The ip-masq-agent is an extension for managing IP masquerading, that is, for managing SNAT (Source Network Address Translation) rules for IP ranges on nodes.
ip-masq-agent configures iptables rules so that traffic sent to destinations outside the Kubernetes cluster nodes is masqueraded. By default, the three private IP ranges defined by RFC 1918 (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) are not masqueraded; the link-local range 169.254.0.0/16 is also treated as a non-masquerade range.
How to Deploy
Firstly, label the nodes where you want to run ip-masq-agent:
After deployment, check the iptables rules; you will find:
$ iptables -t nat -L IP-MASQ-AGENT
Chain IP-MASQ-AGENT (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             169.254.0.0/16       /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
RETURN     all  --  anywhere             10.0.0.0/8           /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
RETURN     all  --  anywhere             172.16.0.0/12        /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
RETURN     all  --  anywhere             192.168.0.0/16       /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
MASQUERADE  all  --  anywhere             anywhere             /* ip-masq-agent: outbound traffic should be subject to MASQUERADE (this match must come after cluster-local CIDR matches) */ ADDRTYPE match dst-type !LOCAL
By doing so, if you check the iptables rules again, you will see:
$ iptables -t nat -L IP-MASQ-AGENT
Chain IP-MASQ-AGENT (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             169.254.0.0/16       /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
RETURN     all  --  anywhere             10.0.0.0/8           /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
MASQUERADE  all  --  anywhere             anywhere             /* ip-masq-agent: outbound traffic should be subject to MASQUERADE (this match must come after cluster-local CIDR matches) */ ADDRTYPE match dst-type !LOCAL
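As an added example (not code from the original page or from the ip-masq-agent project), a small Python audit over a listing shaped like the one above: it parses the IP-MASQ-AGENT chain, simulates which destinations would be masqueraded (first matching rule wins, as in the chain), and flags a MASQUERADE rule that is not last, or a non-masquerade range that is missing or unexpected. The sample listing is constructed, and the ADDRTYPE dst-type !LOCAL match is not modelled.

```python
import ipaddress
import re

# Constructed sample shaped like the listing above, with the config narrowed to 10.0.0.0/8.
SAMPLE_CHAIN = """\
Chain IP-MASQ-AGENT (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             169.254.0.0/16       /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
RETURN     all  --  anywhere             10.0.0.0/8           /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
MASQUERADE  all  --  anywhere             anywhere             /* ip-masq-agent: outbound traffic should be subject to MASQUERADE (this match must come after cluster-local CIDR matches) */ ADDRTYPE match dst-type !LOCAL
"""

# Columns are target, prot, opt, source, destination; only the first and last matter here.
RULE_RE = re.compile(r"^(RETURN|MASQUERADE)\s+\S+\s+\S+\s+\S+\s+(\S+)")


def parse_chain(listing):
    """Return [(target, destination)] in chain order; header lines are skipped."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2)))
    return rules


def is_masqueraded(rules, dst_ip):
    """Walk the chain the way netfilter does: the first matching rule decides.
    The ADDRTYPE !LOCAL match is not modelled; dst_ip is assumed to be non-local."""
    ip = ipaddress.ip_address(dst_ip)
    for target, dst in rules:
        if dst == "anywhere" or ip in ipaddress.ip_network(dst, strict=False):
            return target == "MASQUERADE"
    return False  # fell off the chain without MASQUERADE: pod source IP is kept


def audit_chain(rules, expected_cidrs):
    """Findings an operator would want flagged before trusting the node's SNAT."""
    findings = []
    targets = [t for t, _ in rules]
    if "MASQUERADE" not in targets:
        findings.append("no MASQUERADE rule: egress leaves with pod source IPs")
    elif targets.index("MASQUERADE") != len(targets) - 1:
        findings.append("MASQUERADE is not the last rule: later RETURN rules never match")
    returned = {d for t, d in rules if t == "RETURN"}
    for cidr in expected_cidrs:
        if cidr not in returned:
            findings.append(f"expected non-masquerade range {cidr} has no RETURN rule")
    for cidr in sorted(returned - set(expected_cidrs)):
        findings.append(f"unexpected non-masquerade range {cidr}: traffic to it is not SNAT'ed")
    return findings
```

Feed it the output of `iptables -t nat -L IP-MASQ-AGENT` from a node together with the nonMasqueradeCIDRs you expect, and an empty findings list means the chain matches the intended policy.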
Windows IP Masquerading
While ip-masq-agent is only compatible with Linux, on Windows nodes similar functionality can be achieved through the CNI configuration, by adding the ranges that should not be SNAT'ed to the ExceptionList of the OutBoundNAT policy:
Unleashing the ip-masq-agent for Kubernetes Networking
Manage your clusters' IP masquerading like a boss with ip-masq-agent!
Are you trying to tame the networking beast within your Kubernetes cluster? Look no further than the ip-masq-agent, the handy extension designed to manage those sneaky SNAT rules on your nodes!
When you're sending traffic out of the cluster kingdom to foreign lands (read: external destinations), ip-masq-agent steps in like a digital Gandalf and manages IP masquerading for you. It's smart enough to know that some IP ranges, namely our good old RFC 1918 private neighborhoods 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, plus the link-local alleyway 169.254.0.0/16, don't need masquerading.
How to Wave Your Magic Wand (Deploy)
First up, mark your loyal nodes to prepare them for the ip-masq-agent's enchantment:
After you do this, a peek into the iptables book will show you a streamlined list of protected ranges.
Windows Wizards Unite!
Linux wizards aren't the only ones with tricks up their sleeves. On Windows nodes, you can pull off similar feats using CNI configuration. Just add any IP ranges that are to be excused from SNAT into the ExceptionList for a flawless masquerade dodge. Check out this neat enchantment:
And there you have it, modern warlocks and witches! With ip-masq-agent at your side, you can navigate the complicated web of Kubernetes networking with the grace and ease of a dragon in flight. Happy masquerading!