istio egressgateway: routing through a static IP

8/8/2018

I am trying to route outbound traffic from an application in my GKE cluster through a static IP, as the destination server requires IP whitelisting for access. I have been able to do this using the terraformed NAT gateway, but this impacts all traffic from the cluster.

Following the istio guide on the site, I've been able to route traffic through an egressgateway pod (I can see it in the gateway logs), but I need the gateway to have a static ip, and there is no override in the helm values for egressgateway static ip.

How can I assign a static ip to the egressgateway without having to patch anything or hack it after installing istio?

-- Blender Fox
google-kubernetes-engine
istio
kubernetes
routing

3 Answers

8/8/2018

I'm also currently facing your problem. I have asked about it via GCP Support; they said there is currently no mechanism to attach a certain IP to the Egress Gateway.

So the other solution would be to patch Istio itself. The idea is to make the Istio Egress Gateway pods (see the related deployment via kubectl get deployment istio-egressgateway -n istio-system) get deployed on certain nodes, be it:

  • a dedicated VM with a static IP (you have to extend the mesh by including this VM, which I don't really know how to do right now)
  • a different GKE cluster just for istio-egressgateway pods, then connect it to the NAT gateway and only apply the compute route rule on that GKE cluster to the NAT instance. You have to enable Istio multicluster (see: https://istio.io/docs/examples/multicluster/gke/)

Note: you can always make a different Istio Egress Gateway other than the default one, just for your purpose.

-- Agung Pratama
Source: StackOverflow

8/8/2018

I think of your problem as having three steps. First, to fix the outgoing traffic to a particular pod. The istio egress gateway does this for you. Second and third, to fix the pod to a particular IP address.

If you use GCP's version of floating IP addresses, then you can assign a known IP to one of the hosts in your cluster. Then, use node affinity on the egress-gateway to schedule it to the particular host, https://kubernetes.io/docs/concepts/configuration/assign-pod-node/

I've edited the egress deployment in one of my test clusters to:

    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
      - matchExpressions:
        - key: beta.kubernetes.io/arch
          operator: In
          values:
          - amd64
          - ppc64le
          - s390x
        - key: kubernetes.io/hostname
          operator: In
          values:
          - worker-2720002

to pin it by the hostname label, but you'll probably want to choose and apply a new label to the node when you assign it a floating IP. In my test, the pod is moved to the specified node, and my outgoing egress traffic does too.

-- fraznen
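A worked version of the node-affinity approach from this answer, added here as an example and not taken from the answer or from Istio's Helm charts: it pins the istio-egressgateway Deployment (in istio-system, as named in the first answer) to nodes carrying a dedicated label instead of a hostname. The label name egress-static-ip and the node name are assumptions, as is the premise that traffic leaving the node is SNATed to that node's external address, which is what makes the reserved IP the one the destination sees.

```yaml
# Step 1 (once, after the reserved static IP is attached to the chosen node).
# "egress-static-ip" is a label name chosen for this example, not an Istio one;
# <node-with-static-ip> is a placeholder for your node:
#   kubectl label node <node-with-static-ip> egress-static-ip=true
#
# Step 2: strategic-merge this into the gateway Deployment so every replica is
# scheduled only on labelled nodes:
#   kubectl -n istio-system patch deployment istio-egressgateway \
#     -p "$(cat egress-affinity.yaml)"
#
# Caveat: the affinity is "required", so if no node carries the label the
# gateway pods stay Pending (and egress traffic through the gateway stops).
# Label the node before patching, and keep a second labelled node if you
# need the gateway to survive a node rotation.
spec:
  template:
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: egress-static-ip
                operator: In
                values:
                - "true"
# Step 3: confirm where the pods landed and that the NODE column matches the
# node holding the reserved IP:
#   kubectl -n istio-system get pods -o wide | grep egressgateway
```

Re-labelling a different node and rolling the Deployment moves the gateway, and therefore the source IP the destination sees, without touching any other workload's egress path.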

11/5/2018

This problem can be solved (with considerable effort) by using the new Google NAT as a service tool. However, it is a Google-specific service.

-- Blender Fox