Wigglenet is a network plugin for Kubernetes geared towards dual-stack clusters. Wigglenet seeks to achieve the following goals in order:
- Simplicity and minimalism
- Support idiosyncratic IPv6 allocation strategies of various cloud providers (preferably without resorting to ULA addresses / NAT)
- Being a viable network plugin for small to medium sized production clusters
Note that the last goal is not achieved yet. Wigglenet should be considered experimental and only used in non-critical clusters for the time being.
Wigglenet uses the standard ptp
CNI plugin with host-local
IPAM to allocate IP addresses to pods based on the node subnets. Wigglenet also establishes an overlay network using Wireguard. In addition to encapsulation, this also provides hassle-free encryption of pod-to-pod traffic.
Wigglenet runs as a daemonset on every node and does the following things:
- Initializes each new node on startup, sets up the Wireguard interface and writes the CNI configuration
- Runs a controller on each node that adjusts the Wireguard peer configuration, local routing table and iptables rules for filtering and masquerading as nodes come and go
Wigglenet explicitely supports and encourages allocation of public IPv6 addresses to pods and offers a variety of pod network selection methods. See Pod network selection for details.
To install Wigglenet on a dual-stack cluster with the default settings:
kubectl apply -f https://raw.githubusercontent.com/tibordp/wigglenet/v0.4.4/deploy/manifest.yaml
The default configuration should work out of the box for a cluster created with kubeadm using the official dual-stack tutorial. It will enable masquerading for both IPv6 and IPv4 addresses.
Use the following manifest if the cluster is single-stack (IPv6 only):
kubectl apply -f https://raw.githubusercontent.com/tibordp/wigglenet/v0.4.4/deploy/ipv6_only.yaml
For configuration options see the docs
- Wigglenet does not currently support
NetworkPolicy
- Host-to-host traffic does not pass through the Wireguard tunnel, so it is not encrypted. This is not a major issue as services using host networking generally use TLS, but there are some notable exceptions (e.g. the default configuration for Prometheus node-exporter).
Feedback, bug reports and pull requests are most welcome! Build and test with:
go mod download
go build ./...
go test ./...
See Makefile and example manifests for experimenting with Wigglenet locally using kind. For example:
# Create a dual-stuck kind cluster with default settings
make kind-default
# Build Docker image and load it to all the nodes
make image
# Install Wigglenet
make deploy
Wigglenet is inspired by kindnet, kind's default network plugin.