Add service proxy This adds a service proxy based on nfproxy and changes to the service IP allocation to make it work. Also adds support for masquerading outbound traffic for outbound network connectivity. Test Plan: Currently manually tested by creating an alpine pod and running 'apk add curl && curl -k https://192.168.188.1:443/'. Will be covered later by CTS. Bug: T810 X-Origin-Diff: phab/D580 GitOrigin-RevId: cace863fd8c2f045560f8abf84c40cc77bc275d4

commit: b682ba55d4a51babad2beebb470b0fef0e6067ca [log] [tgz]
author: Lorenz Brun <lorenz@nexantic.com> Wed Jul 08 14:51:36 2020 +0200
committer: Lorenz Brun <lorenz@nexantic.com> Wed Jul 08 14:51:36 2020 +0200
tree: d94c2bb98f3a47896558d9cd4d2cc0271a4558c7
parent: f85748717f32f0a74816de01b1e5f2e0104342c5 [diff] [blame]
diff --git a/core/internal/kubernetes/pki/kubernetes.go b/core/internal/kubernetes/pki/kubernetes.go
index 48ce6e9..0de8f6d 100644
--- a/core/internal/kubernetes/pki/kubernetes.go
+++ b/core/internal/kubernetes/pki/kubernetes.go

@@ -103,7 +103,7 @@
 			"kubernetes.default.svc.cluster.local",
 			"localhost",
 		},
-		[]net.IP{{127, 0, 0, 1}}, // TODO(q3k): add service network internal apiserver address
+		[]net.IP{{10, 0, 255, 1}, {127, 0, 0, 1}}, // TODO(q3k): add service network internal apiserver address
 	))
 	make(IdCA, KubeletClient, Client("smalltown:apiserver-kubelet-client", nil))
 	make(IdCA, ControllerManagerClient, Client("system:kube-controller-manager", nil))
commit	b682ba55d4a51babad2beebb470b0fef0e6067ca	[log] [tgz]
author	Lorenz Brun <lorenz@nexantic.com>	Wed Jul 08 14:51:36 2020 +0200
committer	Lorenz Brun <lorenz@nexantic.com>	Wed Jul 08 14:51:36 2020 +0200
tree	d94c2bb98f3a47896558d9cd4d2cc0271a4558c7
parent	f85748717f32f0a74816de01b1e5f2e0104342c5 [diff] [blame]