After GKE master upgrade, outgoing traffic on IPSec tunnel comes from pod IP range instead of node IP range

3/24/2020

A peculiar issue just hit us after upgrading the master on one of our GKE clusters.

We have, in the same network, a bunch of IPSec tunnels set up. Before, the IPs of outgoing requests would be in the 10.164.0.0/16 range - which is the IP range of the nodes.

After the update, all outgoing traffic is suddenly in the 10.56.0.0/14 range, which is the IP range of our pods.

Since several external suppliers have their firewalls set up for specifically 10.164.0.0/16, this is extremely disruptive.

Is there any way to revert this back to using node IPs for outgoing traffic, instead of pod IPs?

-- Gerard
google-kubernetes-engine

1 Answer

3/27/2020

I resolved this thanks to the remark left in the first comment on my question.

It turned out that between 1.14 and 1.15, either the default behaviour of ip-masq-agent changed, or the whole thing was uninstalled.

After installing and configuring ip-masq-agent according to this site - https://cloud.google.com/kubernetes-engine/docs/how-to/ip-masquerade-agent - everything went back to normal.

Specifically, I had to take the default config and omit the one IP range that was problematic on the other end of the IPSec tunnel.

-- Gerard
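To make the fix concrete, here is an added example (not code from Gerard's post or from the ip-masq-agent project) that models what the agent does: each `nonMasqueradeCIDRs` entry becomes an iptables RETURN rule, and everything else is MASQUERADEd to the node IP, so a destination that falls inside one of those entries is reached with the pod source IP. The pod and node ranges are the ones quoted in the question; the supplier range `10.200.0.0/16` and the sample pod and node IPs are constructed for the example. The default list is the one shown on the GKE ip-masq-agent page linked above; check it against the current page before relying on it. The example also goes one step beyond the answer: instead of dropping the whole `10.0.0.0/8` entry, it carves the supplier range out of it so that the cluster's own pod and node ranges stay unmasqueraded.

```python
"""Model ip-masq-agent's masquerade decision and generate its ConfigMap.

Added example for illustration; not code from the original post or from
the ip-masq-agent project.
"""
import ipaddress
import json

# Ranges quoted in the question.
POD_CIDR = ipaddress.ip_network("10.56.0.0/14")
NODE_CIDR = ipaddress.ip_network("10.164.0.0/16")

# Constructed for this example: the supplier network on the far side of
# the IPSec tunnel, and one pod / one node address inside the cluster.
SUPPLIER_CIDR = "10.200.0.0/16"
SAMPLE_POD_IP = "10.56.3.7"
SAMPLE_NODE_IP = "10.164.0.12"

# Default nonMasqueradeCIDRs as listed on the GKE ip-masq-agent docs page
# (RFC 1918 plus reserved ranges). Verify against the current page.
DEFAULT_NON_MASQ = [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4",
]


def masqueraded(dst, non_masq_cidrs):
    """True if the agent would SNAT traffic to dst to the node IP.

    Mirrors the agent's chain: one RETURN rule per nonMasqueradeCIDRs
    entry, then a final MASQUERADE for everything that fell through.
    """
    addr = ipaddress.ip_address(dst)
    return not any(addr in ipaddress.ip_network(c) for c in non_masq_cidrs)


def source_seen_by_peer(dst, non_masq_cidrs,
                        pod_ip=SAMPLE_POD_IP, node_ip=SAMPLE_NODE_IP):
    """Source IP the remote firewall sees for a pod connection to dst."""
    return node_ip if masqueraded(dst, non_masq_cidrs) else pod_ip


def unmasqueraded_overlaps(remote_cidr, non_masq_cidrs):
    """Entries that overlap remote_cidr, i.e. destinations the peer would
    see with pod source IPs. Empty list means the remote is fully SNATed."""
    remote = ipaddress.ip_network(remote_cidr)
    return [c for c in non_masq_cidrs
            if ipaddress.ip_network(c).overlaps(remote)]


def carve_out(non_masq_cidrs, remote_cidr):
    """Return a copy of the list with remote_cidr removed.

    An entry fully inside remote_cidr is dropped; an entry that contains
    remote_cidr is split into the pieces that remain, so every other
    address it covered (the cluster's own ranges included) stays
    unmasqueraded.
    """
    remote = ipaddress.ip_network(remote_cidr)
    result = []
    for c in non_masq_cidrs:
        net = ipaddress.ip_network(c)
        if net.subnet_of(remote):
            continue  # swallowed entirely by the carve-out
        if remote.subnet_of(net):
            result.extend(str(n) for n in sorted(net.address_exclude(remote)))
        else:
            result.append(c)
    return result


def render_configmap(non_masq_cidrs):
    """YAML for the kube-system/ip-masq-agent ConfigMap the agent reads.

    The config value is emitted as JSON, which the agent's YAML parser
    accepts; keys match the documented config format.
    """
    config = {
        "nonMasqueradeCIDRs": non_masq_cidrs,
        "masqLinkLocal": False,
        "resyncInterval": "60s",
    }
    body = "\n".join("    " + line
                     for line in json.dumps(config, indent=2).splitlines())
    return ("apiVersion: v1\nkind: ConfigMap\nmetadata:\n"
            "  name: ip-masq-agent\n  namespace: kube-system\n"
            "data:\n  config: |\n" + body + "\n")


FIXED_NON_MASQ = carve_out(DEFAULT_NON_MASQ, SUPPLIER_CIDR)

if __name__ == "__main__":
    dst = "10.200.5.5"
    print("default config, peer sees:", source_seen_by_peer(dst, DEFAULT_NON_MASQ))
    print("fixed config,   peer sees:", source_seen_by_peer(dst, FIXED_NON_MASQ))
    print("overlaps left:", unmasqueraded_overlaps(SUPPLIER_CIDR, FIXED_NON_MASQ))
    print(render_configmap(FIXED_NON_MASQ))
```

Apply the rendered ConfigMap with `kubectl apply -f` and let the agent pick it up on its next resync. Before changing anything, `kubectl get ds ip-masq-agent -n kube-system` tells you whether the agent is deployed at all, which the answer suggests was the real difference between 1.14 and 1.15; the linked GKE page lists the conditions under which it is installed automatically. Once the DaemonSet is running, `unmasqueraded_overlaps` is the check to run against every remote range your tunnel peers filter on: any non-empty result means the peer will still see pod addresses for part of that range.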
Source: StackOverflow