
What to consider when runPodOnHostNetwork = true

Open · ALIP-0 opened this issue 1 year ago · 1 comment

What should be considered when setting runPodOnHostNetwork = TRUE?

Must we amend other areas of the configuration?

I am working off the assumption that the purpose of runPodOnHostNetwork = TRUE is to allow peers on any node/pod to communicate?

ALIP-0 avatar Sep 17 '24 15:09 ALIP-0

Typically you would also want to run it as a DaemonSet.

Here's an example value override for a daemonset: https://github.com/bryopsida/wireguard-chart/blob/main/ci/test-with-healthsidecar-daemonset-hostport.yaml.

Some things to be aware of related to that setting:

  • https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
  • https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#podspec-v1-core

> I am working off the assumption that the purpose of runPodOnHostNetwork = TRUE is to allow peers on any node/pod to communicate?

There are probably more cases/reasons one might want to use it, but here are a few:

  • Removes the overhead of ingressing through a Kubernetes Service and instead exposes the WG server listening port directly on the node's network.
  • Depending on the network, may reduce the complexity of hooks with iptables rules to set up NAT.

bryopsida avatar Sep 24 '24 01:09 bryopsida
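An added illustration of the two points in the reply above (a DaemonSet on the host network, plus the DNS-policy caveat); this is not the chart's own template or the linked CI values file. The namespace, image name and the NET_ADMIN capability are assumptions; 51820/UDP is WireGuard's default listen port.

```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: wireguard
  namespace: vpn                 # assumed namespace
spec:
  selector:
    matchLabels:
      app: wireguard
  template:
    metadata:
      labels:
        app: wireguard
    spec:
      # The pod shares the node's network namespace, so the WG listen port is
      # reachable on every node's address without a Service in front of it.
      hostNetwork: true
      # With hostNetwork the default ClusterFirst policy is not applied: the
      # pod would fall back to the node's /etc/resolv.conf and lose in-cluster
      # DNS. ClusterFirstWithHostNet keeps cluster DNS working for the pod.
      dnsPolicy: ClusterFirstWithHostNet
      containers:
        - name: wireguard
          image: example.invalid/wireguard:placeholder   # placeholder image
          ports:
            - name: wg
              containerPort: 51820   # WireGuard's default listen port
              protocol: UDP
          securityContext:
            capabilities:
              add: ["NET_ADMIN"]     # assumed: needed to create the wg interface
```

Because the listen port is now open on every node's address rather than behind a Service, restrict it at the node firewall or cloud security group to the peers you expect.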