Static outgoing IP in Kubernetes

21.7k views

I run a k8s cluster in Google Cloud (GKE) and a MySQL server in AWS (RDS). Pods need to connect to RDS, which only allows connections from certain IPs. How can I configure outgoing traffic to have a static IP?

4

There are 4 answers

4
Michele Orsi On

I did some research and found a couple of things.

The thing we are looking for is called "egress IPs" or NAT-as-a-Service, and neither is yet available in GKE.

In any case we have two different options:

  1. create a NAT Gateway VM which acts as an egress proxy. Here is a nice article talking about that (Google Cloud NAT gateway)
  2. assign static IPs to container cluster VM instances

Hope it helps!

5
Luc Charpentier On

I had the same problem connecting to an SFTP server from a Pod. To solve this, first you need to create an external IP address:

gcloud compute addresses create {{ EXT_ADDRESS_NAME }} --region {{ REGION }}

Then, I suppose that your pod is assigned to your default-pool node cluster. Extract your default-pool node name:

gcloud compute instances list | awk '{ print $1 }' | grep default-pool

Erase the default external IP of the VM instance:

gcloud compute instances delete-access-config {{ VM_DEFAULT-POOL_INSTANCE }} --access-config-name external-nat

Add the external static IP you created before:

gcloud compute instances add-access-config {{ VM_DEFAULT-POOL_INSTANCE }} --access-config-name external-nat --address {{ EXT_ADDRESS_IP }}

If your Pod is not attached to the default-pool node, don't forget to select it with a nodeSelector:

nodeSelector:
    cloud.google.com/gke-nodepool: {{ NODE_NAME }}

0
matlab hater On

I know this is really old, but for me the solution is to create a private Kubernetes cluster in Google Cloud. If the cluster is private, then the nodes won't have any external IPs. If the nodes don't have external IPs and we have a Cloud NAT, then all the outgoing traffic will have the same IP as the Cloud NAT IP. All of this can be done through the Google Cloud console.

I found this article to be informative on creating a private cluster: https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters

If the cluster is private and you need to access it from some remote area, use this command:

gcloud container clusters update {cluster_name} --enable-master-authorized-networks --master-authorized-networks {CIDR notation of your ip}

NOTE: Create the Cloud NAT in the same region as the Kubernetes cluster. Also, when creating the Cloud NAT, make sure you select the 'manual' option for NAT IP addresses, then select one static IP you have. Leave the rest of the configuration at the defaults unless you know what you're doing.

After everything is set up, kubectl exec into any of your pods running on any node. Use the dig command to check your outgoing IP.

dig +short myip.opendns.com @resolver1.opendns.com

It should be the same as the Cloud NAT IP.
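The two approaches above (swapping each node's ephemeral external IP for a reserved one, and private nodes behind Cloud NAT) share the same verification need: the address a pod actually egresses from must be the one allow-listed on RDS, and no node may keep an external IP of its own that would bypass the NAT. The script below is an added example, not code from any of the answers; it assumes an authenticated gcloud/kubectl, and POOL, ZONE, ADDRESS and POD are placeholder variables you set.

```shell
#!/bin/sh
# Added example: helpers for the static-IP-per-node and Cloud NAT approaches,
# plus a check that the egress IP seen from a pod is the one RDS expects.

# Instance names in a GKE node pool, read from `gcloud compute instances list`
# output on stdin (GKE names look like gke-<cluster>-<pool>-<hash>-<id>).
nodes_in_pool() {
  awk -v pool="$1" 'NR > 1 && index($1, "-" pool "-") { print $1 }'
}

# Names of nodes that still carry an external IP, read on stdin from
# gcloud compute instances list \
#   --format='value(name,networkInterfaces[0].accessConfigs[0].natIP)'
# After moving to a private cluster + Cloud NAT this should print nothing:
# a node with its own external IP does not egress through the NAT address.
nodes_with_external_ip() {
  awk -F '\t' '$2 != "" { print $1 }'
}

# Replace a node's ephemeral external IP with the reserved static one
# (the two gcloud steps from the second answer, with an explicit zone).
swap_node_ip() {
  gcloud compute instances delete-access-config "$1" --zone "$2" \
    --access-config-name external-nat
  gcloud compute instances add-access-config "$1" --zone "$2" \
    --access-config-name external-nat --address "$3"
}

# The egress IP a pod actually uses, resolved the way the third answer does.
observed_egress_ip() {
  kubectl exec "$1" -- dig +short myip.opendns.com @resolver1.opendns.com
}

# Succeeds only when a non-empty observed IP equals the RDS-allow-listed one.
egress_matches() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

main() {
  pool=${POOL:-default-pool} zone=${ZONE:?} address=${ADDRESS:?} pod=${POD:?}
  for node in $(gcloud compute instances list | nodes_in_pool "$pool"); do
    swap_node_ip "$node" "$zone" "$address"
  done
  egress_matches "$(observed_egress_ip "$pod")" "$address" \
    && echo "egress OK: $address"
}

if [ "${RUN_MAIN:-0}" = 1 ]; then main; fi
```

Run with RUN_MAIN=1 to perform the swap; without it the file only defines the functions, so `nodes_with_external_ip` can be used on its own as a post-migration audit of a Cloud NAT setup.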

0
Marcin Bilski On

You can use kubeip, a pod that assigns an IP address from a predefined pool to every new node.