Node is NAT'd and doesn't know its IP address; hybrid cluster using wireguard-native is wrong #1889
Comments
Hey again! In your proposal, you are talking about server-client communication, where the client knows the endpoint of the server but the server only knows the public key of the client. In this scenario, the client can communicate with the server but the server can't communicate with the client until the client contacts it first, right? The problem with the previous approach with Kubernetes is that the architecture is not server-client when it comes to pod-pod communication. We are creating a mesh of tunnels between the nodes. Imagine a cluster of 3 nodes (node1, node2 and node3); I see, for example, two problems:
> client can communicate with the server but the server can't communicate with client until the client contacts first, right?

Yes. Server-client and pod-pod do not conflict. The pod-pod network is a tunnel created through server-client. Pod-pod can communicate only after server-client establishes a connection and creates a tunnel.
Right, but the server needs to wait for the client to contact it. What if the client never contacts the server?
WireGuard contacts the server when it starts up. If the client never contacts the server, that means this node is not ready.
Imagine we have 2 nodes. 1 node is the k8s control-plane and 1 node is the k8s agent and it is behind a NAT (let's call it node1). In this case, I can see your suggestion working. However, what happens if we add a new k8s agent node behind a NAT (let's call it node2)? We need to know the endpoint of node1 or node2 to create the tunnel between both nodes, right?
I'm not sure if the WireGuard master will synchronize all endpoint information to the other node.
Cluster Configuration:

server:
  EXTERNAL-IP: xx.xx.xx.xx
  INTERNAL-IP: 10.0.8.17

nodes:
  node-x86 (NAT'd and doesn't know its own IP address):
    EXTERNAL-IP: xx.xx.xx.yy
    INTERNAL-IP: 192.168.36.22
  node-arm:
    EXTERNAL-IP: xx.xx.xx.zz
    INTERNAL-IP: 10.0.1.217
Possible Solution
The master and node use the WireGuard-negotiated endpoint consistently.
Your Environment
k3s version v1.28.6+k3s2 (k3s-io/k3s@c9f49a3)
go version go1.20.13
My English is very poor; please refer to this issue for specific details. Thank you.
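An added example (not k3s or flannel code, and not written by anyone in this thread) of the check behind the proposed solution: parse `wg show <iface> dump` on the server and compare the endpoint WireGuard actually negotiated for each peer with the endpoint the node advertised. The tab-separated dump layout is WireGuard's real one; the sample dump, key names and addresses are constructed (RFC 5737 ranges stand in for the xx.xx.xx.yy / xx.xx.xx.zz placeholders above), and the `ADVERTISED` map is an assumed stand-in for whatever a node reports as its public IP, which for a NAT'd node is only its INTERNAL-IP.

```python
"""Added example: compare advertised vs. WireGuard-negotiated peer endpoints
by parsing `wg show <iface> dump`. Not k3s or flannel code."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of `wg show flannel-wg dump` as seen on the server.
# Real output is tab-separated. The first line is the local interface
# (private key, public key, listen port, fwmark); each following line is a
# peer: public key, preshared key, endpoint, allowed IPs, latest handshake
# (unix seconds, 0 = never), rx bytes, tx bytes, persistent keepalive.
# Keys and addresses are placeholders, not real values.
SAMPLE_DUMP = (
    "SERVER_PRIV\tSERVER_PUB\t51820\toff\n"
    # node-x86: behind NAT; WireGuard learned the translated address:port
    # from the handshake the node initiated.
    "NODE_X86_PUB\t(none)\t203.0.113.22:41234\t10.42.1.0/24\t1710000000\t81234\t99876\t25\n"
    # node-arm: directly reachable; negotiated endpoint equals the advertised one.
    "NODE_ARM_PUB\t(none)\t198.51.100.17:51820\t10.42.2.0/24\t1710000010\t4321\t5678\t25\n"
    # a newly joined NAT'd node: endpoint configured from its advertised
    # private IP, but no handshake has ever completed.
    "NODE_NEW_PUB\t(none)\t192.168.50.9:51820\t10.42.3.0/24\t0\t0\t0\t25\n"
)

# Assumed: the endpoint each node advertised to the control plane. A NAT'd
# node only knows its INTERNAL-IP, so that is what it advertises (constructed).
ADVERTISED: Dict[str, str] = {
    "NODE_X86_PUB": "192.168.36.22:51820",  # private address, unreachable from the server
    "NODE_ARM_PUB": "198.51.100.17:51820",
    "NODE_NEW_PUB": "192.168.50.9:51820",
}


@dataclass
class Peer:
    public_key: str
    endpoint: Optional[str]   # endpoint WireGuard currently holds; None for "(none)"
    allowed_ips: List[str]
    latest_handshake: int     # unix seconds; 0 means no handshake has ever completed


def parse_wg_dump(dump: str) -> List[Peer]:
    """Parse `wg show <iface> dump` output into peers; the interface line is skipped."""
    lines = [ln for ln in dump.splitlines() if ln.strip()]
    peers: List[Peer] = []
    for line in lines[1:]:
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"unexpected peer line in wg dump: {line!r}")
        pub, _psk, endpoint, allowed, handshake, _rx, _tx, _keepalive = fields
        peers.append(Peer(
            public_key=pub,
            endpoint=None if endpoint == "(none)" else endpoint,
            allowed_ips=allowed.split(","),
            latest_handshake=int(handshake),
        ))
    return peers


def classify_peers(peers: List[Peer], advertised: Dict[str, str]) -> Dict[str, str]:
    """Verdict per peer public key.
    'not-ready': no handshake yet, so the server has no verified endpoint
                 (the node-must-contact-first case from the discussion).
    'roamed'   : WireGuard learned an endpoint that differs from the advertised
                 one, typical for a NAT'd node that advertised a private IP.
    'ok'       : advertised and negotiated endpoints agree.
    """
    verdicts: Dict[str, str] = {}
    for p in peers:
        if p.latest_handshake == 0 or p.endpoint is None:
            verdicts[p.public_key] = "not-ready"
        elif p.endpoint != advertised.get(p.public_key):
            verdicts[p.public_key] = "roamed"
        else:
            verdicts[p.public_key] = "ok"
    return verdicts


def effective_endpoints(peers: List[Peer], advertised: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Endpoint to hand out for each peer: the negotiated one when WireGuard has
    it, otherwise the advertised one (possibly a private, unreachable address
    until the node dials in). This is the 'use the negotiated endpoint
    consistently' behaviour the issue proposes."""
    return {p.public_key: p.endpoint or advertised.get(p.public_key) for p in peers}


if __name__ == "__main__":
    peers = parse_wg_dump(SAMPLE_DUMP)
    verdicts = classify_peers(peers, ADVERTISED)
    for p in peers:
        print(f"{p.public_key:<13} advertised={ADVERTISED.get(p.public_key)!s:<22} "
              f"negotiated={p.endpoint!s:<22} -> {verdicts[p.public_key]}")
```

Run it on a server with `wg show <iface> dump` piped in (replacing `SAMPLE_DUMP`) to see which peers WireGuard has roamed away from the address the node advertised; a peer stuck at `not-ready` matches the "client never contacts the server" case discussed above.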