Add explanation for Pod IP addresses.

terraform/modules/cluster/main.tf

@@ -72,7 +72,12 @@ variable "cluster_exists" {
 variable "routes_based" {
   description = "Set to true to create a routes-based cluster instead of VPC Native. This is mostly for testing."
   type        = bool
-  default     = true
+  default     = false
+}
+
+variable "enable_snat" {
+  description = "Whether we should enable source network address translation to the node IP address."
+  type        = bool
 }
 
 output "gke_connect_command" {

terraform/modules/cluster/workload.tf

@@ -35,5 +35,6 @@ module "workload" {
   dns_managed_zone                       = var.dns_managed_zone
   public_ingress                         = var.public_ingress
   ingress_type                           = var.ingress_type
+  enable_snat                            = var.enable_snat
   main_k8s_namespace                     = var.main_k8s_namespace
 }

terraform/modules/k8s_workload/ip_masq.tf

@@ -0,0 +1,14 @@
+resource "kubernetes_config_map" "ip_masq_agent" {
+  count = var.enable_snat ? 1 : 0
+
+  metadata {
+    name      = "ip-masq-agent"
+    namespace = "kube-system"
+  }
+
+  data = {
+    config = "nonMasqueradeCIDRs:\n  - 100.64.0.0/19\n  - 240.10.0.0/17\nmasqLinkLocal: false\nresyncInterval: 60s\n"
+  }
+
+  depends_on = [var.node_pool]
+}

terraform/modules/k8s_workload/main.tf

@@ -29,6 +29,11 @@ variable "main_k8s_namespace" {
   type = string
 }
 
+variable "enable_snat" {
+  description = "Whether we should enable source network address translation to the node IP address."
+  type        = bool
+}
+
 # Provide time for Service cleanup
 resource "time_sleep" "wait_service_cleanup" {
   depends_on = [var.cluster]