eks with secondary network for pods #3072
Following the documentation, we end up in the following scenario.
https://aws.github.io/aws-eks-best-practices/networking/custom-networking/

The pod receives its IP from the secondary subnet. To access resources outside the VPC, the node's primary IP in the main network is used, but for resources in the same VPC the pod uses the secondary IP it received. Is there a way to mask the pod IP to the primary IP for internal resources in the same VPC?

pod IP: 100.127.35.58
node IP: 192.168.1.44

When trying to access an RDS resource in the same VPC, the pod uses the IP 100.127.35.58.
To access a resource outside the VPC, masking is done so that the pod uses the node IP 192.168.1.44.
We would like this masking to also be done for internal resources in the same VPC.

Comments

No, there is not a way to mask the pod IP to the main IP (or node IP) for internal resources in the same VPC. If you use a hostNetwork pod, then the IP of the pod is the same as the node's primary IP.

Do we not have the possibility to create a function for this?

Do you mean, create a new flag to have an internal SNAT? I am not sure how that will work with the property of hostNetwork pods.

In GCP and Azure there is a way of performing this configuration: https://cloud.google.com/kubernetes-engine/docs/how-to/ip-masquerade-agent

@davirezendegb - can you raise this feature request in containers-roadmap? It needs to be evaluated and prioritized as a product requirement for the CNI.

Hi, this is a blocker for us too. We want to use a separate subnet for pods whilst maintaining routing for nodes via internal SNAT. This was very difficult to debug as the documentation was lacking. This is also a feature GCP has documented well for GKE (via ip-masq-agent); it's surprising to not see this in EKS.
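As an added illustration (not code from the issue, from the VPC CNI project, or from the AWS documentation), the following Python model shows the source address a destination observes under the default node-side SNAT behaviour described in the issue body, together with the hostNetwork case from the comments. The pod and node IPs are the ones in the issue; the VPC CIDRs, the in-VPC RDS address, the out-of-VPC address and the security group rules are constructed, and the `internal_snat` flag is a hypothetical stand-in for the behaviour being requested, not an existing CNI setting.

```python
from ipaddress import ip_address, ip_network

# Constructed sample CIDRs chosen to match the issue: the primary VPC CIDR holds
# the nodes, the secondary CIDR (associated with the same VPC) is what custom
# networking hands out to pods.
VPC_PRIMARY_CIDR = ip_network("192.168.0.0/16")
VPC_SECONDARY_CIDR = ip_network("100.64.0.0/10")
VPC_CIDRS = (VPC_PRIMARY_CIDR, VPC_SECONDARY_CIDR)

NODE_IP = ip_address("192.168.1.44")      # node primary IP (from the issue)
POD_IP = ip_address("100.127.35.58")      # pod IP from the secondary subnet (from the issue)
RDS_IP = ip_address("192.168.10.25")      # constructed in-VPC destination
INTERNET_IP = ip_address("203.0.113.7")   # constructed out-of-VPC destination (TEST-NET-3)
PEER_POD_IP = ip_address("100.100.1.2")   # constructed pod on another node


def observed_source(pod_ip, node_ip, dst, vpc_cidrs=VPC_CIDRS, *,
                    host_network=False, external_snat=False,
                    internal_snat=False):
    """Return the source address `dst` sees for a packet sent by the pod.

    Default VPC CNI behaviour as the issue describes it: traffic leaving the
    VPC is SNATed to the node's primary IP, traffic to any CIDR associated
    with the VPC keeps the pod IP.
    host_network  - a hostNetwork pod: the node IP is used for everything.
    external_snat - models AWS_VPC_K8S_CNI_EXTERNALSNAT=true: no SNAT at all.
    internal_snat - HYPOTHETICAL flag for the behaviour the issue asks for
                    (SNAT for in-VPC destinations too); it does not exist.
    """
    if host_network or internal_snat:
        return node_ip
    if external_snat:
        return pod_ip
    if any(dst in cidr for cidr in vpc_cidrs):
        return pod_ip   # in-VPC: RDS sees 100.127.35.58
    return node_ip      # leaving the VPC: SNAT to 192.168.1.44


def security_group_allows(allowed_cidrs, src):
    """Simplified ingress evaluation: a rule CIDR containing src admits it."""
    return any(src in cidr for cidr in allowed_cidrs)


def rds_reachable(rds_sg_cidrs, **snat_opts):
    """Would the RDS security group admit the pod's traffic under this SNAT model?"""
    src = observed_source(POD_IP, NODE_IP, RDS_IP, **snat_opts)
    return security_group_allows(rds_sg_cidrs, src)


if __name__ == "__main__":
    print("to RDS (in VPC):   ", observed_source(POD_IP, NODE_IP, RDS_IP))
    print("to peer pod:       ", observed_source(POD_IP, NODE_IP, PEER_POD_IP))
    print("to internet:       ", observed_source(POD_IP, NODE_IP, INTERNET_IP))
    sg_nodes_only = (VPC_PRIMARY_CIDR,)
    sg_with_pods = (VPC_PRIMARY_CIDR, VPC_SECONDARY_CIDR)
    print("RDS SG: node CIDR only        ->", rds_reachable(sg_nodes_only))
    print("RDS SG: node + pod CIDR       ->", rds_reachable(sg_with_pods))
    print("hostNetwork pod, node CIDR    ->", rds_reachable(sg_nodes_only, host_network=True))
    print("hypothetical internal SNAT    ->", rds_reachable(sg_nodes_only, internal_snat=True))
```

The model makes the debugging point from the last comment concrete: with the default behaviour, an in-VPC RDS instance whose security group only admits the node CIDR silently drops the pod's connections, because the source it sees is 100.127.35.58, not 192.168.1.44. The choices are to admit the secondary CIDR in that security group, to run the client as a hostNetwork pod, or to have the SNAT the issue requests.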