This is why I am asking about Calico. Something has to assign IP addresses to pods/containers. Calico seems to be able to do this on AWS VPC with a bespoke integration, and seems smart enough to know when it's supposed to do that. I can specify that it should use VPC integration for AWS subnets... somehow. Otherwise, it appears its daemon creates a subnet for pods on each host, and then routes traffic from them to a host's network interface. This suggests two approaches:
(1) Use the physical network interface and a router that moves traffic to the VPC nodes and vice versa. This is two gateways, one in each network.
(2) Each host (k8s node) would have netclient installed, and tell Calico to use the WireGuard interface.
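For approach (2), the piece that "tells Calico to use the WireGuard interface" is Calico's node IP autodetection. By default calico-node picks the first valid interface, which on a netclient host is the physical NIC, so the node-to-node BGP/VXLAN mesh would be built over the VPC/physical addresses rather than over the WireGuard overlay. The following is an added example, not configuration from the original post or from the Calico or Netmaker projects; it assumes the Tigera operator install (the `Installation` resource) and assumes the netclient interface name matches `nm-.*` (hypothetical; check the actual interface name with `ip link` on a node). The `mtu` value is also an assumption: WireGuard adds its own encapsulation overhead, so the pod network MTU must be smaller than the WireGuard interface MTU, and the right number depends on the underlying path.

```yaml
# Added example (not from the original post): pin Calico's node address
# autodetection to the netclient WireGuard interface so that node-to-node
# pod traffic rides the overlay instead of the physical/VPC interface.
apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
  name: default
spec:
  calicoNetwork:
    # Assumption: netclient names its interface nm-<network>; adjust the
    # regex to whatever `ip link` shows on the node.
    nodeAddressAutodetectionV4:
      interface: "nm-.*"
    # Assumption: the WireGuard interface MTU is 1420 and VXLAN adds 50 bytes
    # of overhead; size the pod network below that so packets are not dropped.
    mtu: 1370
    ipPools:
      - name: default-ipv4-ippool
        cidr: 10.244.0.0/16
        encapsulation: VXLAN
        natOutgoing: Enabled
        nodeSelector: all()
```

With a manifest (non-operator) install the equivalent knob is the `IP_AUTODETECTION_METHOD` environment variable on the calico-node DaemonSet container, set to `interface=nm-.*`. Either way, verify the result with `kubectl get nodes -o wide` and `calicoctl node status`: the node INTERNAL-IP and the BGP peer addresses should be the WireGuard-side addresses, not the VPC ones. If Calico is already running, restart the calico-node pods after changing the autodetection method so the node IPs are re-learned.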