5696fe20b9
This commit removes unwanted NAT and forward rules from control plane nodes. They need to be enabled if and when SIP creates VMs on control plane nodes. Change-Id: I7a06df92b2c5c66d898e2a8f17c86d812680f181
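# JSON-patch style entries appended to the kubeadm config spec
# (/spec/kubeadmConfigSpec): one pre-kubeadm command and two files.

# Entry 1: enable and start the iptables-setup unit before kubeadm runs.
- op: add
  path: "/spec/kubeadmConfigSpec/preKubeadmCommands/-"
  value:
    systemctl enable --now iptables-setup.service

# Entry 2: systemd unit that runs the setup script. World-readable (0644),
# writable by root only.
- op: add
  path: "/spec/kubeadmConfigSpec/files/-"
  value:
    path: /etc/systemd/system/iptables-setup.service
    permissions: "0644"
    owner: root:root
    content: |
      [Unit]
      Description=Service to setup iptables
      Wants=network-online.target
      After=network.target network-online.target

      [Service]
      # oneshot: "systemctl enable --now" returns only once the script has
      # finished, so whatever runs after it sees forwarding already enabled,
      # and a failing script is reported as a failed unit.
      Type=oneshot
      RemainAfterExit=yes
      User=root
      WorkingDirectory=/usr/bin
      ExecStart=/usr/bin/iptables-setup.sh

      [Install]
      WantedBy=multi-user.target

# Entry 3: the setup script itself. Executable by root only (0744); it runs
# as root, so it must stay root-owned and not writable by group or others.
- op: add
  path: "/spec/kubeadmConfigSpec/files/-"
  value:
    path: /usr/bin/iptables-setup.sh
    permissions: "0744"
    owner: root:root
    content: |
      #!/bin/bash
      export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

      # Activate IPv4 forwarding. The unit already runs this script as root,
      # so the write needs no sudo. Forwarding stays enabled even though the
      # FORWARD/NAT rules below are disabled, and this script sets no FORWARD
      # chain policy; confirm the node's policy is the one you intend.
      if ! echo 1 > /proc/sys/net/ipv4/ip_forward; then
        echo "iptables-setup: failed to enable net.ipv4.ip_forward" >&2
        exit 1
      fi

      # NOTE: both rules below use -A, so each run of this script appends
      # another copy; guard them with "iptables -C ... ||" if the unit may be
      # restarted. REPLACEMENT_* are placeholders, presumably substituted
      # before this file is rendered to the node - verify before enabling.
      # Uncomment the two iptables lines below when SIP creates VMs on control plane nodes.
      #iptables -A FORWARD -i REPLACEMENT_VM_INFRA_INTF -j ACCEPT
      #iptables -t nat -A POSTROUTING -s REPLACEMENT_VM_SUBNET_CIDR -o REPLACEMENT_MGMT_INTF -j MASQUERADE
      exit 0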