Question

Is it possible to have a static outgoing IP in Kubernetes?

Some external services need to whitelist IP addresses to allow incoming requests. I need to consume a web service with this requirement within my application running as a K8S workload.

Is there any way in the DigitalOcean Kubernetes implementation to meet this need, i.e. to have requests coming from an HTTP client running in a pod use a fixed IP address for all requests?


This is becoming quite urgent as of now; I will try hacking up a solution by using https://github.com/mwthink/digitalocean-floating-ip-controller, InitControllers and https://github.com/nirmata/kube-static-egress-ip, but it looks like a long road to take. As of now, DO’s Kubernetes is unusable for anything involving sending/receiving e-mail and communicating to third parties with IP address whitelisting.

It is also urgent for us. We have a couple of k8s clusters in DO. A few days ago we faced an issue related to a few blacklisted IP addresses from DO: https://www.spamhaus.org/sbl/listings/digitalocean.com. So when upgrading the K8S cluster you might get a new compromised IP address (!). There is no rollback of the upgrade operation to get the old IP addresses back. So after the new cluster is rolled out, you might be really surprised…

No well-known K8S cluster has that limitation, e.g. AKS, GKE, EKS.

So our workaround at the moment is not upgrading the clusters :(.

We currently do not have any service with which to control/monitor Kubernetes egress traffic, nor do we have a guaranteed IP range for a cluster that can be whitelisted. However, you do have options to implement this.

The first option would be to manually whitelist the specific nodes' IPs and update them when new nodes are added/removed or current nodes are recycled. I would not recommend this, but it could work for testing/development.

The second option would be to set up and configure an external proxy service. Then, set the proxy variables in your DOKS deployments to use the configured proxy. After that is configured, you only need to whitelist the proxy IP to allow your DOKS services through.

You can control egress traffic being denied/accepted within the cluster using NetworkPolicy objects, or by installing Istio. The documentation for those can be found here: https://kubernetes.io/docs/concepts/services-networking/network-policies/ and https://istio.io/docs/
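
A sketch of the proxy option combined with an egress NetworkPolicy, added here as an illustration and not part of the answer above or of any DigitalOcean documentation. The workload name, image, proxy address `203.0.113.10` and port `3128` are placeholders, and the cluster's network plugin is assumed to enforce NetworkPolicy.

```yaml
# Constructed example: names, image, proxy address and port are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: partner-client            # hypothetical workload
spec:
  replicas: 2
  selector:
    matchLabels:
      app: partner-client
  template:
    metadata:
      labels:
        app: partner-client
    spec:
      containers:
        - name: app
          image: registry.example.com/partner-client:1.0   # placeholder image
          env:
            # Read by most HTTP client libraries by convention, not by Kubernetes.
            - name: HTTP_PROXY
              value: "http://203.0.113.10:3128"
            - name: HTTPS_PROXY
              value: "http://203.0.113.10:3128"
            - name: NO_PROXY
              value: "localhost,127.0.0.1"
---
# Egress allow-list: these pods may reach only in-cluster DNS and the proxy,
# so a client that ignores the proxy variables fails closed instead of
# leaving the cluster from a node IP the third party has not whitelisted.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: partner-client-egress
spec:
  podSelector:
    matchLabels:
      app: partner-client
  policyTypes: ["Egress"]
  egress:
    - to:
        - namespaceSelector: {}   # DNS to in-cluster resolvers only
      ports:
        - { protocol: UDP, port: 53 }
        - { protocol: TCP, port: 53 }
    - to:
        - ipBlock:
            cidr: 203.0.113.10/32 # the proxy's fixed public IP (placeholder)
      ports:
        - { protocol: TCP, port: 3128 }
```

The proxy itself should accept connections only from the cluster's nodes and require authentication, since its IP is what the third party trusts.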