siderolabs
diff --git a/‎api/resource/definitions/cluster/cluster.proto‎
Lines changed: 1 addition & 0 deletions b/‎api/resource/definitions/cluster/cluster.proto‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎api/resource/definitions/kubespan/kubespan.proto‎
Lines changed: 1 addition & 0 deletions b/‎api/resource/definitions/kubespan/kubespan.proto‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎go.mod‎
Lines changed: 1 addition & 1 deletion b/‎go.mod‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎go.sum‎
Lines changed: 2 additions & 2 deletions b/‎go.sum‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎hack/release.toml‎
Lines changed: 9 additions & 0 deletions b/‎hack/release.toml‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎internal/app/machined/pkg/controllers/cluster/discovery_service.go‎
Lines changed: 16 additions & 0 deletions b/‎internal/app/machined/pkg/controllers/cluster/discovery_service.go‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎internal/app/machined/pkg/controllers/cluster/discovery_service_test.go‎
Lines changed: 18 additions & 4 deletions b/‎internal/app/machined/pkg/controllers/cluster/discovery_service_test.go‎
Lines changed: 18 additions & 4 deletions
diff --git a/‎internal/app/machined/pkg/controllers/cluster/local_affiliate.go‎
Lines changed: 2 additions & 0 deletions b/‎internal/app/machined/pkg/controllers/cluster/local_affiliate.go‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎internal/app/machined/pkg/controllers/cluster/local_affiliate_test.go‎
Lines changed: 2 additions & 0 deletions b/‎internal/app/machined/pkg/controllers/cluster/local_affiliate_test.go‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎internal/app/machined/pkg/controllers/kubespan/config.go‎
Lines changed: 1 addition & 0 deletions b/‎internal/app/machined/pkg/controllers/kubespan/config.go‎
Lines changed: 1 addition & 0 deletions
@@ -56,6 +56,7 @@ message KubeSpanAffiliateSpec {
   common.NetIP address = 2;
   repeated common.NetIPPrefix additional_addresses = 3;
   repeated common.NetIPPort endpoints = 4;
+  repeated common.NetIPPrefix exclude_advertised_networks = 5;
 }
 
 // MemberSpec describes Member state.
 
@@ -20,6 +20,7 @@ message ConfigSpec {
   repeated string endpoint_filters = 7;
   bool harvest_extra_endpoints = 8;
   repeated common.NetIPPort extra_endpoints = 9;
+  repeated common.NetIPPrefix exclude_advertised_networks = 10;
 }
 
 // EndpointSpec describes Endpoint state.
 
@@ -137,7 +137,7 @@ require (
 	github.com/safchain/ethtool v0.7.0
 	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.36
 	github.com/siderolabs/crypto v0.6.4
-	github.com/siderolabs/discovery-api v0.1.6
+	github.com/siderolabs/discovery-api v0.1.8
 	github.com/siderolabs/discovery-client v0.1.13
 	github.com/siderolabs/gen v0.8.6
 	github.com/siderolabs/go-api-signature v0.3.12
 
@@ -634,8 +634,8 @@ github.com/siderolabs/coredns v1.14.53 h1:rwWyicwWFcu+i8OV0WT1u2W46J/iIReqzm+pSv
 github.com/siderolabs/coredns v1.14.53/go.mod h1:KAGRTpTbhrScGMhiLsgnzo30OgiBBut1Y5XTuG1V+BQ=
 github.com/siderolabs/crypto v0.6.4 h1:uMoe/X/mABOv6yOgvKcjmjIMdv6U8JegBXlPKtyjn3g=
 github.com/siderolabs/crypto v0.6.4/go.mod h1:39B7Mdrd8qTfEYOjsWPQOk7gLTWrEI30isAW+YYj9nk=
-github.com/siderolabs/discovery-api v0.1.6 h1:/LhsF1ytqFEfWwV0UKfUgn90k9fk5+rhYMJ9yeUB2yc=
-github.com/siderolabs/discovery-api v0.1.6/go.mod h1:s5CnTyRMGid/vJNSJs8Jw9I4tnKHu/2SGqP2ytTaePQ=
+github.com/siderolabs/discovery-api v0.1.8 h1:Hq/Si0fFQICvdT+P/I81fRf9t5I+J6vaJNBvgehv8GE=
+github.com/siderolabs/discovery-api v0.1.8/go.mod h1:JN8aBpnsArIeLNLbqt3HIYHyFR14Qfwr4etAB2ZfygA=
 github.com/siderolabs/discovery-client v0.1.13 h1:s0iK2ixopCFFgQ5zZmzsQ8xf8Hd+SygrUdlhE+um6iQ=
 github.com/siderolabs/discovery-client v0.1.13/go.mod h1:kojlX4Kk0o9wsbJU1XOy4BH0W6RMg2I2d8WJ4ciK3qU=
 github.com/siderolabs/ethtool v0.4.0-sidero h1:Ls/M4bFUjfcB1RDVviPZlL3kWcXaEVVSbKke+EZ2A9U=
 
@@ -204,6 +204,15 @@ cluster:
 ```
 
 (If the cluster is already running, sync the bootstrap manifests after applying the patch to deploy the new CNI configuration.)
+"""
+
+    [notes.kubespan-filters]
+        title = "KubeSpan Advertised Network Filters"
+        description = """\
+KubeSpan now supports filtering of advertised networks using the `excludeAdvertisedNetworks` field in the `KubeSpanConfig` document.
+This allows users to specify a list of CIDRs to exclude from the advertised networks. Please note that routing must be symmetric for any
+pair of peers, so if one peer excludes a certain network, the other peer must also exclude it. In other words, for any given pair of peers,
+and any pair of their addresses, the traffic should either go through KubeSpan or not, but not one way or the other.
 """
 
 [make_deps]
 
@@ -355,6 +355,12 @@ func pbAffiliate(affiliate *cluster.AffiliateSpec) *pb.Affiliate {
 					Ip:   takeResult(address.Addr().MarshalBinary()),
 				}
 			}),
+			ExcludeAdvertisedAddresses: xslices.Map(affiliate.KubeSpan.ExcludeAdvertisedNetworks, func(address netip.Prefix) *pb.IPPrefix {
+				return &pb.IPPrefix{
+					Bits: uint32(address.Bits()),
+					Ip:   takeResult(address.Addr().MarshalBinary()),
+				}
+			}),
 		}
 	}
 
@@ -498,6 +504,16 @@ func specAffiliate(affiliate *pb.Affiliate, endpoints []*pb.Endpoint) cluster.Af
 				result.KubeSpan.Endpoints = append(result.KubeSpan.Endpoints, netip.AddrPortFrom(ip, uint16(endpoints[i].Port)))
 			}
 		}
+
+		result.KubeSpan.ExcludeAdvertisedNetworks = make([]netip.Prefix, 0, len(affiliate.Kubespan.ExcludeAdvertisedAddresses))
+
+		for i := range affiliate.Kubespan.ExcludeAdvertisedAddresses {
+			var ip netip.Addr
+
+			if err := ip.UnmarshalBinary(affiliate.Kubespan.ExcludeAdvertisedAddresses[i].Ip); err == nil {
+				result.KubeSpan.ExcludeAdvertisedNetworks = append(result.KubeSpan.ExcludeAdvertisedNetworks, netip.PrefixFrom(ip, int(affiliate.Kubespan.ExcludeAdvertisedAddresses[i].Bits)))
+			}
+		}
 	}
 
 	return result
 
@@ -83,10 +83,11 @@ func (suite *DiscoveryServiceSuite) TestReconcile() {
 		MachineType: machine.TypeControlPlane,
 		Addresses:   []netip.Addr{netip.MustParseAddr("192.168.3.4")},
 		KubeSpan: cluster.KubeSpanAffiliateSpec{
-			PublicKey:           "PLPNBddmTgHJhtw0vxltq1ZBdPP9RNOEUd5JjJZzBRY=",
-			Address:             netip.MustParseAddr("fd50:8d60:4238:6302:f857:23ff:fe21:d1e0"),
-			AdditionalAddresses: []netip.Prefix{netip.MustParsePrefix("10.244.3.1/24")},
-			Endpoints:           []netip.AddrPort{netip.MustParseAddrPort("10.0.0.2:51820"), netip.MustParseAddrPort("192.168.3.4:51820")},
+			PublicKey:                 "PLPNBddmTgHJhtw0vxltq1ZBdPP9RNOEUd5JjJZzBRY=",
+			Address:                   netip.MustParseAddr("fd50:8d60:4238:6302:f857:23ff:fe21:d1e0"),
+			AdditionalAddresses:       []netip.Prefix{netip.MustParsePrefix("10.244.3.1/24")},
+			Endpoints:                 []netip.AddrPort{netip.MustParseAddrPort("10.0.0.2:51820"), netip.MustParseAddrPort("192.168.3.4:51820")},
+			ExcludeAdvertisedNetworks: []netip.Prefix{netip.MustParsePrefix("0.0.0.0/0")},
 		},
 		ControlPlane: &cluster.ControlPlane{APIServerPort: 6443},
 	}
@@ -141,6 +142,12 @@ func (suite *DiscoveryServiceSuite) TestReconcile() {
 							Bits: 24,
 						},
 					},
+					ExcludeAdvertisedAddresses: []*pb.IPPrefix{
+						{
+							Ip:   []byte("\x00\x00\x00\x00"),
+							Bits: 0,
+						},
+					},
 				},
 				ControlPlane: &pb.ControlPlane{ApiServerPort: 6443},
 			}, affiliates[0].Affiliate))
@@ -179,6 +186,12 @@ func (suite *DiscoveryServiceSuite) TestReconcile() {
 						Bits: 24,
 					},
 				},
+				ExcludeAdvertisedAddresses: []*pb.IPPrefix{
+					{
+						Ip:   []byte("\x01\x01\x01\x01"),
+						Bits: 32,
+					},
+				},
 			},
 		},
 		Endpoints: []*pb.Endpoint{
@@ -204,6 +217,7 @@ func (suite *DiscoveryServiceSuite) TestReconcile() {
 			suite.Assert().Equal(netip.MustParseAddr("fd50:8d60:4238:6302:f857:23ff:fe21:d1e1"), spec.KubeSpan.Address)
 			suite.Assert().Equal("1CXkdhWBm58c36kTpchR8iGlXHG1ruHa5W8gsFqD8Qs=", spec.KubeSpan.PublicKey)
 			suite.Assert().Equal([]netip.Prefix{netip.MustParsePrefix("10.244.4.1/24")}, spec.KubeSpan.AdditionalAddresses)
+			suite.Assert().Equal([]netip.Prefix{netip.MustParsePrefix("1.1.1.1/32")}, spec.KubeSpan.ExcludeAdvertisedNetworks)
 			suite.Assert().Equal([]netip.AddrPort{netip.MustParseAddrPort("192.168.3.5:51820")}, spec.KubeSpan.Endpoints)
 			suite.Assert().Zero(spec.ControlPlane)
 		},
 
@@ -256,6 +256,8 @@ func (ctrl *LocalAffiliateController) Run(ctx context.Context, r controller.Runt
 						spec.KubeSpan.AdditionalAddresses = nil
 					}
 
+					spec.KubeSpan.ExcludeAdvertisedNetworks = kubespanConfig.TypedSpec().ExcludeAdvertisedNetworks
+
 					endpointIPs := xslices.Filter(currentNodeIPs, func(ip netip.Addr) bool {
 						if ip == spec.KubeSpan.Address {
 							// skip kubespan local address
 
@@ -76,6 +76,7 @@ func (suite *LocalAffiliateSuite) TestGeneration() {
 	ksConfig.TypedSpec().EndpointFilters = []string{"0.0.0.0/0", "!192.168.0.0/16", "2001::/16"}
 	ksConfig.TypedSpec().AdvertiseKubernetesNetworks = true
 	ksConfig.TypedSpec().ExtraEndpoints = []netip.AddrPort{netip.MustParseAddrPort("10.5.0.1:51820"), netip.MustParseAddrPort("1.2.3.4:5678")}
+	ksConfig.TypedSpec().ExcludeAdvertisedNetworks = []netip.Prefix{netip.MustParsePrefix("2001:123:4567::/64")}
 	suite.Require().NoError(suite.state.Create(suite.ctx, ksConfig))
 
 	// add KS address to the list of node addresses, it should be ignored in the endpoints
@@ -115,6 +116,7 @@ func (suite *LocalAffiliateSuite) TestGeneration() {
 
 		asrt.NotZero(spec.KubeSpan.PublicKey)
 		asrt.NotZero(spec.KubeSpan.AdditionalAddresses)
+		asrt.Len(spec.KubeSpan.ExcludeAdvertisedNetworks, 1)
 
 		asrt.Equal(ksIdentity.TypedSpec().Address.Addr(), spec.KubeSpan.Address)
 		asrt.Equal(ksIdentity.TypedSpec().PublicKey, spec.KubeSpan.PublicKey)
 
@@ -52,6 +52,7 @@ func NewConfigController() *ConfigController {
 
 						if c.NetworkKubeSpanConfig().Filters() != nil {
 							res.TypedSpec().EndpointFilters = c.NetworkKubeSpanConfig().Filters().Endpoints()
+							res.TypedSpec().ExcludeAdvertisedNetworks = c.NetworkKubeSpanConfig().Filters().ExcludeAdvertisedNetworks()
 						}
 					}
Original file line number	Diff line number	Diff line change
`@@ -56,6 +56,7 @@ message KubeSpanAffiliateSpec {`
`56`	`56`	`common.NetIP address = 2;`
`57`	`57`	`repeated common.NetIPPrefix additional_addresses = 3;`
`58`	`58`	`repeated common.NetIPPort endpoints = 4;`
	`59`	`+ repeated common.NetIPPrefix exclude_advertised_networks = 5;`
`59`	`60`	`}`
`60`	`61`
`61`	`62`	`// MemberSpec describes Member state.`
Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,7 @@ message ConfigSpec {`
`20`	`20`	`repeated string endpoint_filters = 7;`
`21`	`21`	`bool harvest_extra_endpoints = 8;`
`22`	`22`	`repeated common.NetIPPort extra_endpoints = 9;`
	`23`	`+ repeated common.NetIPPrefix exclude_advertised_networks = 10;`
`23`	`24`	`}`
`24`	`25`
`25`	`26`	`// EndpointSpec describes Endpoint state.`
Original file line number	Diff line number	Diff line change
`@@ -355,6 +355,12 @@ func pbAffiliate(affiliate cluster.AffiliateSpec) pb.Affiliate {`
`355`	`355`	`Ip: takeResult(address.Addr().MarshalBinary()),`
`356`	`356`	`}`
`357`	`357`	`}),`
	`358`	`+ ExcludeAdvertisedAddresses: xslices.Map(affiliate.KubeSpan.ExcludeAdvertisedNetworks, func(address netip.Prefix) *pb.IPPrefix {`
	`359`	`+ return &pb.IPPrefix{`
	`360`	`+ Bits: uint32(address.Bits()),`
	`361`	`+ Ip: takeResult(address.Addr().MarshalBinary()),`
	`362`	`+ }`
	`363`	`+ }),`
`358`	`364`	`}`
`359`	`365`	`}`
`360`	`366`
`@@ -498,6 +504,16 @@ func specAffiliate(affiliate pb.Affiliate, endpoints []pb.Endpoint) cluster.Af`
`498`	`504`	`result.KubeSpan.Endpoints = append(result.KubeSpan.Endpoints, netip.AddrPortFrom(ip, uint16(endpoints[i].Port)))`
`499`	`505`	`}`
`500`	`506`	`}`
	`507`	`+`
	`508`	`+ result.KubeSpan.ExcludeAdvertisedNetworks = make([]netip.Prefix, 0, len(affiliate.Kubespan.ExcludeAdvertisedAddresses))`
	`509`	`+`
	`510`	`+ for i := range affiliate.Kubespan.ExcludeAdvertisedAddresses {`
	`511`	`+ var ip netip.Addr`
	`512`	`+`
	`513`	`+ if err := ip.UnmarshalBinary(affiliate.Kubespan.ExcludeAdvertisedAddresses[i].Ip); err == nil {`
	`514`	`+ result.KubeSpan.ExcludeAdvertisedNetworks = append(result.KubeSpan.ExcludeAdvertisedNetworks, netip.PrefixFrom(ip, int(affiliate.Kubespan.ExcludeAdvertisedAddresses[i].Bits)))`
	`515`	`+ }`
	`516`	`+ }`
`501`	`517`	`}`
`502`	`518`
`503`	`519`	`return result`
Original file line number	Diff line number	Diff line change
`@@ -256,6 +256,8 @@ func (ctrl *LocalAffiliateController) Run(ctx context.Context, r controller.Runt`
`256`	`256`	`spec.KubeSpan.AdditionalAddresses = nil`
`257`	`257`	`}`
`258`	`258`
	`259`	`+ spec.KubeSpan.ExcludeAdvertisedNetworks = kubespanConfig.TypedSpec().ExcludeAdvertisedNetworks`
	`260`	`+`
`259`	`261`	`endpointIPs := xslices.Filter(currentNodeIPs, func(ip netip.Addr) bool {`
`260`	`262`	`if ip == spec.KubeSpan.Address {`
`261`	`263`	`// skip kubespan local address`
Original file line number	Diff line number	Diff line change
`@@ -52,6 +52,7 @@ func NewConfigController() *ConfigController {`
`52`	`52`
`53`	`53`	`if c.NetworkKubeSpanConfig().Filters() != nil {`
`54`	`54`	`res.TypedSpec().EndpointFilters = c.NetworkKubeSpanConfig().Filters().Endpoints()`
	`55`	`+ res.TypedSpec().ExcludeAdvertisedNetworks = c.NetworkKubeSpanConfig().Filters().ExcludeAdvertisedNetworks()`
`55`	`56`	`}`
`56`	`57`	`}`
`57`	`58`