Gitiles
Code Review Sign In
gerrit-dev.monogon.dev / monogon / 0dca6c91ea9b8a14278aeb3a1a8ba6b512479862^! / . / metropolis / node / core / clusternet / wireguard.go
commit0dca6c91ea9b8a14278aeb3a1a8ba6b512479862[log] [tgz]
authorLorenz Brun <lorenz@monogon.tech>Tue Jan 28 15:04:13 2025 +0100
committerLorenz Brun <lorenz@monogon.tech>Wed Feb 05 14:55:23 2025 +0000
treed3a4605fa9cefa9dccc79fe3df71d1e4335381a8
parentb6ed72eabf092066a837fea4b68846376bd70e8a [diff] [blame]
metropolis: use interface groups

This adds interface groups to all K8s pod interfaces via a CNI plugin
patch and corresponding configuration. It also adds an interface group
to the clusternet interface. Using these new interface groups the
nftables rules for NAT can be simplified.

These will also be used by the network policy plugin later.

Change-Id: I4638a4349ccb12b8724ad28ae34bb61cac4b4ece
Reviewed-on: https://review.monogon.dev/c/monogon/+/3814
Tested-by: Jenkins CI
Reviewed-by: Jan Schär <jan@monogon.tech>

diff --git a/metropolis/node/core/clusternet/wireguard.go b/metropolis/node/core/clusternet/wireguard.go
index 9d14b98..cc5f941 100644
--- a/metropolis/node/core/clusternet/wireguard.go
+++ b/metropolis/node/core/clusternet/wireguard.go

@@ -86,7 +86,7 @@
 		}
 	}
 
-	wgInterface := &netlink.Wireguard{LinkAttrs: netlink.LinkAttrs{Name: clusterNetDeviceName, Flags: net.FlagUp}}
+	wgInterface := &netlink.Wireguard{LinkAttrs: netlink.LinkAttrs{Name: clusterNetDeviceName, Flags: net.FlagUp, Group: common.LinkGroupClusternet}}
 	if err := netlink.LinkAdd(wgInterface); err != nil {
 		return fmt.Errorf("when adding network interface: %w", err)
 	}