I have been playing a little with a small mesos cluster. I wanted to have my tasks run with a different IP address range from the host and on a tunnel device. Since the host was already using macvtap interfaces, I decided to create a cni macvtap plugin. Tasks of course fail to launch, because the mesos agent/slave cannot reach them. So I decided to create host routes that would allow this communication to succeed, details here [0]. Is this a bad implementation (security or otherwise)? I thought not, because if you use the portmapper or bridge plugin you have similar traffic possible. The plugin will automatically create the host route via this configuration setting [1].

[0] https://github.com/f1-outsourcing/plugins/blob/master/plugins/main/macvtap/macvtap-routing.md
[1] https://github.com/f1-outsourcing/plugins/tree/master/plugins/main/macvtap#hostrouteif

