Support cilium ip-masq-agent configuration (#8893)

* fix deploy Cilium with eBPF-based Masquerading failed Signed-off-by: mahjonp <junpeng.man@gmail.com> * forget to add the enable-ip-masq-agent flag Signed-off-by: mahjonp <junpeng.man@gmail.com>
2026-02-18 11:40:10 -03:30 · 2022-06-01 00:26:53 +08:00
parent 1600fd9082
commit c927da00e0
3 changed files with 56 additions and 0 deletions
--- a/roles/network_plugin/cilium/defaults/main.yml
+++ b/roles/network_plugin/cilium/defaults/main.yml
@@ -99,6 +99,29 @@ cilium_ipsec_node_encryption: "false"
 # This option is only effective when `cilium_encryption_type` is set to `wireguard`.
 cilium_wireguard_userspace_fallback: "false"

+# IP Masquerade Agent
+# https://docs.cilium.io/en/stable/concepts/networking/masquerading/
+# By default, all packets from a pod destined to an IP address outside of the cilium_native_routing_cidr range are masqueraded
+cilium_ip_masq_agent_enable: false
+### A packet sent from a pod to a destination which belongs to any CIDR from the nonMasqueradeCIDRs is not going to be masqueraded
+cilium_non_masquerade_cidrs:
+  - 10.0.0.0/8
+  - 172.16.0.0/12
+  - 192.168.0.0/16
+  - 100.64.0.0/10
+  - 192.0.0.0/24
+  - 192.0.2.0/24
+  - 192.88.99.0/24
+  - 198.18.0.0/15
+  - 198.51.100.0/24
+  - 203.0.113.0/24
+  - 240.0.0.0/4
+### Indicates whether to masquerade traffic to the link local prefix.
+### If the masqLinkLocal is not set or set to false, then 169.254.0.0/16 is appended to the non-masquerade CIDRs list.
+cilium_masq_link_local: false
+### A time interval at which the agent attempts to reload config from disk
+cilium_ip_masq_resync_interval: 60s
+
 # Hubble
 ### Enable Hubble without install
 cilium_enable_hubble: false