kubernetes

3rd chunk of `content/en/docs/tasks/administer-cluster/ip-masq-agent.md`
RETURN     all  --  anywhere             172.16.0.0/12        /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
RETURN     all  --  anywhere             192.168.0.0/16       /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
MASQUERADE  all  --  anywhere             anywhere             /* ip-masq-agent: outbound traffic should be subject to MASQUERADE (this match must come after cluster-local CIDR matches) */ ADDRTYPE match dst-type !LOCAL

```

By default, in GCE/Google Kubernetes Engine, if network policy is enabled or
you are using a cluster CIDR not in the 10.0.0.0/8 range, the `ip-masq-agent`
will run in your cluster. If you are running in another environment,
you can add the `ip-masq-agent` [DaemonSet](/docs/concepts/workloads/controllers/daemonset/)
to your cluster.

<!-- steps -->

## Create an ip-masq-agent

To create an ip-masq-agent, run the following kubectl command:

```shell
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/ip-masq-agent/master/ip-masq-agent.yaml
```

The DaemonSet's node selector only schedules the agent onto nodes that carry the
`node.kubernetes.io/masq-agent-ds-ready=true` label, so label every node that should run it:

```shell
kubectl label nodes my-node node.kubernetes.io/masq-agent-ds-ready=true
```

See the [ip-masq-agent repository](https://github.com/kubernetes-sigs/ip-masq-agent) for more information.

In most cases, the default set of rules should be sufficient; however, if this is not the case
for your cluster, you can create and apply a
[ConfigMap](/docs/tasks/configure-pod-container/configure-pod-configmap/) to customize which
destination ranges are exempted from masquerading. The configured list replaces the defaults:
for example, to exempt only 10.0.0.0/8 (so that traffic to 172.16.0.0/12 and 192.168.0.0/16 is
masqueraded like any other outbound traffic), create the following
[ConfigMap](/docs/tasks/configure-pod-container/configure-pod-configmap/) data in a file called
`config`.

{{< note >}}
It is important that the file is called `config` since, by default, that is the key the
`ip-masq-agent` looks up in the ConfigMap.
{{< /note >}}

```yaml
nonMasqueradeCIDRs:
  - 10.0.0.0/8
resyncInterval: 60s
```

Run the following command to add the configmap to your cluster:

```shell
kubectl create configmap ip-masq-agent --from-file=config --namespace=kube-system
```

The ConfigMap key is mounted into each agent pod as `/etc/config/ip-masq-agent`. The agent
re-reads that file every `resyncInterval` and re-applies the iptables rules on its node, so
once the interval has elapsed the chain should reflect your changes:

```shell
iptables -t nat -L IP-MASQ-AGENT
```

```none
Chain IP-MASQ-AGENT (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             169.254.0.0/16       /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
RETURN     all  --  anywhere             10.0.0.0/8           /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
MASQUERADE  all  --  anywhere             anywhere             /* ip-masq-agent: outbound traffic should be subject to MASQUERADE (this match must come after cluster-local CIDR matches) */ ADDRTYPE match dst-type !LOCAL
```

By default, the ip-masq-agent also adds a RETURN rule for the link-local range (169.254.0.0/16),
so traffic to that range is never masqueraded. To drop that exemption and masquerade link-local
traffic like any other outbound traffic, set `masqLinkLocal` to true in the ConfigMap. Note that
on cloud providers the instance metadata endpoint (169.254.169.254) sits in this range, so check
how that service identifies callers before changing the source address pods reach it from.

```yaml
nonMasqueradeCIDRs:
  - 10.0.0.0/8
resyncInterval: 60s
masqLinkLocal: true
```
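The steps above end with reading the chain by eye. The following shell script is an added example (not code from the Kubernetes docs or the ip-masq-agent project) that cross-checks a saved `iptables -t nat -L IP-MASQ-AGENT` listing against the `config` file: every configured CIDR has a RETURN rule, no RETURN rule exists that the config did not ask for, the link-local exemption is present exactly when `masqLinkLocal` is not true, and the catch-all MASQUERADE is the final rule. It assumes the flat YAML layout used on this page (it is not a general YAML parser), and the chain listings it checks are constructed samples in the format shown above; on a node you would save the live listing to a file and pass that path instead.

```shell
#!/bin/sh
# Added example, not part of the Kubernetes docs or the ip-masq-agent project.
# Cross-checks a saved `iptables -t nat -L IP-MASQ-AGENT` listing against the
# ConfigMap `config` file so that a stale, mis-keyed or mis-ordered chain is
# caught instead of assumed. Assumes the flat YAML layout used on this page.

# Print the nonMasqueradeCIDRs entries of the config file, one per line.
config_cidrs() {
  awk '/^nonMasqueradeCIDRs:/ { inlist = 1; next }
       inlist && /^[[:space:]]*-/ { sub(/^[[:space:]]*-[[:space:]]*/, ""); print; next }
       /^[^[:space:]]/ { inlist = 0 }' "$1"
}

# Succeed only when the config sets masqLinkLocal: true.
config_masq_link_local() {
  grep -Eq '^masqLinkLocal:[[:space:]]*true[[:space:]]*$' "$1"
}

# Print the destination CIDR of every RETURN rule in the chain listing.
chain_return_cidrs() {
  awk '$1 == "RETURN" { print $5 }' "$1"
}

# check_masq_chain CHAIN_LISTING CONFIG -> 0 if consistent, 1 with findings.
check_masq_chain() {
  chain=$1; cfg=$2; rc=0
  # 1. Every configured CIDR needs a RETURN rule, and every RETURN rule
  #    (other than link-local) must be one the config asked for.
  for c in $(config_cidrs "$cfg"); do
    if ! chain_return_cidrs "$chain" | grep -qxF "$c"; then
      echo "missing RETURN rule for configured CIDR $c"; rc=1
    fi
  done
  for c in $(chain_return_cidrs "$chain"); do
    if [ "$c" != "169.254.0.0/16" ] && ! config_cidrs "$cfg" | grep -qxF "$c"; then
      echo "unexpected RETURN rule for $c (not in config; stale ConfigMap?)"; rc=1
    fi
  done
  # 2. Link-local is exempted unless masqLinkLocal: true.
  if config_masq_link_local "$cfg"; then
    if chain_return_cidrs "$chain" | grep -qxF 169.254.0.0/16; then
      echo "masqLinkLocal is true but 169.254.0.0/16 is still exempted"; rc=1
    fi
  elif ! chain_return_cidrs "$chain" | grep -qxF 169.254.0.0/16; then
    echo "link-local RETURN rule missing"; rc=1
  fi
  # 3. The catch-all MASQUERADE must be the final rule: a RETURN placed
  #    below it is never reached and that CIDR gets masqueraded anyway.
  last=$(awk '$1 == "RETURN" || $1 == "MASQUERADE" { t = $1 } END { print t }' "$chain")
  if [ "$last" != "MASQUERADE" ]; then
    echo "MASQUERADE is not the final rule (last target: ${last:-none})"; rc=1
  fi
  return $rc
}

# Constructed sample input (not captured from a real node).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/config" <<'EOF'
nonMasqueradeCIDRs:
  - 10.0.0.0/8
resyncInterval: 60s
EOF
# Chain as the page shows it after the ConfigMap is applied.
cat > "$WORK/chain.good" <<'EOF'
Chain IP-MASQ-AGENT (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             169.254.0.0/16       /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
RETURN     all  --  anywhere             10.0.0.0/8           /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
MASQUERADE  all  --  anywhere             anywhere             /* ip-masq-agent: outbound traffic should be subject to MASQUERADE (this match must come after cluster-local CIDR matches) */ ADDRTYPE match dst-type !LOCAL
EOF
# Broken chain: the 10.0.0.0/8 exemption sits below the catch-all, so
# pod-to-pod traffic would still be masqueraded.
cat > "$WORK/chain.bad" <<'EOF'
Chain IP-MASQ-AGENT (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             169.254.0.0/16       /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
MASQUERADE  all  --  anywhere             anywhere             /* ip-masq-agent: outbound traffic should be subject to MASQUERADE (this match must come after cluster-local CIDR matches) */ ADDRTYPE match dst-type !LOCAL
RETURN     all  --  anywhere             10.0.0.0/8           /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
EOF

for f in chain.good chain.bad; do
  if check_masq_chain "$WORK/$f" "$WORK/config"; then echo "$f: OK"; else echo "$f: FAIL"; fi
done
```

Run it on a node with `iptables -t nat -L IP-MASQ-AGENT > chain.txt` and `check_masq_chain chain.txt config`; a non-zero exit with findings on stdout means the rendered chain does not match the ConfigMap you think is in effect.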
