Add Wireguard-based K8s pod networking
This adds a pod networking runnable based on Wireguard which watches all nodes
and adds their K8s IPAM allocations as routes into the kernel & WireGuard. It only depends
on K8s and only performs direct routing.
Test Plan: Manually tested by spinning up a two-node cluster and running two Alpine pods pinging each other. Can be covered by E2E tests once we can do image preseeding for the test infra (T793).
Bug: T487
X-Origin-Diff: phab/D573
GitOrigin-RevId: ba3fc36f421fd75002f6cf8bea25ed6f1eb457b0
diff --git a/core/internal/containerd/cnispec.gojson b/core/internal/containerd/cnispec.gojson
new file mode 100644
index 0000000..0057036
--- /dev/null
+++ b/core/internal/containerd/cnispec.gojson
@@ -0,0 +1,29 @@
+{{- /*gotype: github.com/containerd/cri/pkg/server.cniConfigTemplate*/ -}}
+{
+ "name": "k8s-pod-network",
+ "cniVersion": "0.3.1",
+ "plugins": [
+ {
+ "type": "ptp",
+ "mtu": 1420,
+ "ipam": {
+ "type": "host-local",
+ "dataDir": "/containerd/run/ipam",
+ "ranges": [
+ {{range $i, $range := .PodCIDRRanges}}{{if $i}},
+ {{end}}[
+ {
+ "subnet": "{{$range}}"
+ }
+ ]
+ {{end}}
+ ],
+ "routes": [
+ {{range $i, $route := .Routes}}{{if $i}},
+ {{end}}{
+ "dst": "{{$route}}"
+}{{end}}]
+}
+}
+]
+}
\ No newline at end of file
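Review bot: the `"mtu": 1420` on the ptp plugin is a hard-coded constant with no comment explaining where it comes from; it matches the usual WireGuard interface MTU (1500 minus WireGuard's encapsulation overhead), but if the underlay or the WireGuard interface is ever configured with a different MTU the pod veths will silently disagree with it and fragmentation or blackholed packets follow. Either add a comment stating the assumption (`"mtu": 1420, /* WireGuard default MTU */` is not valid JSON, so put the note in the template comment on the first line) or render it from a template field so the value is derived from the interface that is actually created. Also note the ptp plugin is the only entry in `"plugins"` and sets no `ipMasq`, so traffic leaving the pod CIDRs is not masqueraded; that is consistent with the "only performs direct routing" statement in the commit message, but worth a comment in the template so it is not read as an omission. Minor: the file ends without a trailing newline.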