devops-land · cbtibs · Jun 1, 2025
diff --git a/config/crd/bases/vpn.wireguard-operator.io_wireguards.yaml b/config/crd/bases/vpn.wireguard-operator.io_wireguards.yaml
@@ -115,6 +115,10 @@ spec:
                   be useful to enable if the peers are having problems with sending
                   traffic to the internet.
                 type: boolean
+              hostNetwork:
+                description: A boolean field that specifies whether the Wireguard
+                  VPN pod should run in the host network namespace.
+                type: boolean
               metric:
                 description: WireguardPodSpec defines spec for respective containers
                   created for Wireguard

diff --git a/pkg/api/v1alpha1/wireguard_types.go b/pkg/api/v1alpha1/wireguard_types.go
@@ -53,6 +53,8 @@ type WireguardSpec struct {
 	EnableIpForwardOnPodInit bool `json:"enableIpForwardOnPodInit,omitempty"`
 	// A boolean field that specifies whether to use the userspace implementation of Wireguard instead of the kernel one.
 	UseWgUserspaceImplementation bool `json:"useWgUserspaceImplementation,omitempty"`
+	// A boolean field that specifies whether the Wireguard VPN pod should run in the host network namespace.
+	HostNetwork bool `json:"hostNetwork,omitempty"`
 
 	NodeSelector map[string]string `json:"nodeSelector,omitempty"`
 	Agent        WireguardPodSpec  `json:"agent,omitempty"`

diff --git a/pkg/controllers/wireguard_controller.go b/pkg/controllers/wireguard_controller.go
@@ -863,6 +863,11 @@ func (r *WireguardReconciler) deploymentForWireguard(m *v1alpha1.Wireguard) *app
 		}
 	}
 
+	if m.Spec.HostNetwork {
+		dep.Spec.Template.Spec.HostNetwork = true
+		dep.Spec.Template.Spec.DNSPolicy = corev1.DNSClusterFirstWithHostNet
+	}
+
 	ctrl.SetControllerReference(m, dep, r.Scheme)
 	return dep
 }