Static outgoing IP in Kubernetes

一整个雨季 2020-12-04 21:40

I run a k8s cluster in Google Cloud (GKE) and a MySQL server in AWS (RDS). Pods need to connect to RDS, which only allows connections from certain IPs. How can I configure out

4 answers
  • 2020-12-04 22:11

    I did some research and I found a couple of things.

    The thing we are looking for is called "egress IPs" or NAT-as-a-Service and they are both not yet available in GKE.

    In any case we have two different options:

    1. create a NAT Gateway VM which acts as an egress proxy. Here is a nice article talking about that (google cloud NAT gateway)
    2. assign static IPs to container cluster VM instances

    Hope it helps!

  • 2020-12-04 22:20

    I had the same problem connecting to an SFTP server from a Pod. To solve this, first you need to create an external IP address:

    gcloud compute addresses create {{ EXT_ADDRESS_NAME }} --region {{ REGION }}

    Then, I suppose that your pod is assigned to your default-pool node cluster. Extract your default-pool node name:

    gcloud compute instances list | awk '{ print $1 }' | grep default-pool

    Erase the default external IP of the VM instance:

    gcloud compute instances delete-access-config {{ VM_DEFAULT-POOL_INSTANCE }} --access-config-name external-nat

    Add the external static IP you created before:

    gcloud compute instances add-access-config {{ VM_DEFAULT-POOL_INSTANCE }} --access-config-name external-nat --address {{ EXT_ADDRESS_IP }}

    If your Pod is not attached to the default-pool node, don't forget to select it with a nodeSelector:

    nodeSelector:
        cloud.google.com/gke-nodepool: {{ NODE_NAME }}
  • 2020-12-04 22:32

    I know this is really old, but for me the solution is to create a private Kubernetes cluster in Google Cloud. If the cluster is private then the nodes won't have any external IPs. If the nodes don't have external IPs and we have a Cloud NAT, then all the outgoing traffic will have the same IP as the Cloud NAT IP. All of this can be done through the Google Cloud console.

    I found this article to be informative on creating a private cluster: https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters

    If the cluster is private and you need to access it from some remote area, use this command:

    gcloud container clusters update {cluster_name} --enable-master-authorized-networks --master-authorized-networks {CIDR notation of your ip}

    NOTE: Create the Cloud NAT in the same region as the Kubernetes cluster. Also, when creating the Cloud NAT, make sure you select the 'manual' option for NAT IP addresses, then select one static IP you have. Leave the rest of the configuration at the defaults unless you know what you're doing.

    After everything is set up, kubectl exec into any of your pods running on any node. Use the dig command to check your outgoing IP.

    dig +short myip.opendns.com @resolver1.opendns.com

    It should be the same as the Cloud NAT IP.

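As an added check that is not part of any answer above: once the egress IP reported by `dig` is known, the following Python (mine, not the posters' code) verifies it against the RDS security group's inbound MySQL rules and flags a matching rule that is wider than a single host, which defeats the point of pinning the egress IP. The security-group JSON is a constructed sample in the shape of `aws ec2 describe-security-groups` output, and all addresses are documentation ranges.

```python
import ipaddress
import json

# Constructed sample (not output from a real account) in the shape returned by
# `aws ec2 describe-security-groups` for the security group attached to RDS.
SAMPLE_SG_JSON = json.dumps({
    "SecurityGroups": [{
        "GroupId": "sg-0123456789abcdef0",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "203.0.113.7/32", "Description": "GKE Cloud NAT"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    }]
})


def mysql_ingress_cidrs(sg_json: str, port: int = 3306) -> list:
    """Return every IPv4 CIDR allowed to reach `port` over TCP in the given groups.

    A rule with IpProtocol "-1" (all traffic) has no port fields, so it is
    treated as covering every port.
    """
    cidrs = []
    for group in json.loads(sg_json)["SecurityGroups"]:
        for perm in group["IpPermissions"]:
            if perm["IpProtocol"] not in ("tcp", "-1"):
                continue
            if not (perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)):
                continue
            cidrs.extend(r["CidrIp"] for r in perm.get("IpRanges", []))
    return cidrs


def check_egress(egress_ip: str, cidrs: list, max_prefixlen: int = 32) -> dict:
    """Report whether `egress_ip` (e.g. the Cloud NAT address shown by dig) is
    admitted by `cidrs`, and which admitting rules are broader than a /32."""
    ip = ipaddress.ip_address(egress_ip.strip())
    matching = [c for c in cidrs if ip in ipaddress.ip_network(c, strict=False)]
    broad = [c for c in matching
             if ipaddress.ip_network(c, strict=False).prefixlen < max_prefixlen]
    return {"allowed": bool(matching), "matching": matching, "too_broad": broad}


if __name__ == "__main__":
    # Pretend "203.0.113.7" is the line printed by the dig command above.
    print(check_egress("203.0.113.7\n", mysql_ingress_cidrs(SAMPLE_SG_JSON)))
```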
  • 2020-12-04 22:32

    You can use kubeip, a pod that, for every new node, will assign an IP address from a predefined pool.
