github.com/cilium/cilium@v1.16.2/Documentation/network/concepts/masquerading.rst (about)

     1  .. only:: not (epub or latex or html)
     2  
     3      WARNING: You are looking at unreleased Cilium documentation.
     4      Please use the official rendered version released here:
     5      https://docs.cilium.io
     6  
     7  .. _concepts_masquerading:
     8  
     9  Masquerading
    10  ============
    11  
    12  IPv4 addresses used for pods are typically allocated from RFC1918 private
    13  address blocks and thus, not publicly routable. Cilium will automatically
    14  masquerade the source IP address of all traffic that is leaving the cluster to
    15  the IPv4 address of the node as the node's IP address is already routable on
    16  the network.
    17  
    18  .. image:: masquerade.png
    19      :align: center
    20  
    21  This behavior can be disabled with the option ``enable-ipv4-masquerade: false``
    22  for IPv4 and ``enable-ipv6-masquerade: false`` for IPv6 traffic leaving the host.
    23  
    24  Configuration
    25  -------------
    26  
    27  Setting the routable CIDR
    28    The default behavior is to exclude any destination within the IP allocation
    29    CIDR of the local node. If the pod IPs are routable across a wider network,
    30    that network can be specified with the option: ``ipv4-native-routing-cidr:
    31    10.0.0.0/8`` (or ``ipv6-native-routing-cidr: fd00::/100`` for IPv6 addresses)
    32    in which case all destinations within that CIDR will **not** be masqueraded.
    33  
    34  Setting the masquerading interface
    35    See :ref:`masq_modes` for configuring the masquerading interfaces.
    36  
    37  .. _masq_modes:
    38  
    39  Implementation Modes
    40  --------------------
    41  
    42  eBPF-based
    43  **********
    44  
    45  .. note::
    46  
    47     **IPv6** BPF masquerading is a beta feature. Please provide feedback and
    48     file a GitHub issue if you experience any problems. IPv4 BPF masquerading is
    49     production-ready.
    50  
    51  The eBPF-based implementation is the most efficient
    52  implementation. It requires Linux kernel 4.19 and can be enabled with
    53  the ``bpf.masquerade=true`` helm option.
    54  
    55  The current implementation depends on :ref:`the BPF NodePort feature <kubeproxy-free>`.
    56  The dependency will be removed in the future (:gh-issue:`13732`).
    57  
    58  Masquerading can take place only on those devices which run the eBPF masquerading
    59  program. This means that a packet sent from a pod to an outside address will be
    60  masqueraded (to an output device IPv4 address), if the output device runs the program.
    61  If not specified, the program will be automatically attached to the devices selected by
    62  :ref:`the BPF NodePort device detection mechanism <Nodeport Devices>`.
    63  To manually change this, use the ``devices`` helm option. Use ``cilium status``
    64  to determine which devices the program is running on:
    65  
    66  .. code-block:: shell-session
    67  
    68      $ kubectl -n kube-system exec ds/cilium -- cilium-dbg status | grep Masquerading
    69      Masquerading:   BPF (ip-masq-agent)   [eth0, eth1]  10.0.0.0/16
    70  
    71  From the output above, the program is running on the ``eth0`` and ``eth1`` devices.
    72  
    73  
    74  The eBPF-based masquerading can masquerade packets of the following L4 protocols:
    75  
    76  - TCP
    77  - UDP
    78  - ICMP
    79  
    80  .. note::
    81  
    82      For ICMP, support is limited to Echo request, Echo reply, and the
    83      error message "Destination unreachable, fragmentation required,
    84      and DF flag set".
    85  
    86  By default, all packets from a pod destined to an IP address outside of the
    87  ``ipv4-native-routing-cidr`` range are masqueraded, except for packets destined
    88  to other cluster nodes (as with ``ipv6-native-routing-cidr`` for IPv6). The
    89  preceding output shows the exclusion CIDR of ``cilium status``
    90  (``10.0.0.0/16``).
    91  
    92  .. note::
    93  
    94      When eBPF-masquerading is enabled, traffic from pods to the External IP of
    95      cluster nodes will also not be masqueraded. The eBPF implementation differs
    96      from the iptables-based masquerading on that aspect. This limitation is
    97      tracked at :gh-issue:`17177`.
    98  
    99  To allow more fine-grained control, Cilium implements `ip-masq-agent
   100  <https://github.com/kubernetes-sigs/ip-masq-agent>`_ in eBPF which can be
   101  enabled with the ``ipMasqAgent.enabled=true`` helm option.
   102  
   103  The eBPF-based ip-masq-agent supports the ``nonMasqueradeCIDRs``, ``masqLinkLocal``, and
   104  ``masqLinkLocalIPv6`` options set in a configuration file. A packet sent from a pod to
   105  a destination which belongs to any CIDR from the ``nonMasqueradeCIDRs`` is not
   106  going to be masqueraded. If the configuration file is empty, the agent will provision
   107  the following non-masquerade CIDRs:
   108  
   109  - ``10.0.0.0/8``
   110  - ``172.16.0.0/12``
   111  - ``192.168.0.0/16``
   112  - ``100.64.0.0/10``
   113  - ``192.0.0.0/24``
   114  - ``192.0.2.0/24``
   115  - ``192.88.99.0/24``
   116  - ``198.18.0.0/15``
   117  - ``198.51.100.0/24``
   118  - ``203.0.113.0/24``
   119  - ``240.0.0.0/4``
   120  
   121  In addition, if the ``masqLinkLocal`` is not set or set to false, then
   122  ``169.254.0.0/16`` is appended to the non-masquerade CIDRs list. For IPv6, if
   123  ``masqLinkLocalIPv6`` is not set or set to false, ``fe80::/10`` is appended.
   124  
   125  
   126  The agent uses Fsnotify to track updates to the configuration file, so the original
   127  ``resyncInterval`` option is unnecessary.
   128  
   129  The example below shows how to configure the agent via :term:`ConfigMap` and to verify it:
   130  
   131  .. literalinclude:: ../../../examples/kubernetes-ip-masq-agent/rfc1918.yaml
   132  
   133  .. parsed-literal::
   134  
   135      $ kubectl create -n kube-system -f \ |SCM_WEB|\/examples/kubernetes-ip-masq-agent/rfc1918.yaml
   136  
   137      $ # Wait ~60s until the ConfigMap is propagated into the configuration file
   138  
   139      $ kubectl -n kube-system exec ds/cilium -- cilium-dbg bpf ipmasq list
   140      IP PREFIX/ADDRESS
   141      10.0.0.0/8
   142      172.16.0.0/12
   143      192.168.0.0/16
   144  
   145  Alternatively, you can pass ``--set ipMasqAgent.config.nonMasqueradeCIDRs='{10.0.0.0/8,172.16.0.0/12,192.168.0.0/16}'``
   146  and ``--set ipMasqAgent.config.masqLinkLocal=false`` (or with the corresponding
   147  option, for IPv6) when installing Cilium via Helm to
   148  configure the ``ip-masq-agent`` as above.
   149  
   150  iptables-based
   151  **************
   152  
   153  This is the legacy implementation that will work on all kernel versions.
   154  
   155  The default behavior will masquerade all traffic leaving on a non-Cilium
   156  network device. This typically leads to the correct behavior. In order to
   157  limit the network interface on which masquerading should be performed, the
   158  option ``egress-masquerade-interfaces: eth0`` can be used.
   159  
   160  .. note::
   161  
   162     It is possible to specify an interface prefix as well, by specifying
   163     ``eth+``, all interfaces matching the prefix ``eth`` will be used for
   164     masquerading.
   165  
   166  For the advanced case where the routing layer would select different source addresses
   167  depending on the destination CIDR, the option ``enable-masquerade-to-route-source: "true"``
   168  can be used in order to masquerade to the source addresses rather than to the
   169  primary interface address. The latter is then only considered as a catch-all
   170  fallback, and for the default routes. For these advanced cases the user needs
   171  to ensure that there are no overlapping destination CIDRs as routes on the
   172  relevant masquerading interfaces.