Using NAT with bridge

The bridge plugin can be configured to create a separate network on the host that is NAT'ed in the same way as the default network. The difference from a ptp-configured network is that pods on the same bridge can communicate with each other directly through the bridge, without passing through the host as a gateway.

$ cat /etc/rkt/net.d/10-bridge-nat.conf
{
    "name": "bridge-nat",
    "type": "bridge",
    "bridge": "rkt-bridge-nat",
    "ipMasq": true,
    "isGateway": true,
    "ipam": {
        "type": "host-local",
        "subnet": "",
        "routes": [
            { "dst": "" }
        ]
    }
}

This will add a bridge interface named rkt-bridge-nat on the host and attach the pod's veth endpoint to it. It will not attach any other interface to the bridge, which remains the user's responsibility.
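As an added example (not part of the rkt documentation), the following Python checker reads a bridge configuration like the one above and reports the settings that decide whether the network is NAT'ed and whether the host acts as its gateway. The subnet and default-route values in the embedded sample are assumed for illustration and are not taken from this page.

```python
import ipaddress
import json

# Constructed sample config in the format shown on this page; the subnet and
# the default-route destination are assumed values, not the page's own.
SAMPLE_CONF = """
{
    "name": "bridge-nat",
    "type": "bridge",
    "bridge": "rkt-bridge-nat",
    "ipMasq": true,
    "isGateway": true,
    "ipam": {
        "type": "host-local",
        "subnet": "10.2.0.0/24",
        "routes": [ { "dst": "0.0.0.0/0" } ]
    }
}
"""


def audit_bridge_conf(text):
    """Summarise the NAT-relevant settings of a CNI bridge config and collect
    findings a reviewer of /etc/rkt/net.d would want to see."""
    conf = json.loads(text)
    findings = []
    ipam = conf.get("ipam", {})
    subnet = ipam.get("subnet", "")
    dsts = [r.get("dst", "") for r in ipam.get("routes", [])]
    has_default = any(d in ("0.0.0.0/0", "::/0") for d in dsts)
    try:
        net = ipaddress.ip_network(subnet)
    except ValueError:
        net = None
        findings.append("ipam.subnet is missing or invalid: %r" % subnet)
    if net is not None and not net.is_private:
        findings.append("subnet %s is not a private range" % net)
    # With ipMasq the host must hold the gateway address on the bridge
    # (isGateway), otherwise pod traffic has nowhere to leave the bridge.
    if conf.get("ipMasq") and not conf.get("isGateway"):
        findings.append("ipMasq is set but isGateway is not")
    if conf.get("ipMasq") and not has_default:
        findings.append("ipMasq is set but ipam.routes has no default route")
    return {
        "bridge": conf.get("bridge"),
        "nat": bool(conf.get("ipMasq")),
        "gateway": bool(conf.get("isGateway")),
        "subnet": subnet,
        "default_route": has_default,
        "findings": findings,
    }
```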

Inside the pod, the interface configuration looks like this:

$ sudo rkt run --net=bridge-nat --interactive --debug
# ip -4 address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue
    inet scope host lo
       valid_lft forever preferred_lft forever
3: eth0@if68: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
    inet scope global eth0
       valid_lft forever preferred_lft forever
5: eth1@if69: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
    inet scope global eth1
       valid_lft forever preferred_lft forever
# ip -4 route
default via dev eth0
dev eth0  src
via dev eth1  src
dev eth1  src

Note that the default-restricted network has been loaded in addition to the requested network, which is why the pod shows two interfaces.