Add service proxy
This adds a service proxy based on nfproxy and changes to the service IP allocation to make it work.
Also adds support for masquerading outbound traffic for outbound network connectivity.
Test Plan:
Currently manually tested by creating an alpine pod and running 'apk add curl && curl -k https://192.168.188.1:443/'.
Will be covered later by CTS.
Bug: T810
X-Origin-Diff: phab/D580
GitOrigin-RevId: cace863fd8c2f045560f8abf84c40cc77bc275d4
diff --git a/core/internal/kubernetes/clusternet/clusternet.go b/core/internal/kubernetes/clusternet/clusternet.go
index 5c42bb8..e41ba8a 100644
--- a/core/internal/kubernetes/clusternet/clusternet.go
+++ b/core/internal/kubernetes/clusternet/clusternet.go
@@ -108,6 +108,7 @@
}
allowedIPs = append(allowedIPs, *podNet)
}
+ allowedIPs = append(allowedIPs, net.IPNet{IP: internalIP, Mask: net.CIDRMask(32, 32)})
s.logger.Debug("Adding/Updating WireGuard peer node", zap.String("node", newNode.Name),
zap.String("endpointIP", internalIP.String()), zap.Any("allowedIPs", allowedIPs))
// WireGuard's kernel side has create/update semantics on peers by default. So we can just add the peer multiple
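Review bot: the new `allowedIPs = append(allowedIPs, net.IPNet{IP: internalIP, Mask: net.CIDRMask(32, 32)})` line hard-codes a 32-bit mask, which is only correct when `internalIP` is a 4-byte IPv4 address; if a node ever reports an IPv6 internal IP, the resulting IPNet would have a mask shorter than the address and the peer entry would be malformed. Deriving the prefix length from the address (for example `bits := len(internalIP) * 8` after normalizing with `To4()` where applicable, then `net.CIDRMask(bits, bits)`) keeps the /32 behaviour for IPv4 and stays correct for IPv6. It would also help to add a comment next to this line explaining why the node's internal IP is added to AllowedIPs: with WireGuard's cryptokey routing, this entry makes traffic destined to the node's own IP (not just its pod network) flow through the tunnel, which is the behaviour the service proxy and masquerading change in this commit depend on, and a future reader should not remove it as redundant.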