Cluster external networking

Egress - Cluster to the Internet

  • Pods and Nodes have access to the internet over IP unless restricted by a NetworkPolicy.
  • The default MetaKube security group does not restrict any outgoing traffic.

Source IP

Since the Pod network is not internet routable, outgoing packets are masqueraded (SNAT) along the way. Where this happens depends on whether the Node's port has a floating IP associated with it.

  1. Node has an associated floating IP

    The packets' source IP gets masqueraded to the Node's floating IP address.

  2. Node has no floating IP

    The packets get NATed at the network's router.

    You can find out the router's external IP address by looking at the router:

    openstack router show metakube-<cluster id>

    Info

    All packets coming from your cluster through the router will have the same source IP. This may be a problem when the endpoint host enforces any kind of IP-based rate limiting, e.g. Docker Hub.

Tip

To find out the egress source IP from within the cluster, you may request ip.syseleven.de from a Pod, e.g. GET ip.syseleven.de.
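The decision described above (floating IP on the Node's port, otherwise the router's external gateway address), as an added example that is not part of the original page. It works on constructed samples shaped like the JSON output of `openstack floating ip list -f json` and `openstack router show metakube-<cluster id> -f json`; the addresses, port ids and cluster id are placeholders.

```python
import ipaddress
import json

# Constructed sample of `openstack router show metakube-<cluster id> -f json`.
# The field layout follows Neutron's router resource; the values are made up.
ROUTER_JSON = json.dumps({
    "name": "metakube-<cluster id>",
    "external_gateway_info": {
        "enable_snat": True,
        "external_fixed_ips": [{"ip_address": "203.0.113.10"}],
    },
})

# Constructed sample of `openstack floating ip list -f json`: only the port
# of the first Node has a floating IP associated with it.
FLOATING_IPS_JSON = json.dumps([
    {"Floating IP Address": "198.51.100.7", "Fixed IP Address": "10.0.0.11",
     "Port": "port-node-1"},
    {"Floating IP Address": "198.51.100.8", "Fixed IP Address": None,
     "Port": None},
])


def router_snat_ip(router_json: str) -> str:
    """Return the external gateway IP the router uses for SNAT."""
    gw = json.loads(router_json)["external_gateway_info"]
    if not gw.get("enable_snat", False):
        raise ValueError("router has SNAT disabled; egress via router impossible")
    ip = gw["external_fixed_ips"][0]["ip_address"]
    return str(ipaddress.ip_address(ip))  # validates the address


def egress_source_ip(node_port_id: str, floating_ips_json: str,
                     router_json: str) -> str:
    """Source IP the internet sees for traffic leaving the given Node's port."""
    for fip in json.loads(floating_ips_json):
        if fip.get("Port") == node_port_id:
            # Case 1: the Node's port carries a floating IP.
            return str(ipaddress.ip_address(fip["Floating IP Address"]))
    # Case 2: no floating IP, the packets are NATed at the network's router.
    return router_snat_ip(router_json)


def shared_egress_ips(node_port_ids, floating_ips_json: str,
                      router_json: str) -> dict:
    """Map each egress IP to the Nodes behind it; more than one Node behind a
    single IP is what makes IP-based rate limiting at the endpoint bite."""
    groups: dict = {}
    for port_id in node_port_ids:
        groups.setdefault(
            egress_source_ip(port_id, floating_ips_json, router_json), []
        ).append(port_id)
    return groups
```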

Ingress - Internet to the Cluster

Note: Not to be confused with the Kubernetes resource Ingress!

  • The default MetaKube security group restricts most inbound flows.
  • The Pod network and the Service network are not internet routable.

External Load Balancer

The most convenient way to expose an application in your cluster to the internet is through a LoadBalancer Service. MetaKube integrates with the cloud provider to manage external load balancers automatically. For more information, see load balancers.

Node port

A NodePort Service exposes its endpoints on a fixed port on every Kubernetes Node.

  • By default, Kubernetes will allocate a port dynamically from the range 30000-32767.
  • You can control which endpoints incoming connections are load balanced to with spec.externalTrafficPolicy. See the Kubernetes documentation for more information.