Question

DOKS Egress gateway or guaranteed IP ranges?

Hey folks,

I have a DOKS cluster set up with multiple node pools and I am trying to figure out the best way to empower my customers to enable IP allowlist for my DOKS cluster.

Context: I have a bunch of workers running within my DOKS cluster that will try to access customer’s databases hosted on AWS, GCP, DigitalOcean, etc…

I would like to give them a set of IPs or CIDR ranges that they can turn on to enable me to access their network.

My current challenges: I have been sent to set up an Egress Gateway via Crossplane with DigitalOcean CRD (https://github.com/digitalocean/container-blueprints/tree/main/DOKS-Egress-Gateway).

This works fine, but I have a couple questions: (1) Does the StaticRoute CRD support multiple gateways with overlapping destinations ranges? (https://github.com/digitalocean/k8s-staticroute-operator) I have submitted an issue to the GitHub repo as well.

(2) Instead of specifying “destinations”, is there a way to specify exclude this destination range? That way, I can exclude DigitalOcean REST APIs and K8 private IPs. It will also save me from having to input 10k+ CIDR blocks (AWS has 7.5k IPv4 CIDR ranges).

I would love to hear if anyone has a better way to achieve my use case and/or have answers for above.

Thanks in advance, Robin.

Submit an answer


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up