kg
kg is the Kilo agent that runs on every Kubernetes node in a Kilo mesh.
It performs several key functions, including:
- adding the node to the Kilo mesh;
- installing CNI configuration on the node;
- configuring the WireGuard network interface; and
- maintaining routing table entries and iptables rules.
kg is typically installed on all nodes of a Kubernetes cluster using a DaemonSet.
Example manifests can be found in the manifests directory.
Usage
The behavior of kg can be configured using the command line flags listed below.
kg is the Kilo agent.
It runs on every node of a cluster,
setting up the public and private keys for the VPN
as well as the necessary rules to route packets between locations.
Usage:
kg [flags]
kg [command]
Available Commands:
completion generate the autocompletion script for the specified shell
help Help about any command
version Print the version and exit.
webhook webhook starts a HTTPS server to validate updates and creations of Kilo peers.
Flags:
--backend string The backend for the mesh. Possible values: kubernetes (default "kubernetes")
--clean-up Should kilo clean up network modifications on shutdown? (default true)
--clean-up-interface Should Kilo delete its interface when it shuts down?
--cni Should Kilo manage the node's CNI configuration? (default true)
--cni-path string Path to CNI config. (default "/etc/cni/net.d/10-kilo.conflist")
--compatibility string Should Kilo run in compatibility mode? Possible values: flannel
--create-interface Should kilo create an interface on startup? (default true)
--encapsulate string When should Kilo encapsulate packets within a location? Possible values: never, crosssubnet, always (default "always")
-h, --help help for kg
--hostname string Hostname of the node on which this process is running.
--interface string Name of the Kilo interface to use; if it does not exist, it will be created. (default "kilo0")
--iptables-forward-rules Add default accept rules to the FORWARD chain in iptables. Warning: this may break firewalls with a deny all policy and is potentially insecure!
--kubeconfig string Path to kubeconfig.
--listen string The address at which to listen for health and metrics. (default ":1107")
--local Should Kilo manage routes within a location? (default true)
--log-level string Log level to use. Possible values: all, debug, info, warn, error, none (default "info")
--master string The address of the Kubernetes API server (overrides any value in kubeconfig).
--mesh-granularity string The granularity of the network mesh to create. Possible values: location, full (default "location")
--mtu uint The MTU of the WireGuard interface created by Kilo. (default 1420)
--port int The port over which WireGuard peers should communicate. (default 51820)
--prioritise-private-addresses Prefer to assign a private IP address to the node's endpoint.
--resync-period duration How often should the Kilo controllers reconcile? (default 30s)
--service-cidr strings The service CIDR for the Kubernetes cluster. Can be provided optionally to avoid masquerading packets sent to service IPs. Can be specified multiple times.
--subnet string CIDR from which to allocate addresses for WireGuard interfaces. (default "10.4.0.0/16")
--topology-label string Kubernetes node label used to group nodes into logical locations. (default "topology.kubernetes.io/region")
--version Print version and exit