Kubernetes - External Connection through single IP

networking kubernetes google-cloud-platform google-kubernetes-engine

I need to find a way to have 1 IP that is used by all pods everytime they need to connect to the "outside world".

FULL VERSION:

I'm trying to integrate my application with a Payments Gateway service. However, this service needs to whitelist my servers IP, refusing all other connections for security.

Now, I'm running a GKE (3, actually) cluster with Kubernetes 1.5.2. In this cluster I have around 30 pods and I need 1 in specific to route it's Internet directed traffic through a static, predicatable IP address.

Right now, I have to give a list of my cluster instances external IPs to be whitelisted but this is a problem.

The cluster is setup to autoscale up to 5 instances and also all these instances have an ephemeral IP and 1 - I DON'T want to be forced into turning all these into static IPs. 2 - I also DON'T want to be forced to expose that particular pod through an external endpoint making it available for Internet-to-cluster directed connections.

Is there any way I can say/configure:

- This pod forwards all it's Internet directed connections through X endpoint?
  Obviously, this should be something easy to configure to work with 1 pod
or with all of them I so desired.

What's the correct course of action here? How can I achieve this?

I've referenced this SO question and the Source IP docs on Kubernetes as well as this instructions on how to setup a NAT Gateway (which, given the flexible cluster config, I don't think would work)


The only way that is doable, is a NAT gateway.

I assume you are using a kind of HTTP API (REST API) and that needs TCP. TCP needs to finish a handshake so you need to know which node sent the packets to find the way back. That is why NAT is needed.

The instructions you found about how to setup a NAT Gatway should work. You just need to tell your containers to use the NAT instance as gateway.


This is not possible yet on GCP. Although it is a bit hacky, my recommendation is to setup an http proxy on a non GKE instance with a static IP address. Then when you use the payments gateway, use the http proxy so you are hitting it from the correct IP address.

Make sure the IP address is NOT ephemeral.

Make an image of your proxy VM. If it goes down, you can bring up a node in any zone in the same region to act as the proxy. You can also move the IP address between instances although that will kill current connections so you should make sure your code will retry on failure. Of course, you should always make sure your code will retry on failure.

Related

Apache access log \x80w\x01\x03\x01
Enough memory but OOM killer invoked?
Ethernet Loopback plug - running a ping
Any clever way to put a password in an SSH key?
How to permanently redirect port 8080 URL to port 80 using nginx
Linux qos: tc DRR qdisc does not work
It is fair to jail my SFTP users to their home directory?
UPS with a HP Proliant server
Is there any way for me to run my own instance of a Google Wave server?
Reducing the verbosity of auditd, my minimal rules catch stuff they should not (apparmor)
Selinux - centos - missing /etc/selinux/config
Dynamically setting a new test interval for Nagios checks