Having set up a Kubernetes cluster with Calico for one-IP-per-pod networking, I'm wondering what the best practice is to expose services to the outside world.
IMHO I've got two options here: BGP'ing the internal pod IPs (172...) to an edge router/firewall (VyOS in my case) and doing SNAT on the firewall/router. But then I'd need one public IP per pod to expose.
Pro: fewer public IPs need to be used. Con: pod changes need updated firewall rules?!
Or second: taking the provided public network and handing it over to Calico as an IP pool to be used for the pods. Con: lots of public IPs wasted on internal services which won't get exposed to the internet.
Hope someone could enlighten me or point me in the right direction.
Thanks!
Calico is not responsible for the k8s service IP management or for translating service IPs to containers (workload endpoints). It allocates IP addresses to the newly created pods and does the necessary system config changes to implement the Calico policies.
Calico doesn't provide any special way to expose services in Kubernetes. You should use standard Kubernetes services, node ports and the like to expose your services. In the future, there's a possibility that Calico will offer some of the features that kube-proxy currently does for Kubernetes (such as exposing service IPs) but right now, Calico fits in at the low-level networking API layer only. Calico's real strength in the Kubernetes integration is the ability to define network security policy using the new Kubernetes NetworkPolicy API.
Source: I'm one of Calico's core developers.
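As an added example (not part of the original thread and not Calico's own code), the following manifests show the "standard Kubernetes" route the answer recommends: a NodePort Service publishes the app on every node, and NetworkPolicy objects (which Calico enforces) keep everything else in the namespace closed. The namespace, names, labels, image, ports and NodePort number are assumptions chosen for this example.

```yaml
# Added example, not from the original thread. Namespace, names, labels,
# image, ports and the NodePort value are assumptions.
apiVersion: v1
kind: Namespace
metadata:
  name: web
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: frontend
  namespace: web
spec:
  replicas: 2
  selector:
    matchLabels:
      app: frontend
  template:
    metadata:
      labels:
        app: frontend
    spec:
      containers:
        - name: frontend
          image: nginx:1.25        # placeholder image for the example
          ports:
            - containerPort: 80
---
# A stable virtual IP inside the cluster plus a fixed port on every node;
# kube-proxy DNATs <node-ip>:30080 to a healthy frontend pod. Upstream
# firewall/NAT rules reference node IPs and the NodePort only, so pod IP
# churn (the "Con" raised in the question) never requires a rule change.
apiVersion: v1
kind: Service
metadata:
  name: frontend
  namespace: web
spec:
  type: NodePort
  selector:
    app: frontend
  ports:
    - port: 80
      targetPort: 80
      nodePort: 30080
  # "Local" preserves the real client source IP (no SNAT to the node IP), so
  # the ipBlock rule below and application logs see the actual client. The
  # trade-off: only nodes that run a frontend pod answer on port 30080.
  externalTrafficPolicy: Local
---
# Default deny: pods in this namespace that are not explicitly opened stay
# unreachable even though Calico/BGP gives them routable addresses.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: web
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# Open only the frontend pods, only on TCP/80, to the ranges that may reach
# the published service (0.0.0.0/0 here because it is a public service;
# narrow the cidr for an internal-only service).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-ingress
  namespace: web
spec:
  podSelector:
    matchLabels:
      app: frontend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - protocol: TCP
          port: 80
```

Apply with `kubectl apply -f` and the service is reachable at `<node-ip>:30080` on any node running a frontend pod; the edge router or firewall (VyOS in the question) then DNATs one public IP to node IPs and port 30080 rather than to individual pod IPs. Note that the NetworkPolicy is evaluated on the packet's source address as it arrives at the pod, so with the default `externalTrafficPolicy: Cluster` the source would already be SNATed to a node IP and a narrow `ipBlock` would not match the real client; `Local` avoids that.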