Question

Is it possible to have a static outgoing ip in kubernetes

Posted February 5, 2020 2.8k views
Kubernetes

Some external services need to whitelist IP addresses to allow incoming requests. I need to consume a web service with this requirement from within my application, which runs as a K8S workload.

Is there any way in the DigitalOcean Kubernetes implementation to meet this need, i.e. to have requests coming from an HTTP client running in a pod use a fixed IP address for all requests?


1 answer

We currently do not have any service with which to control/monitor Kubernetes egress traffic, nor do we have a guaranteed IP range for a cluster that can be whitelisted. However, you do have options to implement this.

The first option would be to manually whitelist the specific node IPs and update them when new nodes are added/removed or current nodes are recycled. I would not recommend this, but it could work for testing/development.

The second option would be to set up and configure an external proxy service. Then, set the proxy variables in your DOKS deployments to use the configured proxy. After that is configured you only need to whitelist the proxy IP to allow your DOKS services through.

You can control egress traffic being denied/accepted within the cluster using NetworkPolicy objects, or by installing Istio. The documentation for those can be found here:
https://kubernetes.io/docs/concepts/services-networking/network-policies/
https://istio.io/docs/

  • Is something like this on the roadmap? I bumped into this with an external database that needed an IP CIDR to access it. I took a look at the links here but didn't understand what to do. Any thoughts?

    • It is something the team would like to do and we have a ticket on the backlog to address this but developer cycles have not been allocated for it.

      If this is a managed database on DO you can simply use our tags feature to add this cluster to the list of trusted sources.

      Otherwise, if I were to attempt this today, I would write a script that queries the DOKS API to retrieve the node IP addresses from /api/v1/nodes via a simple curl call. Having this run as a cron job would keep the current nodes updated.

      For example, this call would get you all the ExternalIPs of your nodes:

      > kubectl get nodes  -o jsonpath='{.items[*].status.addresses[?(@.type == "ExternalIP")].address}'
      178.163....
      

      Hope this helps!
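The reply above sketches a cron job that pulls node ExternalIPs and pushes them into an external allowlist. Below is an added example of the extraction and reconciliation half of that job; it is not code from the answer, from DigitalOcean, or from the questioner. It works on the JSON that `kubectl get nodes -o json` returns (the `/api/v1/nodes` NodeList), embedded here as a constructed sample so it runs offline; the one-CIDR-per-line allowlist format, the `previous` allowlist contents and the node names are assumptions. Unlike the one-line jsonpath, it tolerates a node that has no ExternalIP yet, validates every address, and reports what to remove as well as what to add, which matters because a recycled node's public IP can later be assigned to someone else's droplet.

```python
"""Reconcile an external allowlist with the cluster's node ExternalIPs.

Added example for this thread (not the answer's or DigitalOcean's code).
Input: the NodeList JSON from `kubectl get nodes -o json` / GET /api/v1/nodes.
Output: the /32 (or /128) entries to add to and remove from the allowlist.
"""
import ipaddress
import json
from typing import Iterable

# Constructed sample NodeList. Node "pool-c" deliberately has no ExternalIP
# yet (a freshly added node can look like this), which the extractor must
# tolerate instead of emitting an empty field into the allowlist.
SAMPLE_NODELIST = json.dumps({
    "kind": "NodeList",
    "items": [
        {"metadata": {"name": "pool-a"},
         "status": {"addresses": [
             {"type": "InternalIP", "address": "10.116.0.2"},
             {"type": "ExternalIP", "address": "203.0.113.10"},
             {"type": "Hostname", "address": "pool-a"}]}},
        {"metadata": {"name": "pool-b"},
         "status": {"addresses": [
             {"type": "InternalIP", "address": "10.116.0.3"},
             {"type": "ExternalIP", "address": "203.0.113.11"}]}},
        {"metadata": {"name": "pool-c"},
         "status": {"addresses": [
             {"type": "InternalIP", "address": "10.116.0.4"}]}},
    ],
})


def external_ips(nodelist_json: str) -> list[str]:
    """Return sorted, de-duplicated ExternalIP addresses from a NodeList.

    Same selection as the jsonpath in the thread, but each address is parsed
    with ipaddress (a malformed value raises ValueError rather than landing
    in the allowlist) and nodes without an ExternalIP are skipped.
    """
    doc = json.loads(nodelist_json)
    if doc.get("kind") != "NodeList":
        raise ValueError("expected a NodeList document")
    found = set()
    for node in doc.get("items", []):
        for addr in node.get("status", {}).get("addresses", []):
            if addr.get("type") == "ExternalIP":
                found.add(str(ipaddress.ip_address(addr["address"])))
    # Sort by family, then numerically, so output is stable across runs.
    return sorted(found, key=lambda a: (ipaddress.ip_address(a).version,
                                        ipaddress.ip_address(a)))


def to_cidrs(ips: Iterable[str]) -> list[str]:
    """Host routes only: /32 for IPv4, /128 for IPv6. Never widen to a range."""
    return [str(ipaddress.ip_network(ip)) for ip in ips]


def allowlist_diff(current: Iterable[str],
                   desired: Iterable[str]) -> tuple[list[str], list[str]]:
    """Return (to_add, to_remove) so the job only touches entries that changed.

    Removing stale entries is the security-relevant half: an IP from a
    recycled node is no longer yours, and leaving it allowlisted grants
    access to whoever receives it next.
    """
    cur, des = set(current), set(desired)
    return sorted(des - cur), sorted(cur - des)


if __name__ == "__main__":
    # In the real cron job, replace SAMPLE_NODELIST with the output of
    # subprocess.check_output(["kubectl", "get", "nodes", "-o", "json"]).
    previous = ["203.0.113.9/32", "203.0.113.10/32"]  # constructed: last run's allowlist
    wanted = to_cidrs(external_ips(SAMPLE_NODELIST))
    add, remove = allowlist_diff(previous, wanted)
    print("desired allowlist:", wanted)
    print("add:", add)
    print("remove:", remove)
```

How the add/remove lists are applied depends on the remote service (a managed database's trusted-sources API, a firewall rule, a vendor portal), so that step is left to the caller; the point of the diff is that the job is idempotent and that a node that disappears is removed from the allowlist on the next run rather than accumulating.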
