SNAT traffic from outside-cluster sources in kube-proxy #24224
Closed
Description
A lot of users want to access Kubernetes services from outside the cluster but on the same private network. With the userspace kube-proxy, there are a couple of hacks that could make this work:
- Run kube-proxy wherever you want to access those services.
- Create bastion route(s) to funnel traffic to services to a cluster node.
The iptables kube-proxy breaks option 2. Traffic from a client that is routed via the bastion route to node A, but kube-proxied to a Pod on node B, gets its response directly from node B, while the client is expecting a response from the service IP.
One workaround is to masquerade traffic from IPs outside of the cluster. It means that we don't see true client IPs, but that was already the case with the bastion route and the userspace proxy anyway.
So, could we add a flag to kube-proxy that gets it to maintain a masquerade rule for off-cluster traffic? Something like:
```
iptables -t nat -I POSTROUTING ! -s "${CLUSTER_CIDR}" -j MASQUERADE
```
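As an added example (not kube-proxy's own code, and not part of the original issue), the script below shows how such a rule would be maintained in practice: it builds the rule spec from `CLUSTER_CIDR`, checks an `iptables-save` dump for an existing copy so a restart does not stack duplicate rules, and only inserts when the rule is absent. The `CLUSTER_CIDR` value and the two `iptables-save` dumps are constructed sample data; `ensure_masq_rule` needs root and a real iptables and is the only part that touches the system.

```shell
#!/bin/sh
# Added example, not from the kube-proxy project. Manages the off-cluster
# MASQUERADE rule proposed in the issue idempotently.
set -eu

# Constructed sample cluster CIDR (assumption for this example).
CLUSTER_CIDR="${CLUSTER_CIDR:-10.244.0.0/16}"

# Rule body shared by -C (check), -I (insert) and iptables-save matching.
masq_rule_spec() {
    printf '! -s %s -j MASQUERADE' "$1"
}

# Read an iptables-save dump on stdin. Exit 0 if the nat table's
# POSTROUTING chain already carries the masquerade rule for the CIDR,
# exit 1 otherwise. Only lines between "*nat" and its "COMMIT" count.
dump_has_masq_rule() {
    awk -v spec="-A POSTROUTING $(masq_rule_spec "$1")" '
        /^\*nat$/  { in_nat = 1; next }
        /^COMMIT$/ { in_nat = 0 }
        in_nat && $0 == spec { found = 1 }
        END { exit(found ? 0 : 1) }
    '
}

# Install the rule once: iptables -C returns 0 when an identical rule
# exists, so the -I only runs on the first call. Requires root.
ensure_masq_rule() {
    cidr="$1"
    # shellcheck disable=SC2046  # word-splitting of the spec is intended
    if ! iptables -t nat -C POSTROUTING $(masq_rule_spec "$cidr") 2>/dev/null; then
        iptables -t nat -I POSTROUTING $(masq_rule_spec "$cidr")
    fi
}

# Constructed iptables-save dumps used to exercise dump_has_masq_rule.
SAMPLE_DUMP_WITH_RULE='*filter
:INPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING ! -s 10.244.0.0/16 -j MASQUERADE
COMMIT'

# Same rule text, but in the filter table: must NOT count as present.
SAMPLE_DUMP_WITHOUT_RULE='*filter
:INPUT ACCEPT [0:0]
-A POSTROUTING ! -s 10.244.0.0/16 -j MASQUERADE
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
COMMIT'

# Convenience wrapper: report "present" or "absent" for a dump string.
rule_state_in_dump() {
    if printf '%s\n' "$1" | dump_has_masq_rule "$2"; then
        echo present
    else
        echo absent
    fi
}

# Stand-alone run: show the state in both samples, then (if root) install.
if [ "${1:-}" = "--apply" ]; then
    ensure_masq_rule "$CLUSTER_CIDR"
    iptables-save -t nat | dump_has_masq_rule "$CLUSTER_CIDR" && echo "rule present"
else
    echo "with rule:    $(rule_state_in_dump "$SAMPLE_DUMP_WITH_RULE" "$CLUSTER_CIDR")"
    echo "without rule: $(rule_state_in_dump "$SAMPLE_DUMP_WITHOUT_RULE" "$CLUSTER_CIDR")"
fi
```

Run it without arguments to exercise the detection logic against the constructed dumps; `--apply` performs the real check-then-insert on the host. The `iptables -C` guard matters because kube-proxy resyncs its rules periodically, and a plain `-I` on every resync would leave a growing stack of identical MASQUERADE rules in POSTROUTING.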