How can I get Egress Static IP per namespace within an EKS cluster

Solution 1:

Summary from the discussion on this topic for more visibility here:

There is a feature request created in GitHub, but no updates since March.

Calico Enterprise would solve for this specific use case by assigning an IP to the namespace as described in their integration for Kubernetes here:

Egress Gateway defines a static egress IP for SNAT on traffic leaving the cluster and applies it to a specific namespace. Then it designates one pod in a namespace as the egress pod and assigns a routable IP which is used specifically for egress traffic leaving the cluster.

But in practice, the Egress Gateway pod is not AWS VPC aware, hence it cannot assign EIPs to Egress pods. When the traffic exits the gateway pods, it assumes the IP of the Node itself as the source IP.

many different EKS nodes in private subnets...

EIP does not work in a private subnet. If you have worker nodes designated in a public subnet, you can use an EIP and a reverse proxy on these publicly accessible nodes to expose services in the private network. You can then use Calico Egress Gateway on these public nodes for the reverse proxy pods, which in turn use the underlying EIP.