[systemd-devel] help with systemd-networkd and corner case (?) setup

Felix Rubio felix at kngnt.org
Sat Jun 7 13:39:40 UTC 2025 

Hi everybody,

I am trying to setup a scenario in which I have a kubernetes cluster and a set 
of podman containers providing services to it (e.g., postgresql). I'd like 
these services to be accessible by the cluster only. To this end, I am 
creating a veth pair (veth-host and veth-cluster), and then I move the veth-
host inside of a namespace (I am following chatgpt on this).

I am not that sure that what I am doing is correct here, also because the 
moment I move veth-host inside the namespace, restarting systemd-networkd is a 
pain (cannot bring up veth-host because it finds it still exist).

Can anybody provide advice on a proper, clean, way to achieve this? I have 
spent some hours in circles and I am running out of ideas. 

These are my files. veth-host is being bridged to podman0, the interface the 
containers will be binding to (I think I should be able to use directly veth-
host, but chatgpt strongly disagrees?).

Thank you very much for your time and work!

==== veth-host.netdev
[NetDev]
Name=veth-host
Kind=veth

[Peer]
Name=veth-cluster

==== veth-host.network
[Match]
Name=veth-host

[Network]
Bridge=podman0

==== veth-cluster.network
[Match]
Name=veth-cluster

[Network]

==== cluster-private-netns.service
[Unit]
Description=Move veth-host into 'cluster-ns' network namespace
Requires=systemd-networkd.service
After=systemd-networkd.service

[Service]
Type=oneshot
ExecStartPre=/bin/bash -c '[ -e /var/run/netns/cluster-ns ] || ip netns add 
cluster-ns'
ExecStartPre=/bin/bash -c ' \
  nft add table inet filter && \
  nft add chain inet filter input { type filter hook input priority 0 \; policy 
accept \; } && \
  nft add rule inet filter input iifname "veth-host" ip saddr != {{ 
private_cluster_veth_ip.split("/")[0] }} drop \
'

ExecStart=/bin/bash -c '\
    ip link set veth-host netns cluster-ns && \
    ip netns exec cluster-ns ip addr add 10.44.0.1 dev veth-host && \
    ip netns exec cluster-ns ip link set veth-host up && \
    ip netns exec cluster-ns ip link set lo up && \
    ip netns exec cluster-ns ip route add default via 10.44.0.1 \
'
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

More information about the systemd-devel mailing list