Get a static outgoing IP on GKE


mario...@gmail.com

Jan 12, 2017, 5:47:42 PM
to Kubernetes user discussion and Q&A
Hi, we have to access some resource that uses an IP whitelist (plus authentication and SSL) in real time.

So we need outgoing traffic from our K8s cluster to always have the same IP. This way we add this IP to the whitelist and we can access the resources.

I found tons of information about how to set up incoming traffic but almost nothing for outgoing.

The only thing I found was to set up a Compute Engine instance (that seems like it can have a static outgoing IP) to route traffic through, but is it going to become a single point of failure?

Any ideas?

Tim Hockin

Jan 12, 2017, 8:25:20 PM
to kubernet...@googlegroups.com
Unfortunately that is the only real answer today, as far as I know.
We do not have an egress NAT.

mario...@gmail.com

Jan 13, 2017, 4:39:59 AM
to Kubernetes user discussion and Q&A
Thank you for confirming. I understand the complexity involved in K8s development, but I was hoping for a good fix.

Thank you again

wiktor....@gmail.com

Jan 17, 2017, 5:35:10 PM
to Kubernetes user discussion and Q&A, mario...@gmail.com

Hi Mario,

I've been using a VM instance with a static external IP to solve the same problem (access an external resource from a whitelisted IP) and it's been working fine for 3 months now. I do see occasional restarts of my job though.

HTH

Wiktor
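The static-IP VM approach Mario asks about and Wiktor reports using, written out as an added example (not code from anyone in this thread): reserve an external address, build a NAT instance that masquerades forwarded traffic, and add a tagged route so only the GKE nodes use it. Project, region, zone, network and tag names are assumptions; commands are printed rather than executed unless APPLY=1 is set.

```shell
# Added example, not code from this thread: stand up a Compute Engine NAT
# instance holding a reserved static external IP and steer tagged GKE nodes
# through it (the approach Mario and Wiktor describe). Project, region, zone,
# network and tag names are assumptions. Commands are only printed unless
# APPLY=1 is set, so the plan can be reviewed before anything is created.
set -eu
PROJECT="${PROJECT:-my-project}"        # assumed project id
REGION="${REGION:-us-central1}"         # region for the reserved address
ZONE="${ZONE:-us-central1-a}"           # zone for the NAT VM
NETWORK="${NETWORK:-default}"           # VPC the GKE nodes attach to
NODE_TAG="${NODE_TAG:-gke-egress-nat}"  # network tag carried by the node pool
NAT_NAME="${NAT_NAME:-egress-nat}"

# Print the command in dry-run mode, execute it when APPLY=1.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s ' "$@"; printf '\n'; fi
}

# Startup script for the NAT VM: forward packets and masquerade them out of
# the primary interface so they leave with the VM's static external IP.
nat_startup_script() {
  printf '%s\n' '#!/bin/sh' \
    'sysctl -w net.ipv4.ip_forward=1' \
    'iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE'
}

reserve_ip_cmd() {
  run gcloud compute addresses create "$NAT_NAME-ip" \
    --project "$PROJECT" --region "$REGION"
}

create_nat_cmd() {
  run gcloud compute instances create "$NAT_NAME" \
    --project "$PROJECT" --zone "$ZONE" --network "$NETWORK" \
    --can-ip-forward --address "$NAT_NAME-ip" \
    --metadata "startup-script=$(nat_startup_script)"
}

# Priority 800 beats the default route (1000) but only for tagged nodes,
# so the rest of the VPC keeps its normal egress path.
create_route_cmd() {
  run gcloud compute routes create "$NAT_NAME-route" \
    --project "$PROJECT" --network "$NETWORK" \
    --destination-range 0.0.0.0/0 --priority 800 --tags "$NODE_TAG" \
    --next-hop-instance "$NAT_NAME" --next-hop-instance-zone "$ZONE"
}

reserve_ip_cmd && create_nat_cmd && create_route_cmd
```

The node pool must carry NODE_TAG and the VPC firewall must let the nodes reach the NAT VM. The VM stays a single point of failure, as Mario notes, so monitor it and keep its creation scripted for quick rebuilds.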

hwi...@gmail.com

May 8, 2017, 3:14:19 PM
to Kubernetes user discussion and Q&A
On Friday, 13 January 2017 02:25:20 UTC+1, Tim Hockin wrote:

> Unfortunately that is the only real answer today, as far as I know.
> We do not have an egress NAT.

Hi Tim, do you speak for GKE or for Kubernetes in general?

Tim Hockin

May 8, 2017, 5:40:20 PM
to kubernet...@googlegroups.com
GKE / Google Cloud in this regard. I can't say for sure what other
clouds offer.

It should be possible to run an HTTP Proxy or other app-specific
proxy, which can get you a long way towards this.

Paris, Eric

May 8, 2017, 10:47:42 PM
to kubernet...@googlegroups.com
OpenShift (the kubernetes++ platform from Red Hat) has an outgoing egress NAT proxy that works for some people.


describes what we built. It works on any cloud or on bare metal, but requires 3 difficult things.
1. OpenShift (not just straight kube, so that rules out GKE)
2. the admin to set up a bunch of networking stuff outside of kube/openshift (also might rule out GKE)
3. its use to be very limited (very few sources and sinks)

#1 and #2 you might be able to overcome with some custom hacking on GCE.

We definitely have learned a bunch of lessons with this flawed implementation. We know many people want 'per namespace' reliable source addresses. Doing per namespace per dest/port is too limiting. We know people want https to work. I'm sure there are many other things we can point out we didn't do particularly well once/if kube decides to tackle this problem.

I think we have more valuable areas to attack right now in kube but if others in the community start working towards a more generic set of egress controls we can certainly find all sorts of new mistakes to make together!

-Eric
