Google Kubernetes Engine without going NAT with kubeIP!


Vadim Solovey

Jun 21, 2018, 10:54:01 AM
to Kubernetes developer/contributor discussion
Many applications need to be whitelisted by consumers based on source IP address, usually for security reasons. As of today, Google Kubernetes Engine doesn’t support assigning a static pool of addresses to a GKE cluster and requires the deployment of a complex NAT-based solution which is expensive, hard to maintain and requires a complex set of rules for load-balancing and redundancy.


Ihor Dvoretskyi

Jun 21, 2018, 2:35:19 PM
to Vadim Solovey, Kubernetes developer/contributor discussion
Vadim, great to hear!

At the same time, I'd encourage you to use https://discuss.kubernetes.io/ next time, which is the best resource in the Kubernetes community for similar announcements.

kubernetes-dev is the development-specific mailing list.

Thanks

--
You received this message because you are subscribed to the Google Groups "Kubernetes developer/contributor discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-dev+unsubscribe@googlegroups.com.
To post to this group, send email to kubernetes-dev@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-dev/5b887c42-fa36-4d57-95c5-9c79e68ce0ba%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Tim Hockin

Jun 21, 2018, 6:31:06 PM
to va...@doit-intl.com, Kubernetes developer/contributor discussion
This is pretty cool.  I really like this.


William Denniss

Jun 21, 2018, 9:16:36 PM
to Tim Hockin, Vadim Solovey, Kubernetes developer/contributor discussion
Very impressive work, Vadim. I gave it a try today, and everything pretty much worked as expected (and I've added some comments in the issue tracker). I can see a lot of people finding this useful to solve their IP whitelisting needs.

If node labels are added by kubeIP, it could also enable some static-IP HostPort use-cases for incoming connections.


Dhananjay Sathe

Jun 25, 2018, 4:06:30 AM
to Vadim Solovey, Kubernetes developer/contributor discussion
What specific 1.10 features are in use here? We have a 1.9.4-based cluster and would love to use something like this.
Given the use of a NAT gateway, does this also apply to all traffic from all nodes? In that case the incoming and outgoing IP will be different; is that likely to cause issues in some applications that rely on the inbound-outbound being the same?

Vadim Solovey

Jun 25, 2018, 4:34:47 AM
to dhananj...@gmail.com, kuberne...@googlegroups.com
As far as I see, no specific features of 1.10 are being used. However, we didn't test it with previous versions of K8s, hence the 10.x requirement. Feel free to deploy and test on your cluster and if everything works as expected, I'll update the requirements section.

kubeIP only works on a specific node-pool ('default-pool' by default), and the only thing it does is assign a static external IP to the node; therefore, the inbound-outbound IP will be the same.

-Vadim