squat / kilo

Kilo is a multi-cloud network overlay built on WireGuard and designed for Kubernetes (k8s + wg = kg)
https://kilo.squat.ai
Apache License 2.0

Allow disabling private IP #15

Open SerialVelocity opened 5 years ago

SerialVelocity commented 5 years ago

Hi squat!

Is there a way to completely disable the private IP? I have hosts that do not have a private interface. Currently I'm forcing the private IP to a random IP that doesn't exist but it still adds it to the allowed ips list.

squat commented 3 years ago

This is landing today thanks to @leonnicolas 🚀 🚀

SerialVelocity commented 3 years ago

@squat @leonnicolas Could you give an example of how to disable private IPs? Do I need to set kilo.squat.ai/force-internal-ip to an empty string? (my hosts have private IPs that cannot be used or all networking breaks)

leonnicolas commented 3 years ago

#104 allows nodes that have no private IPs. Prior to the PR, the internal IP was set to the public IP, when no private IPs were found. Now with #104 the internal-ip annotation is set to "" by Kilo and these nodes are being treated as if they were in a different location. Meaning, communication to other nodes happens over the WireGuard interface even if they are in the same location (kilo.squat.ai/location="..." is equal) e.g. the default location. So I guess if your nodes have private IPs, but you don't want to use them, this PR doesn't really help you. You can't disable using private IPs with a flag.

squat commented 3 years ago

Maybe we need to enable setting the annotation kilo.squat.ai/force-internal-ip="" to force disabling private IPs

SerialVelocity commented 3 years ago

Ok, worth reopening this issue then @squat as the PR wasn't for this? It would be nice if there was also a flag to disable it so an annotation isn't necessary if there are no private IPs in the cluster.

squat commented 3 years ago

Reopening :) #104 allowed adding nodes to the mesh that don't have private IPs, but doesn't provide a programmatic way to disable private IPs on nodes that have them but shouldn't use them.

Acceptance criteria:

leonnicolas commented 3 years ago
  • using the --private-networking=false flag disables private networking on a node

This might not make sense because Kilo is normally run as a DaemonSet, so using this flag will cause all nodes to run with disabled private networking.

Whereas the annotation is more targeted and it could also achieve the above functionality with this one-liner:

for node in $(kubectl get nodes -o name); do kubectl annotate "$node" kilo.squat.ai/force-internal-ip="-"; done

leonnicolas commented 3 years ago
  • setting kilo.squat.ai/force-internal-ip="" on a node disables private networking for the node

This was implemented in #127.
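
Added example (not part of the thread and not Kilo's own code): a small audit over `kubectl get nodes -o json` output that lists which nodes have private networking disabled, and which same-location groups still have private IPs in use and so would not be forced onto the WireGuard interface for traffic between them. Assumptions: the "internal-ip annotation" has the full key `kilo.squat.ai/internal-ip`, the location is read only from the `kilo.squat.ai/location` annotation, both `""` and `"-"` disable private networking as the thread suggests, and the node data is a constructed sample.

```python
import json
from collections import defaultdict

FORCE = "kilo.squat.ai/force-internal-ip"   # annotation named in the thread
LOCATION = "kilo.squat.ai/location"         # annotation named in the thread
INTERNAL = "kilo.squat.ai/internal-ip"      # assumed full key of the "internal-ip annotation"
DEFAULT_LOCATION = "(default)"              # hypothetical label for nodes with no location set

def node(name, annotations):
    return {"metadata": {"name": name, "annotations": annotations}}

# Constructed sample shaped like `kubectl get nodes -o json`.
SAMPLE = json.dumps({"items": [
    node("a", {LOCATION: "dc1", INTERNAL: "10.0.0.1/24"}),
    node("b", {LOCATION: "dc1", INTERNAL: "10.0.0.2/24"}),
    node("c", {LOCATION: "dc1", INTERNAL: "10.0.0.3/24", FORCE: "-"}),
    node("d", {INTERNAL: ""}),                      # Kilo found no private IP
    node("e", {LOCATION: "dc2", INTERNAL: "10.1.0.1/24"}),
]})

def private_networking_disabled(annotations):
    """True if the node is treated as having no private IP."""
    if FORCE in annotations:
        # Operator override: "" (acceptance criterion) or "-" (the one-liner).
        return annotations[FORCE] in ("", "-")
    # No override: Kilo writes "" when it discovered no private IP.
    return annotations.get(INTERNAL) == ""

def audit(nodes_json):
    """Return (nodes with private networking disabled,
    {location: nodes that still have private IPs in use alongside a peer})."""
    wg_only, by_location = [], defaultdict(list)
    for item in json.loads(nodes_json)["items"]:
        meta = item["metadata"]
        ann = meta.get("annotations") or {}
        if private_networking_disabled(ann):
            wg_only.append(meta["name"])
        else:
            by_location[ann.get(LOCATION, DEFAULT_LOCATION)].append(meta["name"])
    # A lone node in a location has no same-location peer to reach privately.
    private_groups = {loc: sorted(n) for loc, n in by_location.items() if len(n) > 1}
    return sorted(wg_only), private_groups

if __name__ == "__main__":
    disabled, private_groups = audit(SAMPLE)
    print("private networking disabled:", disabled)
    print("same-location groups with private IPs in use:", private_groups)
```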