diff --git a/api/resource/definitions/kubespan/kubespan.proto b/api/resource/definitions/kubespan/kubespan.proto
index 2bbc3d8b40..7aa26f7fa7 100755
--- a/api/resource/definitions/kubespan/kubespan.proto
+++ b/api/resource/definitions/kubespan/kubespan.proto
@@ -16,6 +16,8 @@ message ConfigSpec {
bool force_routing = 4;
bool advertise_kubernetes_networks = 5;
uint32 mtu = 6;
+ repeated string filter_endpoints = 7;
+ repeated string filter_native_route = 8;
}
// EndpointSpec describes Endpoint state.
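Review bot: The two new fields carry no comment, unlike the surrounding message which is documented at the message level, so a reader of the generated API reference (the api.md hunk in this commit renders an empty description column for both) cannot tell what the strings are. Add field comments such as `// filter_endpoints is the CIDR list used to select which node IPs are advertised as KubeSpan endpoints.` above field 7 and `// filter_native_route is the CIDR list of destinations that are routed natively instead of via KubeSpan.` above field 8. The generated kubespan.pb.go and the website reference would then need regenerating.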
diff --git a/internal/app/machined/pkg/controllers/cluster/local_affiliate.go b/internal/app/machined/pkg/controllers/cluster/local_affiliate.go
index c67ed24605..575be7a2b7 100644
--- a/internal/app/machined/pkg/controllers/cluster/local_affiliate.go
+++ b/internal/app/machined/pkg/controllers/cluster/local_affiliate.go
@@ -14,6 +14,7 @@ import (
"github.com/cosi-project/runtime/pkg/safe"
"github.com/cosi-project/runtime/pkg/state"
"github.com/siderolabs/go-pointer"
+ "github.com/siderolabs/net"
"go.uber.org/zap"
"github.com/siderolabs/talos/pkg/machinery/constants"
@@ -216,9 +217,18 @@ func (ctrl *LocalAffiliateController) Run(ctx context.Context, r controller.Runt
spec.KubeSpan.AdditionalAddresses = nil
}
- endpoints := make([]netip.AddrPort, 0, len(nodeIPs))
+ endpointsIP := nodeIPs
- for _, ip := range nodeIPs {
+ if len(kubespanConfig.TypedSpec().FilterEndpoints) > 0 {
+ endpointsIP, err = net.FilterIPs(nodeIPs, kubespanConfig.TypedSpec().FilterEndpoints)
+ if err != nil {
+ return fmt.Errorf("error filtering KubeSpanEndpoints IPs: %w", err)
+ }
+ }
+
+ endpoints := make([]netip.AddrPort, 0, len(endpointsIP))
+
+ for _, ip := range endpointsIP {
if ip == spec.KubeSpan.Address {
// skip kubespan local address
continue
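Review bot: An invalid CIDR string in FilterEndpoints is only detected here, inside the reconcile loop, so the controller returns `error filtering KubeSpanEndpoints IPs` on every run and, as far as this hunk shows, the local affiliate is never published until the machine config is corrected. Parsing and rejecting the CIDR list at config validation time (outside this diff) would surface the mistake where the operator can see it and keep this path error-free. The assignment `endpointsIP, err = net.FilterIPs(...)` uses `=`, so it relies on an `err` already declared earlier in Run; that declaration is outside the hunk and should be confirmed. Since the v1alpha1 provider defaults FilterEndpoints to a non-empty list, the `len(...) > 0` guard is effectively always true for v1alpha1 configs and the CIDRs are re-parsed on every reconcile, which is acceptable but worth a comment. Run starts and ends outside this hunk.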
diff --git a/internal/app/machined/pkg/controllers/kubespan/config.go b/internal/app/machined/pkg/controllers/kubespan/config.go
index 4a07da75fe..d3c1b9502e 100644
--- a/internal/app/machined/pkg/controllers/kubespan/config.go
+++ b/internal/app/machined/pkg/controllers/kubespan/config.go
@@ -76,6 +76,8 @@ func (ctrl *ConfigController) Run(ctx context.Context, r controller.Runtime, log
res.(*kubespan.Config).TypedSpec().ForceRouting = c.Machine().Network().KubeSpan().ForceRouting()
res.(*kubespan.Config).TypedSpec().AdvertiseKubernetesNetworks = c.Machine().Network().KubeSpan().AdvertiseKubernetesNetworks()
res.(*kubespan.Config).TypedSpec().MTU = c.Machine().Network().KubeSpan().MTU()
+ res.(*kubespan.Config).TypedSpec().FilterEndpoints = c.Machine().Network().KubeSpan().Filters().Endpoints()
+ res.(*kubespan.Config).TypedSpec().FilterNativeRoute = c.Machine().Network().KubeSpan().Filters().NativeRoute()
return nil
}); err != nil {
diff --git a/internal/app/machined/pkg/controllers/kubespan/manager.go b/internal/app/machined/pkg/controllers/kubespan/manager.go
index d678a12ef8..02c05f6071 100644
--- a/internal/app/machined/pkg/controllers/kubespan/manager.go
+++ b/internal/app/machined/pkg/controllers/kubespan/manager.go
@@ -17,6 +17,7 @@ import (
"github.com/cosi-project/runtime/pkg/state"
"github.com/siderolabs/gen/value"
"github.com/siderolabs/go-pointer"
+ "github.com/siderolabs/net"
"go.uber.org/zap"
"go4.org/netipx"
"golang.zx2c4.com/wireguard/wgctrl"
@@ -358,6 +359,13 @@ func (ctrl *ManagerController) Run(ctx context.Context, r controller.Runtime, lo
// or if the peer connection state is up.
if cfgSpec.ForceRouting || peerStatus.State == kubespan.PeerStateUp {
for _, prefix := range peerSpec.AllowedIPs {
+ // For optimization purposes.
+ if cfgSpec.FilterNativeRoute != nil && prefix.IsSingleIP() {
+ if exist, err := net.FilterIPs([]netip.Addr{prefix.Addr()}, cfgSpec.FilterNativeRoute); err == nil && exist != nil {
+ continue
+ }
+ }
+
allowedIPsBuilder.AddPrefix(prefix)
}
}
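Review bot: The nativeRoute filter is only applied to single-IP allowed IPs (`prefix.IsSingleIP()`), so any wider prefix a peer announces, such as a pod CIDR when AdvertiseKubernetesNetworks is set, is never filtered even if it lies entirely inside a filterNativeRoute CIDR; the user-facing description "Skip sending traffic via KubeSpan if the destination in that CIDR list" promises more than this, so either document the limitation or compare prefixes rather than single addresses. The comment `// For optimization purposes.` misdescribes the block, which implements the feature rather than optimizing it. The `err == nil && exist != nil` condition silently drops any parse error, so a malformed CIDR disables the filter without any signal, which diverges from local_affiliate.go where the same call returns a wrapped error; the rewrite below mirrors that and assumes `fmt` is already imported in manager.go, which this hunk does not show. FilterIPs re-parses the CIDR list for every prefix of every peer on every reconcile, so parsing once before the peer loop would be cheaper. Run starts and ends outside this hunk.
```go
// Native-route filter: an allowed IP that falls inside a
// filterNativeRoute CIDR is left out of AllowedIPs so the kernel
// routes it directly instead of via the WireGuard link.
// Only single-IP prefixes are considered; wider prefixes are kept.
if len(cfgSpec.FilterNativeRoute) > 0 && prefix.IsSingleIP() {
    matched, err := net.FilterIPs([]netip.Addr{prefix.Addr()}, cfgSpec.FilterNativeRoute)
    if err != nil {
        return fmt.Errorf("error applying KubeSpan native route filter: %w", err)
    }

    if len(matched) > 0 {
        continue
    }
}

allowedIPsBuilder.AddPrefix(prefix)
```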
diff --git a/pkg/machinery/api/resource/definitions/kubespan/kubespan.pb.go b/pkg/machinery/api/resource/definitions/kubespan/kubespan.pb.go
index 57428b2e61..c9417467b5 100644
--- a/pkg/machinery/api/resource/definitions/kubespan/kubespan.pb.go
+++ b/pkg/machinery/api/resource/definitions/kubespan/kubespan.pb.go
@@ -31,12 +31,14 @@ type ConfigSpec struct {
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
- Enabled bool `protobuf:"varint,1,opt,name=enabled,proto3" json:"enabled,omitempty"`
- ClusterId string `protobuf:"bytes,2,opt,name=cluster_id,json=clusterId,proto3" json:"cluster_id,omitempty"`
- SharedSecret string `protobuf:"bytes,3,opt,name=shared_secret,json=sharedSecret,proto3" json:"shared_secret,omitempty"`
- ForceRouting bool `protobuf:"varint,4,opt,name=force_routing,json=forceRouting,proto3" json:"force_routing,omitempty"`
- AdvertiseKubernetesNetworks bool `protobuf:"varint,5,opt,name=advertise_kubernetes_networks,json=advertiseKubernetesNetworks,proto3" json:"advertise_kubernetes_networks,omitempty"`
- Mtu uint32 `protobuf:"varint,6,opt,name=mtu,proto3" json:"mtu,omitempty"`
+ Enabled bool `protobuf:"varint,1,opt,name=enabled,proto3" json:"enabled,omitempty"`
+ ClusterId string `protobuf:"bytes,2,opt,name=cluster_id,json=clusterId,proto3" json:"cluster_id,omitempty"`
+ SharedSecret string `protobuf:"bytes,3,opt,name=shared_secret,json=sharedSecret,proto3" json:"shared_secret,omitempty"`
+ ForceRouting bool `protobuf:"varint,4,opt,name=force_routing,json=forceRouting,proto3" json:"force_routing,omitempty"`
+ AdvertiseKubernetesNetworks bool `protobuf:"varint,5,opt,name=advertise_kubernetes_networks,json=advertiseKubernetesNetworks,proto3" json:"advertise_kubernetes_networks,omitempty"`
+ Mtu uint32 `protobuf:"varint,6,opt,name=mtu,proto3" json:"mtu,omitempty"`
+ FilterEndpoints []string `protobuf:"bytes,7,rep,name=filter_endpoints,json=filterEndpoints,proto3" json:"filter_endpoints,omitempty"`
+ FilterNativeRoute []string `protobuf:"bytes,8,rep,name=filter_native_route,json=filterNativeRoute,proto3" json:"filter_native_route,omitempty"`
}
func (x *ConfigSpec) Reset() {
@@ -113,6 +115,20 @@ func (x *ConfigSpec) GetMtu() uint32 {
return 0
}
+func (x *ConfigSpec) GetFilterEndpoints() []string {
+ if x != nil {
+ return x.FilterEndpoints
+ }
+ return nil
+}
+
+func (x *ConfigSpec) GetFilterNativeRoute() []string {
+ if x != nil {
+ return x.FilterNativeRoute
+ }
+ return nil
+}
+
// EndpointSpec describes Endpoint state.
type EndpointSpec struct {
state protoimpl.MessageState
@@ -434,7 +450,7 @@ var file_resource_definitions_kubespan_kubespan_proto_rawDesc = []byte{
0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x26, 0x72, 0x65, 0x73, 0x6f, 0x75,
0x72, 0x63, 0x65, 0x2f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2f,
0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2f, 0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74,
- 0x6f, 0x22, 0xe5, 0x01, 0x0a, 0x0a, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x53, 0x70, 0x65, 0x63,
+ 0x6f, 0x22, 0xc0, 0x02, 0x0a, 0x0a, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x53, 0x70, 0x65, 0x63,
0x12, 0x18, 0x0a, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28,
0x08, 0x52, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x12, 0x1d, 0x0a, 0x0a, 0x63, 0x6c,
0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09,
@@ -448,69 +464,75 @@ var file_resource_definitions_kubespan_kubespan_proto_rawDesc = []byte{
0x6f, 0x72, 0x6b, 0x73, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x1b, 0x61, 0x64, 0x76, 0x65,
0x72, 0x74, 0x69, 0x73, 0x65, 0x4b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x4e,
0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x73, 0x12, 0x10, 0x0a, 0x03, 0x6d, 0x74, 0x75, 0x18, 0x06,
- 0x20, 0x01, 0x28, 0x0d, 0x52, 0x03, 0x6d, 0x74, 0x75, 0x22, 0x60, 0x0a, 0x0c, 0x45, 0x6e, 0x64,
- 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x53, 0x70, 0x65, 0x63, 0x12, 0x21, 0x0a, 0x0c, 0x61, 0x66, 0x66,
- 0x69, 0x6c, 0x69, 0x61, 0x74, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
- 0x0b, 0x61, 0x66, 0x66, 0x69, 0x6c, 0x69, 0x61, 0x74, 0x65, 0x49, 0x64, 0x12, 0x2d, 0x0a, 0x08,
- 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11,
- 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4e, 0x65, 0x74, 0x49, 0x50, 0x50, 0x6f, 0x72,
- 0x74, 0x52, 0x08, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x22, 0xaa, 0x01, 0x0a, 0x0c,
- 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x53, 0x70, 0x65, 0x63, 0x12, 0x2d, 0x0a, 0x07,
- 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e,
- 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4e, 0x65, 0x74, 0x49, 0x50, 0x50, 0x72, 0x65, 0x66,
- 0x69, 0x78, 0x52, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x2b, 0x0a, 0x06, 0x73,
- 0x75, 0x62, 0x6e, 0x65, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x63, 0x6f,
- 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4e, 0x65, 0x74, 0x49, 0x50, 0x50, 0x72, 0x65, 0x66, 0x69, 0x78,
- 0x52, 0x06, 0x73, 0x75, 0x62, 0x6e, 0x65, 0x74, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x72, 0x69, 0x76,
- 0x61, 0x74, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70,
- 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x1d, 0x0a, 0x0a, 0x70, 0x75, 0x62,
- 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x70,
- 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x22, 0xb4, 0x01, 0x0a, 0x0c, 0x50, 0x65, 0x65,
- 0x72, 0x53, 0x70, 0x65, 0x63, 0x53, 0x70, 0x65, 0x63, 0x12, 0x27, 0x0a, 0x07, 0x61, 0x64, 0x64,
- 0x72, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0d, 0x2e, 0x63, 0x6f, 0x6d,
- 0x6d, 0x6f, 0x6e, 0x2e, 0x4e, 0x65, 0x74, 0x49, 0x50, 0x52, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65,
- 0x73, 0x73, 0x12, 0x34, 0x0a, 0x0b, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x5f, 0x69, 0x70,
- 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e,
- 0x2e, 0x4e, 0x65, 0x74, 0x49, 0x50, 0x50, 0x72, 0x65, 0x66, 0x69, 0x78, 0x52, 0x0a, 0x61, 0x6c,
- 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x49, 0x70, 0x73, 0x12, 0x2f, 0x0a, 0x09, 0x65, 0x6e, 0x64, 0x70,
- 0x6f, 0x69, 0x6e, 0x74, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x63, 0x6f,
- 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4e, 0x65, 0x74, 0x49, 0x50, 0x50, 0x6f, 0x72, 0x74, 0x52, 0x09,
- 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x6c, 0x61, 0x62,
- 0x65, 0x6c, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x22,
- 0xc7, 0x03, 0x0a, 0x0e, 0x50, 0x65, 0x65, 0x72, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x53, 0x70,
- 0x65, 0x63, 0x12, 0x2d, 0x0a, 0x08, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18, 0x01,
- 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4e, 0x65,
- 0x74, 0x49, 0x50, 0x50, 0x6f, 0x72, 0x74, 0x52, 0x08, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e,
- 0x74, 0x12, 0x14, 0x0a, 0x05, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09,
- 0x52, 0x05, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x12, 0x49, 0x0a, 0x05, 0x73, 0x74, 0x61, 0x74, 0x65,
- 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x33, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72,
- 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69,
- 0x6f, 0x6e, 0x73, 0x2e, 0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x4b, 0x75, 0x62, 0x65, 0x73, 0x70,
- 0x61, 0x6e, 0x50, 0x65, 0x65, 0x72, 0x53, 0x74, 0x61, 0x74, 0x65, 0x52, 0x05, 0x73, 0x74, 0x61,
- 0x74, 0x65, 0x12, 0x23, 0x0a, 0x0d, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x5f, 0x62, 0x79,
- 0x74, 0x65, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0c, 0x72, 0x65, 0x63, 0x65, 0x69,
- 0x76, 0x65, 0x42, 0x79, 0x74, 0x65, 0x73, 0x12, 0x25, 0x0a, 0x0e, 0x74, 0x72, 0x61, 0x6e, 0x73,
- 0x6d, 0x69, 0x74, 0x5f, 0x62, 0x79, 0x74, 0x65, 0x73, 0x18, 0x05, 0x20, 0x01, 0x28, 0x03, 0x52,
- 0x0d, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x6d, 0x69, 0x74, 0x42, 0x79, 0x74, 0x65, 0x73, 0x12, 0x4a,
- 0x0a, 0x13, 0x6c, 0x61, 0x73, 0x74, 0x5f, 0x68, 0x61, 0x6e, 0x64, 0x73, 0x68, 0x61, 0x6b, 0x65,
- 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f,
- 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69,
- 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x11, 0x6c, 0x61, 0x73, 0x74, 0x48, 0x61, 0x6e,
- 0x64, 0x73, 0x68, 0x61, 0x6b, 0x65, 0x54, 0x69, 0x6d, 0x65, 0x12, 0x3f, 0x0a, 0x12, 0x6c, 0x61,
- 0x73, 0x74, 0x5f, 0x75, 0x73, 0x65, 0x64, 0x5f, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74,
- 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e,
- 0x4e, 0x65, 0x74, 0x49, 0x50, 0x50, 0x6f, 0x72, 0x74, 0x52, 0x10, 0x6c, 0x61, 0x73, 0x74, 0x55,
- 0x73, 0x65, 0x64, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x4c, 0x0a, 0x14, 0x6c,
- 0x61, 0x73, 0x74, 0x5f, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x5f, 0x63, 0x68, 0x61,
- 0x6e, 0x67, 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67,
- 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65,
- 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x12, 0x6c, 0x61, 0x73, 0x74, 0x45, 0x6e, 0x64, 0x70, 0x6f,
- 0x69, 0x6e, 0x74, 0x43, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x42, 0x4d, 0x5a, 0x4b, 0x67, 0x69, 0x74,
- 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x64, 0x65, 0x72, 0x6f, 0x6c, 0x61,
- 0x62, 0x73, 0x2f, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x6d, 0x61, 0x63,
- 0x68, 0x69, 0x6e, 0x65, 0x72, 0x79, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x72, 0x65, 0x73, 0x6f, 0x75,
- 0x72, 0x63, 0x65, 0x2f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2f,
- 0x6b, 0x75, 0x62, 0x65, 0x73, 0x70, 0x61, 0x6e, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+ 0x20, 0x01, 0x28, 0x0d, 0x52, 0x03, 0x6d, 0x74, 0x75, 0x12, 0x29, 0x0a, 0x10, 0x66, 0x69, 0x6c,
+ 0x74, 0x65, 0x72, 0x5f, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x73, 0x18, 0x07, 0x20,
+ 0x03, 0x28, 0x09, 0x52, 0x0f, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x45, 0x6e, 0x64, 0x70, 0x6f,
+ 0x69, 0x6e, 0x74, 0x73, 0x12, 0x2e, 0x0a, 0x13, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x5f, 0x6e,
+ 0x61, 0x74, 0x69, 0x76, 0x65, 0x5f, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x18, 0x08, 0x20, 0x03, 0x28,
+ 0x09, 0x52, 0x11, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x4e, 0x61, 0x74, 0x69, 0x76, 0x65, 0x52,
+ 0x6f, 0x75, 0x74, 0x65, 0x22, 0x60, 0x0a, 0x0c, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74,
+ 0x53, 0x70, 0x65, 0x63, 0x12, 0x21, 0x0a, 0x0c, 0x61, 0x66, 0x66, 0x69, 0x6c, 0x69, 0x61, 0x74,
+ 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x61, 0x66, 0x66, 0x69,
+ 0x6c, 0x69, 0x61, 0x74, 0x65, 0x49, 0x64, 0x12, 0x2d, 0x0a, 0x08, 0x65, 0x6e, 0x64, 0x70, 0x6f,
+ 0x69, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d,
+ 0x6f, 0x6e, 0x2e, 0x4e, 0x65, 0x74, 0x49, 0x50, 0x50, 0x6f, 0x72, 0x74, 0x52, 0x08, 0x65, 0x6e,
+ 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x22, 0xaa, 0x01, 0x0a, 0x0c, 0x49, 0x64, 0x65, 0x6e, 0x74,
+ 0x69, 0x74, 0x79, 0x53, 0x70, 0x65, 0x63, 0x12, 0x2d, 0x0a, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65,
+ 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f,
+ 0x6e, 0x2e, 0x4e, 0x65, 0x74, 0x49, 0x50, 0x50, 0x72, 0x65, 0x66, 0x69, 0x78, 0x52, 0x07, 0x61,
+ 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x2b, 0x0a, 0x06, 0x73, 0x75, 0x62, 0x6e, 0x65, 0x74,
+ 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e,
+ 0x4e, 0x65, 0x74, 0x49, 0x50, 0x50, 0x72, 0x65, 0x66, 0x69, 0x78, 0x52, 0x06, 0x73, 0x75, 0x62,
+ 0x6e, 0x65, 0x74, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x5f, 0x6b,
+ 0x65, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74,
+ 0x65, 0x4b, 0x65, 0x79, 0x12, 0x1d, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b,
+ 0x65, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63,
+ 0x4b, 0x65, 0x79, 0x22, 0xb4, 0x01, 0x0a, 0x0c, 0x50, 0x65, 0x65, 0x72, 0x53, 0x70, 0x65, 0x63,
+ 0x53, 0x70, 0x65, 0x63, 0x12, 0x27, 0x0a, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18,
+ 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0d, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4e,
+ 0x65, 0x74, 0x49, 0x50, 0x52, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x34, 0x0a,
+ 0x0b, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x5f, 0x69, 0x70, 0x73, 0x18, 0x02, 0x20, 0x03,
+ 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4e, 0x65, 0x74, 0x49,
+ 0x50, 0x50, 0x72, 0x65, 0x66, 0x69, 0x78, 0x52, 0x0a, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64,
+ 0x49, 0x70, 0x73, 0x12, 0x2f, 0x0a, 0x09, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x73,
+ 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e,
+ 0x4e, 0x65, 0x74, 0x49, 0x50, 0x50, 0x6f, 0x72, 0x74, 0x52, 0x09, 0x65, 0x6e, 0x64, 0x70, 0x6f,
+ 0x69, 0x6e, 0x74, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x18, 0x04, 0x20,
+ 0x01, 0x28, 0x09, 0x52, 0x05, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x22, 0xc7, 0x03, 0x0a, 0x0e, 0x50,
+ 0x65, 0x65, 0x72, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x53, 0x70, 0x65, 0x63, 0x12, 0x2d, 0x0a,
+ 0x08, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32,
+ 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4e, 0x65, 0x74, 0x49, 0x50, 0x50, 0x6f,
+ 0x72, 0x74, 0x52, 0x08, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x14, 0x0a, 0x05,
+ 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6c, 0x61, 0x62,
+ 0x65, 0x6c, 0x12, 0x49, 0x0a, 0x05, 0x73, 0x74, 0x61, 0x74, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28,
+ 0x0e, 0x32, 0x33, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72,
+ 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x65,
+ 0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x4b, 0x75, 0x62, 0x65, 0x73, 0x70, 0x61, 0x6e, 0x50, 0x65, 0x65,
+ 0x72, 0x53, 0x74, 0x61, 0x74, 0x65, 0x52, 0x05, 0x73, 0x74, 0x61, 0x74, 0x65, 0x12, 0x23, 0x0a,
+ 0x0d, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x5f, 0x62, 0x79, 0x74, 0x65, 0x73, 0x18, 0x04,
+ 0x20, 0x01, 0x28, 0x03, 0x52, 0x0c, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x42, 0x79, 0x74,
+ 0x65, 0x73, 0x12, 0x25, 0x0a, 0x0e, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x6d, 0x69, 0x74, 0x5f, 0x62,
+ 0x79, 0x74, 0x65, 0x73, 0x18, 0x05, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0d, 0x74, 0x72, 0x61, 0x6e,
+ 0x73, 0x6d, 0x69, 0x74, 0x42, 0x79, 0x74, 0x65, 0x73, 0x12, 0x4a, 0x0a, 0x13, 0x6c, 0x61, 0x73,
+ 0x74, 0x5f, 0x68, 0x61, 0x6e, 0x64, 0x73, 0x68, 0x61, 0x6b, 0x65, 0x5f, 0x74, 0x69, 0x6d, 0x65,
+ 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e,
+ 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61,
+ 0x6d, 0x70, 0x52, 0x11, 0x6c, 0x61, 0x73, 0x74, 0x48, 0x61, 0x6e, 0x64, 0x73, 0x68, 0x61, 0x6b,
+ 0x65, 0x54, 0x69, 0x6d, 0x65, 0x12, 0x3f, 0x0a, 0x12, 0x6c, 0x61, 0x73, 0x74, 0x5f, 0x75, 0x73,
+ 0x65, 0x64, 0x5f, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18, 0x07, 0x20, 0x01, 0x28,
+ 0x0b, 0x32, 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4e, 0x65, 0x74, 0x49, 0x50,
+ 0x50, 0x6f, 0x72, 0x74, 0x52, 0x10, 0x6c, 0x61, 0x73, 0x74, 0x55, 0x73, 0x65, 0x64, 0x45, 0x6e,
+ 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x4c, 0x0a, 0x14, 0x6c, 0x61, 0x73, 0x74, 0x5f, 0x65,
+ 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x5f, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x18, 0x08,
+ 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72,
+ 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70,
+ 0x52, 0x12, 0x6c, 0x61, 0x73, 0x74, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x43, 0x68,
+ 0x61, 0x6e, 0x67, 0x65, 0x42, 0x4d, 0x5a, 0x4b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63,
+ 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x64, 0x65, 0x72, 0x6f, 0x6c, 0x61, 0x62, 0x73, 0x2f, 0x74, 0x61,
+ 0x6c, 0x6f, 0x73, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x72,
+ 0x79, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2f, 0x64,
+ 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x6b, 0x75, 0x62, 0x65, 0x73,
+ 0x70, 0x61, 0x6e, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
}
var (
diff --git a/pkg/machinery/api/resource/definitions/kubespan/kubespan_vtproto.pb.go b/pkg/machinery/api/resource/definitions/kubespan/kubespan_vtproto.pb.go
index 40f644cbde..8363d9ecac 100644
--- a/pkg/machinery/api/resource/definitions/kubespan/kubespan_vtproto.pb.go
+++ b/pkg/machinery/api/resource/definitions/kubespan/kubespan_vtproto.pb.go
@@ -54,6 +54,24 @@ func (m *ConfigSpec) MarshalToSizedBufferVT(dAtA []byte) (int, error) {
i -= len(m.unknownFields)
copy(dAtA[i:], m.unknownFields)
}
+ if len(m.FilterNativeRoute) > 0 {
+ for iNdEx := len(m.FilterNativeRoute) - 1; iNdEx >= 0; iNdEx-- {
+ i -= len(m.FilterNativeRoute[iNdEx])
+ copy(dAtA[i:], m.FilterNativeRoute[iNdEx])
+ i = encodeVarint(dAtA, i, uint64(len(m.FilterNativeRoute[iNdEx])))
+ i--
+ dAtA[i] = 0x42
+ }
+ }
+ if len(m.FilterEndpoints) > 0 {
+ for iNdEx := len(m.FilterEndpoints) - 1; iNdEx >= 0; iNdEx-- {
+ i -= len(m.FilterEndpoints[iNdEx])
+ copy(dAtA[i:], m.FilterEndpoints[iNdEx])
+ i = encodeVarint(dAtA, i, uint64(len(m.FilterEndpoints[iNdEx])))
+ i--
+ dAtA[i] = 0x3a
+ }
+ }
if m.Mtu != 0 {
i = encodeVarint(dAtA, i, uint64(m.Mtu))
i--
@@ -549,6 +567,18 @@ func (m *ConfigSpec) SizeVT() (n int) {
if m.Mtu != 0 {
n += 1 + sov(uint64(m.Mtu))
}
+ if len(m.FilterEndpoints) > 0 {
+ for _, s := range m.FilterEndpoints {
+ l = len(s)
+ n += 1 + l + sov(uint64(l))
+ }
+ }
+ if len(m.FilterNativeRoute) > 0 {
+ for _, s := range m.FilterNativeRoute {
+ l = len(s)
+ n += 1 + l + sov(uint64(l))
+ }
+ }
if m.unknownFields != nil {
n += len(m.unknownFields)
}
@@ -914,6 +944,70 @@ func (m *ConfigSpec) UnmarshalVT(dAtA []byte) error {
break
}
}
+ case 7:
+ if wireType != 2 {
+ return fmt.Errorf("proto: wrong wireType = %d for field FilterEndpoints", wireType)
+ }
+ var stringLen uint64
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ stringLen |= uint64(b&0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ intStringLen := int(stringLen)
+ if intStringLen < 0 {
+ return ErrInvalidLength
+ }
+ postIndex := iNdEx + intStringLen
+ if postIndex < 0 {
+ return ErrInvalidLength
+ }
+ if postIndex > l {
+ return io.ErrUnexpectedEOF
+ }
+ m.FilterEndpoints = append(m.FilterEndpoints, string(dAtA[iNdEx:postIndex]))
+ iNdEx = postIndex
+ case 8:
+ if wireType != 2 {
+ return fmt.Errorf("proto: wrong wireType = %d for field FilterNativeRoute", wireType)
+ }
+ var stringLen uint64
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ stringLen |= uint64(b&0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ intStringLen := int(stringLen)
+ if intStringLen < 0 {
+ return ErrInvalidLength
+ }
+ postIndex := iNdEx + intStringLen
+ if postIndex < 0 {
+ return ErrInvalidLength
+ }
+ if postIndex > l {
+ return io.ErrUnexpectedEOF
+ }
+ m.FilterNativeRoute = append(m.FilterNativeRoute, string(dAtA[iNdEx:postIndex]))
+ iNdEx = postIndex
default:
iNdEx = preIndex
skippy, err := skip(dAtA[iNdEx:])
diff --git a/pkg/machinery/config/provider.go b/pkg/machinery/config/provider.go
index a7ddaa42ca..d512d2b083 100644
--- a/pkg/machinery/config/provider.go
+++ b/pkg/machinery/config/provider.go
@@ -292,6 +292,13 @@ type KubeSpan interface {
ForceRouting() bool
AdvertiseKubernetesNetworks() bool
MTU() uint32
+ Filters() KubeSpanFilters
+}
+
+// KubeSpanFilters configures KubeSpan filters.
+type KubeSpanFilters interface {
+ Endpoints() []string
+ NativeRoute() []string
}
// NetworkDeviceSelector defines the set of fields that can be used to pick network a device.
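Review bot: The new `Filters()` method and both methods of the exported KubeSpanFilters interface have no doc comment, while the interface type itself does; exported methods in this file's style carry a comment starting with the name. Suggested wording: `// Filters returns the KubeSpan endpoint and native-route filters.` on the KubeSpan interface, `// Endpoints returns the CIDR list used to select node IPs advertised as KubeSpan endpoints.` and `// NativeRoute returns the CIDR list of destinations routed natively instead of via KubeSpan.` inside KubeSpanFilters. The KubeSpan interface starts before this hunk.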
diff --git a/pkg/machinery/config/types/v1alpha1/v1alpha1_provider.go b/pkg/machinery/config/types/v1alpha1/v1alpha1_provider.go
index a71e4a32f2..927032f252 100644
--- a/pkg/machinery/config/types/v1alpha1/v1alpha1_provider.go
+++ b/pkg/machinery/config/types/v1alpha1/v1alpha1_provider.go
@@ -1024,6 +1024,33 @@ func (k *NetworkKubeSpan) MTU() uint32 {
return pointer.SafeDeref(k.KubeSpanMTU)
}
+// Filters implements the KubeSpan interface.
+func (k *NetworkKubeSpan) Filters() config.KubeSpanFilters {
+ if k.KubeSpanFilters == nil {
+ return &KubeSpanFilters{}
+ }
+
+ return k.KubeSpanFilters
+}
+
+// Endpoints implements the config.KubeSpanFilters interface.
+func (k *KubeSpanFilters) Endpoints() []string {
+ if k.KubeSpanFiltersEndpoints == nil {
+ return []string{"0.0.0.0/0", "::/0"}
+ }
+
+ return k.KubeSpanFiltersEndpoints
+}
+
+// NativeRoute implements the config.KubeSpanFilters interface.
+func (k *KubeSpanFilters) NativeRoute() []string {
+ if k.KubeSpanFiltersNativeRoute == nil {
+ return nil
+ }
+
+ return k.KubeSpanFiltersNativeRoute
+}
+
// Disabled implements the config.Provider interface.
func (t *TimeConfig) Disabled() bool {
return pointer.SafeDeref(t.TimeDisabled)
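Review bot: The nil check in `NativeRoute()` is redundant: both branches return `k.KubeSpanFiltersNativeRoute`, so the body can be the single line `return k.KubeSpanFiltersNativeRoute`. In `Endpoints()`, the default is substituted only when the field is nil, so an explicitly empty `endpoints: []` in YAML presumably decodes to a non-nil empty slice and is returned as-is; combined with the `len(...) > 0` guard in local_affiliate.go that appears to make an empty list behave like the default (all IPs) rather than "no endpoints", which is worth confirming and documenting on the method. `Filters()` returns a fresh `&KubeSpanFilters{}` when unset, so neither method ever sees a nil receiver.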
diff --git a/pkg/machinery/config/types/v1alpha1/v1alpha1_types.go b/pkg/machinery/config/types/v1alpha1/v1alpha1_types.go
index d4de1f52fb..b854a68eaf 100644
--- a/pkg/machinery/config/types/v1alpha1/v1alpha1_types.go
+++ b/pkg/machinery/config/types/v1alpha1/v1alpha1_types.go
@@ -2505,6 +2505,26 @@ type NetworkKubeSpan struct {
// KubeSpan link MTU size.
// Default value is 1420.
KubeSpanMTU *uint32 `yaml:"mtu,omitempty"`
+ // description: |
+ // KubeSpan filters.
+ KubeSpanFilters *KubeSpanFilters `yaml:"filters,omitempty"`
+}
+
+// KubeSpanFilters struct describes KubeSpan filters.
+type KubeSpanFilters struct {
+ // description: |
+ // CIDR list of node IPs, which will use for p2p connections.
+ // Default value: [0.0.0.0/0, ::/0]
+ // examples:
+ // - name: Uncomment this to use only IPv4 stack.
+ // value: '[]string{"0.0.0.0/0"}'
+ KubeSpanFiltersEndpoints []string `yaml:"endpoints,omitempty"`
+ // description: |
+ // Skip sending traffic via KubeSpan if the destination in that CIDR list.
+ // examples:
+ // - name: Do not use KubeSpan to route 10.0.0.0/8 subnet.
+ // value: '[]string{"10.0.0.0/8"}'
+ KubeSpanFiltersNativeRoute []string `yaml:"nativeRoute,omitempty"`
}
// NetworkDeviceSelector struct describes network device selector.
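Review bot: Both field descriptions are grammatically off and, since they feed the generated v1alpha1_types_doc.go and the website reference in this same commit, the wording is user-facing: `CIDR list of node IPs, which will use for p2p connections.` should read `CIDR list of node IPs which will be used for p2p connections.`, and `Skip sending traffic via KubeSpan if the destination in that CIDR list.` should read `Skip sending traffic via KubeSpan if the destination is in that CIDR list.`. The nativeRoute description should also state the limitation visible in manager.go, namely that only single-IP peer allowed IPs are matched and wider advertised prefixes are not filtered, so operators do not expect pod CIDRs to bypass KubeSpan. Regenerate the doc files after editing.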
diff --git a/pkg/machinery/config/types/v1alpha1/v1alpha1_types_doc.go b/pkg/machinery/config/types/v1alpha1/v1alpha1_types_doc.go
index 04a92f644d..3a4ca41578 100644
--- a/pkg/machinery/config/types/v1alpha1/v1alpha1_types_doc.go
+++ b/pkg/machinery/config/types/v1alpha1/v1alpha1_types_doc.go
@@ -74,6 +74,7 @@ var (
VolumeMountConfigDoc encoder.Doc
ClusterInlineManifestDoc encoder.Doc
NetworkKubeSpanDoc encoder.Doc
+ KubeSpanFiltersDoc encoder.Doc
NetworkDeviceSelectorDoc encoder.Doc
ClusterDiscoveryConfigDoc encoder.Doc
DiscoveryRegistriesConfigDoc encoder.Doc
@@ -2468,7 +2469,7 @@ func init() {
FieldName: "kubespan",
},
}
- NetworkKubeSpanDoc.Fields = make([]encoder.Doc, 4)
+ NetworkKubeSpanDoc.Fields = make([]encoder.Doc, 5)
NetworkKubeSpanDoc.Fields[0].Name = "enabled"
NetworkKubeSpanDoc.Fields[0].Type = "bool"
NetworkKubeSpanDoc.Fields[0].Note = ""
@@ -2489,6 +2490,36 @@ func init() {
NetworkKubeSpanDoc.Fields[3].Note = ""
NetworkKubeSpanDoc.Fields[3].Description = "KubeSpan link MTU size.\nDefault value is 1420."
NetworkKubeSpanDoc.Fields[3].Comments[encoder.LineComment] = "KubeSpan link MTU size."
+ NetworkKubeSpanDoc.Fields[4].Name = "filters"
+ NetworkKubeSpanDoc.Fields[4].Type = "KubeSpanFilters"
+ NetworkKubeSpanDoc.Fields[4].Note = ""
+ NetworkKubeSpanDoc.Fields[4].Description = "KubeSpan filters."
+ NetworkKubeSpanDoc.Fields[4].Comments[encoder.LineComment] = "KubeSpan filters."
+
+ KubeSpanFiltersDoc.Type = "KubeSpanFilters"
+ KubeSpanFiltersDoc.Comments[encoder.LineComment] = "KubeSpanFilters struct describes KubeSpan filters."
+ KubeSpanFiltersDoc.Description = "KubeSpanFilters struct describes KubeSpan filters."
+ KubeSpanFiltersDoc.AppearsIn = []encoder.Appearance{
+ {
+ TypeName: "NetworkKubeSpan",
+ FieldName: "filters",
+ },
+ }
+ KubeSpanFiltersDoc.Fields = make([]encoder.Doc, 2)
+ KubeSpanFiltersDoc.Fields[0].Name = "endpoints"
+ KubeSpanFiltersDoc.Fields[0].Type = "[]string"
+ KubeSpanFiltersDoc.Fields[0].Note = ""
+ KubeSpanFiltersDoc.Fields[0].Description = "CIDR list of node IPs, which will use for p2p connections.\nDefault value: [0.0.0.0/0, ::/0]"
+ KubeSpanFiltersDoc.Fields[0].Comments[encoder.LineComment] = "CIDR list of node IPs, which will use for p2p connections."
+
+ KubeSpanFiltersDoc.Fields[0].AddExample("Uncomment this to use only IPv4 stack.", []string{"0.0.0.0/0"})
+ KubeSpanFiltersDoc.Fields[1].Name = "nativeRoute"
+ KubeSpanFiltersDoc.Fields[1].Type = "[]string"
+ KubeSpanFiltersDoc.Fields[1].Note = ""
+ KubeSpanFiltersDoc.Fields[1].Description = "Skip sending traffic via KubeSpan if the destination in that CIDR list."
+ KubeSpanFiltersDoc.Fields[1].Comments[encoder.LineComment] = "Skip sending traffic via KubeSpan if the destination in that CIDR list."
+
+ KubeSpanFiltersDoc.Fields[1].AddExample("Do not use KubeSpan to route 10.0.0.0/8 subnet.", []string{"10.0.0.0/8"})
NetworkDeviceSelectorDoc.Type = "NetworkDeviceSelector"
NetworkDeviceSelectorDoc.Comments[encoder.LineComment] = "NetworkDeviceSelector struct describes network device selector."
@@ -2952,6 +2983,10 @@ func (_ NetworkKubeSpan) Doc() *encoder.Doc {
return &NetworkKubeSpanDoc
}
+func (_ KubeSpanFilters) Doc() *encoder.Doc {
+ return &KubeSpanFiltersDoc
+}
+
func (_ NetworkDeviceSelector) Doc() *encoder.Doc {
return &NetworkDeviceSelectorDoc
}
@@ -3058,6 +3093,7 @@ func GetConfigurationDoc() *encoder.FileDoc {
&VolumeMountConfigDoc,
&ClusterInlineManifestDoc,
&NetworkKubeSpanDoc,
+ &KubeSpanFiltersDoc,
&NetworkDeviceSelectorDoc,
&ClusterDiscoveryConfigDoc,
&DiscoveryRegistriesConfigDoc,
diff --git a/pkg/machinery/config/types/v1alpha1/zz_generated.deepcopy.go b/pkg/machinery/config/types/v1alpha1/zz_generated.deepcopy.go
index 0827b33c8c..92845f5764 100644
--- a/pkg/machinery/config/types/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/machinery/config/types/v1alpha1/zz_generated.deepcopy.go
@@ -1130,6 +1130,32 @@ func (in *KernelModuleConfig) DeepCopy() *KernelModuleConfig {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *KubeSpanFilters) DeepCopyInto(out *KubeSpanFilters) {
+ *out = *in
+ if in.KubeSpanFiltersEndpoints != nil {
+ in, out := &in.KubeSpanFiltersEndpoints, &out.KubeSpanFiltersEndpoints
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
+ if in.KubeSpanFiltersNativeRoute != nil {
+ in, out := &in.KubeSpanFiltersNativeRoute, &out.KubeSpanFiltersNativeRoute
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeSpanFilters.
+func (in *KubeSpanFilters) DeepCopy() *KubeSpanFilters {
+ if in == nil {
+ return nil
+ }
+ out := new(KubeSpanFilters)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *KubeletConfig) DeepCopyInto(out *KubeletConfig) {
*out = *in
@@ -1669,6 +1695,11 @@ func (in *NetworkKubeSpan) DeepCopyInto(out *NetworkKubeSpan) {
*out = new(uint32)
**out = **in
}
+ if in.KubeSpanFilters != nil {
+ in, out := &in.KubeSpanFilters, &out.KubeSpanFilters
+ *out = new(KubeSpanFilters)
+ (*in).DeepCopyInto(*out)
+ }
return
}
diff --git a/pkg/machinery/resources/kubespan/config.go b/pkg/machinery/resources/kubespan/config.go
index 215543738c..2a86d4896b 100644
--- a/pkg/machinery/resources/kubespan/config.go
+++ b/pkg/machinery/resources/kubespan/config.go
@@ -39,6 +39,10 @@ type ConfigSpec struct {
AdvertiseKubernetesNetworks bool `yaml:"advertiseKubernetesNetworks" protobuf:"5"`
// Force kubeSpan MTU size.
MTU uint32 `yaml:"mtu,omitempty" protobuf:"6"`
+ // Allowed list of node endpoints.
+ FilterEndpoints []string `yaml:"filterEndpoints,omitempty" protobuf:"7"`
+ // FilterNativeRoute skip destination CIDR list.
+ FilterNativeRoute []string `yaml:"filterNativeRoute,omitempty" protobuf:"8"`
}
// NewConfig initializes a Config resource.
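Review bot: The two new field comments do not say what the strings are; `// Allowed list of node endpoints.` reads as if the values were endpoints rather than CIDRs that filter node IPs, and `// FilterNativeRoute skip destination CIDR list.` is not a sentence. Suggested replacements, matching the neighbouring comment style: `// FilterEndpoints is the CIDR list used to select which node IPs are advertised as KubeSpan endpoints.` and `// FilterNativeRoute is the CIDR list of destinations that are routed natively instead of via KubeSpan.`. ConfigSpec starts before this hunk.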
diff --git a/pkg/machinery/resources/kubespan/deep_copy.generated.go b/pkg/machinery/resources/kubespan/deep_copy.generated.go
index 8beec586de..d9d9e11a64 100644
--- a/pkg/machinery/resources/kubespan/deep_copy.generated.go
+++ b/pkg/machinery/resources/kubespan/deep_copy.generated.go
@@ -13,6 +13,14 @@ import (
// DeepCopy generates a deep copy of ConfigSpec.
func (o ConfigSpec) DeepCopy() ConfigSpec {
var cp ConfigSpec = o
+ if o.FilterEndpoints != nil {
+ cp.FilterEndpoints = make([]string, len(o.FilterEndpoints))
+ copy(cp.FilterEndpoints, o.FilterEndpoints)
+ }
+ if o.FilterNativeRoute != nil {
+ cp.FilterNativeRoute = make([]string, len(o.FilterNativeRoute))
+ copy(cp.FilterNativeRoute, o.FilterNativeRoute)
+ }
return cp
}
diff --git a/website/content/v1.3/reference/api.md b/website/content/v1.3/reference/api.md
index 6887f1097f..6a144d18e3 100644
--- a/website/content/v1.3/reference/api.md
+++ b/website/content/v1.3/reference/api.md
@@ -2176,6 +2176,8 @@ ConfigSpec describes KubeSpan configuration..
| force_routing | [bool](#bool) | | |
| advertise_kubernetes_networks | [bool](#bool) | | |
| mtu | [uint32](#uint32) | | |
+| filter_endpoints | [string](#string) | repeated | |
+| filter_native_route | [string](#string) | repeated | |
diff --git a/website/content/v1.3/reference/configuration.md b/website/content/v1.3/reference/configuration.md
index 76bffaa446..9c341f3acd 100644
--- a/website/content/v1.3/reference/configuration.md
+++ b/website/content/v1.3/reference/configuration.md
@@ -2724,6 +2724,31 @@ enabled: true # Enable the KubeSpan feature.
|`advertiseKubernetesNetworks` |bool |Control whether Kubernetes pod CIDRs are announced over KubeSpan from the node.
If disabled, CNI handles encapsulating pod-to-pod traffic into some node-to-node tunnel,
and KubeSpan handles the node-to-node traffic.
If enabled, KubeSpan will take over pod-to-pod traffic and send it over KubeSpan directly.
When enabled, KubeSpan should have a way to detect complete pod CIDRs of the node which
is not always the case with CNIs not relying on Kubernetes for IPAM. | |
|`allowDownPeerBypass` |bool |Skip sending traffic via KubeSpan if the peer connection state is not up.
This provides configurable choice between connectivity and security: either traffic is always
forced to go via KubeSpan (even if Wireguard peer connection is not up), or traffic can go directly
to the peer if Wireguard connection can't be established. | |
|`mtu` |uint32 |KubeSpan link MTU size.
Default value is 1420. | |
+|`filters` |KubeSpanFilters |KubeSpan filters. | |
+
+
+
+---
+## KubeSpanFilters
+KubeSpanFilters struct describes KubeSpan filters.
+
+Appears in:
+
+- NetworkKubeSpan.filters
+
+
+
+
+| Field | Type | Description | Value(s) |
+|-------|------|-------------|----------|
+|`endpoints` |[]string |CIDR list of node IPs, which will use for p2p connections.
Default value: [0.0.0.0/0, ::/0] Show example(s)
{{< highlight yaml >}}
+endpoints:
+ - 0.0.0.0/0
+{{< /highlight >}} | |
+|`nativeRoute` |[]string |Skip sending traffic via KubeSpan if the destination in that CIDR list. Show example(s)
{{< highlight yaml >}}
+nativeRoute:
+ - 10.0.0.0/8
+{{< /highlight >}} | |