From 40a94947c8b160b59d4b3e1802a66c61f65b5c8f Mon Sep 17 00:00:00 2001
From: Aleksandr Didenko
Date: Mon, 3 Oct 2016 12:08:41 +0200
Subject: [PATCH] Add support for --masquerade-all in kube-proxy
New boolean var `kube_proxy_masquerade_all` which enables/disables `--masquerade-all` argument for kube-proxy.
Closes #524
---
 roles/kubernetes/node/defaults/main.yml | 3 +++
 .../kubernetes/node/templates/manifests/kube-proxy.manifest.j2 | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/roles/kubernetes/node/defaults/main.yml b/roles/kubernetes/node/defaults/main.yml
index 94da756be..2c1738370 100644
--- a/roles/kubernetes/node/defaults/main.yml
+++ b/roles/kubernetes/node/defaults/main.yml
@@ -8,6 +8,9 @@ kube_resolv_conf: "/etc/resolv.conf"
 kube_proxy_mode: iptables
+# If using the pure iptables proxy, SNAT everything
+kube_proxy_masquerade_all: true
+
 # kube_api_runtime_config:
 # - extensions/v1beta1/daemonsets=true
 # - extensions/v1beta1/deployments=true
diff --git a/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2 b/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2
index 296658cbd..f0c4bc211 100644
--- a/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2
+++ b/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2
@@ -18,6 +18,9 @@ spec:
 {% endif %}
 - --bind-address={{ ip | default(ansible_default_ipv4.address) }}
 - --proxy-mode={{ kube_proxy_mode }}
+{% if kube_proxy_masquerade_all and kube_proxy_mode == "iptables" %}
+ - --masquerade-all
+{% endif %}
 securityContext:
 privileged: true
 volumeMounts:
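Review bot: `kube_proxy_masquerade_all: true` in roles/kubernetes/node/defaults/main.yml switches SNAT on for every existing iptables-mode deployment that does not override the variable, although the commit message presents it as an opt-in toggle. With `--masquerade-all`, traffic sent via Service cluster IPs reaches backends with a node address instead of the client pod IP, which can weaken source-based network policy and IP allow-lists and removes the client address from backend logs used for incident attribution. Upstream kube-proxy describes the flag as not commonly needed, so I would ship `kube_proxy_masquerade_all: false`. The comment should also state the trade-off, for example `# SNAT all traffic sent via Service cluster IPs (iptables mode only); backends lose the client pod IP`.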
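Review bot: The new `{% if kube_proxy_masquerade_all and kube_proxy_mode == "iptables" %}` test in kube-proxy.manifest.j2 treats any non-empty string as true. An operator who passes `-e kube_proxy_masquerade_all=false` supplies the string "false", so `--masquerade-all` would still be rendered and the override would fail without any warning. Cast the variable: `{% if kube_proxy_masquerade_all | bool and kube_proxy_mode == "iptables" %}`. The setting is also silently dropped for any other `kube_proxy_mode`, which is worth one line in the variable's comment in defaults/main.yml. The container's argument list starts above this hunk and the pod spec continues below it.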