.21, BoundServiceAccountTokenVolume feature)
             - name: CALICO_MANAGE_CNI
               value: "true"

diff --git a/charts/internal/calico/values.yaml b/charts/internal/calico/values.yaml
@@ -1,5 +1,8 @@
 global:
   podCIDR: ""
+  nodeCIDR: ""
+  overlayEnabled: ""
+  snatToUpstreamDNSEnabled: ""
 config:
   veth_mtu: 1440
   backend: bird

diff --git a/hack/api-reference/calico.md b/hack/api-reference/calico.md
@@ -140,6 +140,20 @@ Overlay
 </tr>
 <tr>
 <td>
+<code>snatToUpstreamDNS</code></br>
+<em>
+<a href="#calico.networking.extensions.gardener.cloud/v1alpha1.SnatToUpstreamDNS">
+SnatToUpstreamDNS
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>SnatToUpstreamDNS enables the masquerading of packets to the upstream dns server</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>ipip</code></br>
 <em>
 <a href="#calico.networking.extensions.gardener.cloud/v1alpha1.IPv4PoolMode">
@@ -385,6 +399,35 @@ bool
 </tr>
 </tbody>
 </table>
+<h3 id="calico.networking.extensions.gardener.cloud/v1alpha1.SnatToUpstreamDNS">SnatToUpstreamDNS
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#calico.networking.extensions.gardener.cloud/v1alpha1.NetworkConfig">NetworkConfig</a>)
+</p>
+<p>
+<p>SnatToUpstreamDNS  enables the masquerading of packets to the upstream dns server</p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>enabled</code></br>
+<em>
+bool
+</em>
+</td>
+<td>
+</td>
+</tr>
+</tbody>
+</table>
 <h3 id="calico.networking.extensions.gardener.cloud/v1alpha1.Typha">Typha
 </h3>
 <p>

diff --git a/pkg/apis/calico/types_network.go b/pkg/apis/calico/types_network.go
@@ -77,6 +77,8 @@ type NetworkConfig struct {
 	EbpfDataplane *EbpfDataplane
 	// Overlay enables the network overlay
 	Overlay *Overlay
+	// SnatToUpstreamDNS enables the masquerading of packets to the upstream dns server
+	SnatToUpstreamDNS *SnatToUpstreamDNS
 
 	// DEPRECATED.
 	// IPIP is the IPIP Mode for the IPv4 Pool (e.g. Always, Never, CrossSubnet)
@@ -123,3 +125,8 @@ type Overlay struct {
 	// Enabled enables the network overlay.
 	Enabled bool
 }
+
+// SnatToUpstreamDNS  enables the masquerading of packets to the upstream dns server
+type SnatToUpstreamDNS struct {
+	Enabled bool
+}
diff --git a/pkg/apis/calico/v1alpha1/types_network.go b/pkg/apis/calico/v1alpha1/types_network.go
@@ -88,6 +88,9 @@ type NetworkConfig struct {
 	// Overlay enables the network overlay
 	// +optional
 	Overlay *Overlay `json:"overlay,omitempty"`
+	// SnatToUpstreamDNS enables the masquerading of packets to the upstream dns server
+	// +optional
+	SnatToUpstreamDNS *SnatToUpstreamDNS `json:"snatToUpstreamDNS,omitempty"`
 
 	// DEPRECATED.
 	// IPIP is the IPIP Mode for the IPv4 Pool (e.g. Always, Never, CrossSubnet)
@@ -137,3 +140,8 @@ type Overlay struct {
 	// Enabled enables the network overlay.
 	Enabled bool `json:"enabled"`
 }
+
+// SnatToUpstreamDNS  enables the masquerading of packets to the upstream dns server
+type SnatToUpstreamDNS struct {
+	Enabled bool `json:"enabled"`
+}
diff --git a/pkg/apis/calico/v1alpha1/zz_generated.conversion.go b/pkg/apis/calico/v1alpha1/zz_generated.conversion.go
diff --git a/pkg/apis/calico/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/calico/v1alpha1/zz_generated.deepcopy.go
diff --git a/pkg/apis/calico/zz_generated.deepcopy.go b/pkg/apis/calico/zz_generated.deepcopy.go