setup masquerade rule for traffic destined for outside of cluster and pod network

Murali Reddy · Murali Reddy · commit 1478527cc8a3 · 2017-06-01T07:20:04.000+05:30
change added iptable rule in NAT table POSTROUTING chain to masqurade outbound traffic from the pods. Fixes #8
diff --git a/README.md b/README.md
@@ -37,6 +37,7 @@ Alternatively you can download the prebuilt binary from https://github.com/cloud
   --run-service-proxy               If false, kube-router won't setup IPVS for services proxy. true by default.
   --cleanup-config                  If true cleanup iptables rules, ipvs, ipset configuration and exit.
   --masquerade-all                  SNAT all traffic to cluster IP/node port. False by default
+  --cluster-cidr                    CIDR range of pods in the cluster. If specified external traffic from the pods will be masquraded
   --config-sync-period duration     How often configuration from the apiserver is refreshed. Must be greater than 0. (default 1m0s)
   --iptables-sync-period duration   The maximum interval of how often iptables rules are refreshed (e.g. '5s', '1m'). Must be greater than 0. (default 1m0s)
   --ipvs-sync-period duration       The maximum interval of how often ipvs config is refreshed (e.g. '5s', '1m', '2h22m'). Must be greater than 0. (default 1m0s)
diff --git a/app/controllers/network_routes_controller.go b/app/controllers/network_routes_controller.go
@@ -12,6 +12,7 @@ import (
 	"github.com/cloudnativelabs/kube-router/app/options"
 	"github.com/cloudnativelabs/kube-router/app/watchers"
 	"github.com/cloudnativelabs/kube-router/utils"
+	"github.com/coreos/go-iptables/iptables"
 	"github.com/golang/glog"
 	bgpapi "github.com/osrg/gobgp/api"
 	"github.com/osrg/gobgp/config"
@@ -34,6 +35,7 @@ type NetworkRoutingController struct {
 	peerRouter         string
 	asnNumber          uint32
 	peerAsnNumber      uint32
+	clusterCIDR        string
 }
 var(
 	activeNodes = make(map[string]bool)
@@ -79,6 +81,18 @@ func (nrc *NetworkRoutingController) Run(stopCh <-chan struct{}, wg *sync.WaitGr
 		}
 	}
 
+	if len(nrc.clusterCIDR) != 0 {
+		args := []string{"-s", nrc.clusterCIDR, "!", "-d", nrc.clusterCIDR, "-j", "MASQUERADE"}
+		iptablesCmdHandler, err := iptables.New()
+		if err != nil {
+			glog.Errorf("Failed to add iptable rule to masqurade outbound traffic from pods due to %s. External connectivity will not work.", err.Error())
+		}
+		err = iptablesCmdHandler.AppendUnique("nat", "POSTROUTING", args...)
+		if err != nil {
+			glog.Errorf("Failed to add iptable rule to masqurade outbound traffic from pods due to %s. External connectivity will not work.", err.Error())
+		}
+	}
+
 	// loop forever till notified to stop on stopCh
 	for {
 		select {
@@ -305,6 +319,7 @@ func NewNetworkRoutingController(clientset *kubernetes.Clientset, kubeRouterConf
 
 	nrc := NetworkRoutingController{}
 
+	nrc.clusterCIDR = kubeRouterConfig.ClusterCIDR
 	nrc.syncPeriod = kubeRouterConfig.RoutesSyncPeriod
 	nrc.clientset = clientset
 
diff --git a/app/options/options.go b/app/options/options.go
@@ -18,6 +18,7 @@ type KubeRouterConfig struct {
 	RunFirewall        bool
 	RunRouter          bool
 	MasqueradeAll      bool
+	ClusterCIDR        string
 	AdvertiseClusterIp bool
 	PeerRouter         string
 	ClusterAsn         string
@@ -44,6 +45,7 @@ func (s *KubeRouterConfig) AddFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&s.Kubeconfig, "kubeconfig", s.Kubeconfig, "Path to kubeconfig file with authorization information (the master location is set by the master flag).")
 	fs.BoolVar(&s.CleanupConfig, "cleanup-config", s.CleanupConfig, "If true cleanup iptables rules, ipvs, ipset configuration and exit.")
 	fs.BoolVar(&s.MasqueradeAll, "masquerade-all", s.MasqueradeAll, "SNAT all traffic to cluster IP/node port. False by default")
+	fs.StringVar(&s.ClusterCIDR, "cluster-cidr", s.ClusterCIDR, "CIDR range of pods in the cluster. It is used to identify traffic originating from and destinated to pods.")
 	fs.DurationVar(&s.ConfigSyncPeriod, "config-sync-period", s.ConfigSyncPeriod, "How often configuration from the apiserver is refreshed.  Must be greater than 0.")
 	fs.DurationVar(&s.IPTablesSyncPeriod, "iptables-sync-period", s.IPTablesSyncPeriod, "The maximum interval of how often iptables rules are refreshed (e.g. '5s', '1m'). Must be greater than 0.")
 	fs.DurationVar(&s.IpvsSyncPeriod, "ipvs-sync-period", s.IpvsSyncPeriod, "The maximum interval of how often ipvs config is refreshed (e.g. '5s', '1m', '2h22m'). Must be greater than 0.")
