Add Wireguard-based K8s pod networking
This adds a pod networking runnable based on WireGuard which watches all nodes
and adds their K8s IPAM allocations as routes into the kernel and WireGuard. It only depends
on K8s and only performs direct routing.
Test Plan: Manually tested by spinning up a two-node cluster and running two Alpine pods pinging each other. Can be covered by E2E tests once we can do image preseeding for the test infra (T793).
Bug: T487
X-Origin-Diff: phab/D573
GitOrigin-RevId: ba3fc36f421fd75002f6cf8bea25ed6f1eb457b0
diff --git a/core/internal/containerd/BUILD.bazel b/core/internal/containerd/BUILD.bazel
index 56c2822..a1deae0 100644
--- a/core/internal/containerd/BUILD.bazel
+++ b/core/internal/containerd/BUILD.bazel
@@ -15,6 +15,5 @@
exports_files([
"config.toml",
"runsc.toml",
- "loopback.json",
- "ptp.json",
+ "cnispec.gojson",
])
diff --git a/core/internal/containerd/cnispec.gojson b/core/internal/containerd/cnispec.gojson
new file mode 100644
index 0000000..0057036
--- /dev/null
+++ b/core/internal/containerd/cnispec.gojson
@@ -0,0 +1,29 @@
+{{- /*gotype: github.com/containerd/cri/pkg/server.cniConfigTemplate*/ -}}
+{
+ "name": "k8s-pod-network",
+ "cniVersion": "0.3.1",
+ "plugins": [
+ {
+ "type": "ptp",
+ "mtu": 1420,
+ "ipam": {
+ "type": "host-local",
+ "dataDir": "/containerd/run/ipam",
+ "ranges": [
+ {{range $i, $range := .PodCIDRRanges}}{{if $i}},
+ {{end}}[
+ {
+ "subnet": "{{$range}}"
+ }
+ ]
+ {{end}}
+ ],
+ "routes": [
+ {{range $i, $route := .Routes}}{{if $i}},
+ {{end}}{
+ "dst": "{{$route}}"
+}{{end}}]
+}
+}
+]
+}
\ No newline at end of file
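Review bot: The template documents nothing about where `.PodCIDRRanges` and `.Routes` come from or why the `ptp` plugin carries no `ipMasq`, so a reader cannot tell whether pod egress beyond the cluster is meant to leave the node with the pod IP as source; a template comment next to the existing gotype line, such as `{{- /* .PodCIDRRanges and .Routes are filled in by containerd's CRI plugin from the kubelet-reported PodCIDR; no ipMasq on purpose, pod traffic is routed directly over the WireGuard node network */ -}}`, would pin that down (the direct-routing intent is taken from the commit description, so confirm it before writing it). The `loopback` plugin from the deleted loopback.json is not carried into this plugin list; that is fine if the CRI plugin injects a loopback network itself, as newer containerd versions do, but it is worth confirming against the containerd version in use since a pod without `lo` fails in confusing ways. Minor style: the `routes` block sits at column 0 while the rest of the template is indented, and the file ends without a trailing newline.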
diff --git a/core/internal/containerd/config.toml b/core/internal/containerd/config.toml
index 5a7e2f6..415391a 100644
--- a/core/internal/containerd/config.toml
+++ b/core/internal/containerd/config.toml
@@ -90,8 +90,8 @@
[plugins."io.containerd.grpc.v1.cri".cni]
bin_dir = "/containerd/bin/cni"
conf_dir = "/containerd/conf/cni"
- max_conf_num = 1
- conf_template = ""
+ max_conf_num = 0
+ conf_template = "/containerd/conf/cnispec.gojson"
[plugins."io.containerd.grpc.v1.cri".registry]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
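Review bot: `max_conf_num = 0` is left unexplained, and if `0` means "no limit" here, as the CRI plugin's config documentation describes, every `.conf`/`.conflist` found in `/containerd/conf/cni` is loaded alongside the rendered template, so a stale file left in that directory by an earlier layout would silently take part in pod network setup. A comment above the line, `# 0 = no cap on conflists loaded from conf_dir; only the CRI plugin's rendering of conf_template should ever live there`, would make the expectation explicit, and the deployment should ensure the directory starts empty. Placing the template at `/containerd/conf/cnispec.gojson`, outside `conf_dir`, is the right call since it cannot then be mistaken for a conflist itself; whether the BUILD export actually installs the file at that path is outside this hunk.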
diff --git a/core/internal/containerd/loopback.json b/core/internal/containerd/loopback.json
deleted file mode 100644
index f375c5d..0000000
--- a/core/internal/containerd/loopback.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "cniVersion": "0.3.0",
- "type": "loopback"
-}
diff --git a/core/internal/containerd/ptp.json b/core/internal/containerd/ptp.json
deleted file mode 100644
index d95da5d..0000000
--- a/core/internal/containerd/ptp.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "name": "k8s-pod-network",
- "cniVersion": "0.3.1",
- "type": "ptp",
- "mtu": 1420,
- "ipam": {
- "type": "host-local",
- "subnet": "192.168.198.0/24",
- "routes": [{ "dst": "0.0.0.0/0" }],
- "dataDir": "/containerd/run/ipam"
- }
-}