Question
DOKS Egress gateway or guaranteed IP ranges?
- Posted on April 14, 2023
- InfrastructureKubernetesNetworkingDigitalOcean Managed Kubernetes
Asked by Robin Tang
Hey folks,
I have a DOKS cluster set up with multiple node pools and I am trying to figure out the best way to empower my customers to enable IP allowlist for my DOKS cluster.
Context: I have a bunch of workers running within my DOKS cluster that will try to access customer’s databases hosted on AWS, GCP, DigitalOcean, etc…
I would like to give them a set of IPs or CIDR ranges that they can turn on to enable me to access their network.
My current challenges: I have been sent to set up an Egress Gateway via Crossplane with DigitalOcean CRD (https://github.com/digitalocean/container-blueprints/tree/main/DOKS-Egress-Gateway).
This works fine, but I have a couple questions: (1) Does the StaticRoute CRD support multiple gateways with overlapping destinations ranges? (https://github.com/digitalocean/k8s-staticroute-operator) I have submitted an issue to the GitHub repo as well.
(2) Instead of specifying “destinations”, is there a way to specify exclude this destination range? That way, I can exclude DigitalOcean REST APIs and K8 private IPs. It will also save me from having to input 10k+ CIDR blocks (AWS has 7.5k IPv4 CIDR ranges).
I would love to hear if anyone has a better way to achieve my use case and/or have answers for above.
Thanks in advance, Robin.
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Hollie's Hub for Good
Working on improving health and education, reducing inequality, and spurring economic growth? We’d like to help.
