Google Cloud: Public GKE cluster's egress traffic via Cloud NAT for IP whitelisting
In my previous post on GKE outbound traffic, I discussed how to reroute the egress traffic of a public GKE cluster through Compute Engine NAT instances so that third-party systems can whitelist a fixed IP address. That solution is described in detail in the post linked below.
Google cloud -public GKE cluster egress traffic via static ip addresses for ip whitelisting
In this post we will see how to reroute the GKE egress traffic through Cloud NAT instead.
Masquerading in GKE
We will use a DaemonSet in GKE (the ip-masq-agent) that rewrites the iptables rules on every GKE node so that outbound pod traffic is no longer masqueraded.
By default the node SNATs a pod's outbound traffic to the node's own external IP address before it leaves the VM. With masquerading disabled, the connection leaves the node with the pod's internal (alias) IP address, and Cloud NAT translates it to the NAT gateway's external IP address. This is the crucial point for a public cluster: Cloud NAT never applies to traffic sourced from a node's primary internal IP, because the node has its own external IP, so only pod traffic that is not masqueraded can leave through the NAT gateway's address.
Using an IP masquerade agent | Kubernetes Engine Documentation
Create a Cloud NAT gateway: select the VPC network in which the public GKE cluster is deployed, create a new Cloud Router for it, and map the NAT to all of the subnet's IP ranges, both primary and secondary (the pod range is a secondary range, and it is the range that will actually use the gateway). For the gateway's external address, choose manual allocation and reserve a static IP address rather than letting Cloud NAT allocate one automatically; an automatically allocated address can change, and the reserved address is the one you hand to the third-party vendor for whitelisting your incoming connections.
Then create the ConfigMap from the agent's config file (the list of nonMasqueradeCIDRs) and deploy the ip-masq-agent DaemonSet:
kubectl create configmap ip-masq-agent --from-file config --namespace kube-system
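The following script is an added example, not code from the original post, that strings the whole procedure together: it covers both the masquerade explanation above and the Cloud NAT setup steps. The project, region, VPC, router, NAT and address names are placeholder assumptions, the ip-masq-agent config with nonMasqueradeCIDRs set to 0.0.0.0/0 is the setting that disables masquerading for every destination (assumed to be what you want when Cloud NAT handles all pod egress), and the external "what is my IP" endpoint used for verification is an assumption too. The gcloud flags used (--nat-all-subnet-ip-ranges, --nat-external-ip-pool) are the real ones for mapping all subnet ranges and attaching reserved addresses.

```shell
#!/bin/sh
# Added example (not from the original post): route public-GKE pod egress through
# Cloud NAT with a reserved static IP, then verify the address a pod egresses from.
# All names below are placeholders; override them via the environment.
set -eu

PROJECT="${PROJECT:-my-project}"          # assumption: your GCP project id
REGION="${REGION:-us-central1}"           # assumption: cluster region
VPC="${VPC:-gke-vpc}"                     # assumption: VPC of the public GKE cluster
ROUTER="${ROUTER:-gke-nat-router}"
NAT="${NAT:-gke-nat}"
NAT_IP_NAME="${NAT_IP_NAME:-gke-nat-ip}"  # the reserved address handed to the vendor

# 1. Reserve a static external IP so the NAT address never changes behind the
#    vendor's whitelist. Prints the reserved address.
reserve_nat_ip() {
  gcloud compute addresses create "$NAT_IP_NAME" --region "$REGION" --project "$PROJECT"
  gcloud compute addresses describe "$NAT_IP_NAME" --region "$REGION" --project "$PROJECT" \
    --format='value(address)'
}

# 2. Cloud Router plus Cloud NAT mapped to ALL subnet ranges, primary and secondary.
#    Only the secondary (pod) range will really use it: nodes in a public cluster
#    keep their own external IPs and Cloud NAT never applies to node-sourced traffic.
create_cloud_nat() {
  gcloud compute routers create "$ROUTER" --network "$VPC" --region "$REGION" --project "$PROJECT"
  gcloud compute routers nats create "$NAT" --router "$ROUTER" --region "$REGION" --project "$PROJECT" \
    --nat-all-subnet-ip-ranges \
    --nat-external-ip-pool "$NAT_IP_NAME"
}

# 3. ip-masq-agent config. 0.0.0.0/0 in nonMasqueradeCIDRs means no destination is
#    masqueraded to the node IP, so every pod connection leaves with its pod (alias)
#    IP and is translated by Cloud NAT instead of by the node. (Assumed setting.)
masq_config() {
  cat <<'EOF'
nonMasqueradeCIDRs:
  - 0.0.0.0/0
resyncInterval: 60s
EOF
}

# The file must be named "config": that is the key the agent reads from the ConfigMap.
install_masq_config() {
  dir="$(mktemp -d)"
  masq_config > "$dir/config"
  kubectl create configmap ip-masq-agent --from-file "$dir/config" --namespace kube-system \
    --dry-run=client -o yaml | kubectl apply -f -
  rm -rf "$dir"
}

# 4. Verification from inside the cluster: the address an external service sees
#    must be the reserved NAT IP, not a node's ephemeral external IP.
#    Assumption: https://ifconfig.me is reachable and echoes the client address.
observed_egress_ip() {
  kubectl run egress-check --rm -i --restart=Never --image=curlimages/curl -- \
    -s https://ifconfig.me
}

# Pure comparison kept separate so the check itself can be exercised offline.
egress_matches() {  # $1 = expected NAT IP, $2 = observed IP
  [ "$1" = "$2" ]
}

main() {
  nat_ip="$(reserve_nat_ip)"
  create_cloud_nat
  install_masq_config
  seen="$(observed_egress_ip)"
  if egress_matches "$nat_ip" "$seen"; then
    echo "OK: pod egress leaves via $nat_ip"
  else
    echo "MISMATCH: pod egressed from $seen, expected $nat_ip (node IP still masquerading?)" >&2
    return 1
  fi
}

# Only touch real infrastructure when explicitly asked: ./gke-cloud-nat.sh apply
if [ "${1:-}" = "apply" ]; then main; fi
```

The ip-masq-agent DaemonSet itself is the one from the GKE documentation linked above; the script only supplies its ConfigMap. If the verification step still reports a node's external IP, the usual causes are a ConfigMap that the agent has not yet resynced, a NAT that was not mapped to the pod secondary range, or the agent DaemonSet not running on the node the check pod landed on.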