External networking

Egress - Cluster to the Internet

  • Pods, if not restricted through a NetworkPolicy, and nodes have access to the internet over IP.
  • The default MetaKube security group does not restrict outgoing traffic.

Source IP

Since the Pod network is not internet routable, the packets get masqueraded (SNAT) along the way.
Where, depends on if the node's machine's port has a floating IP associated with it.

  1. Node has an associated floating IP

    The packets get NATed at the Floating IP.

  2. Node has no floating IP

    The packets get NATed at the network's router's public interface.

    You can find out the IP by looking at the router:

    openstack router show metakube-<cluster id>

    All packets coming from your cluster have the same source IP.
    This may be a problem when the endpoint host enforces any kind of IP based rate limiting, e.g. Docker Hub.

To find out the source IP from within the cluster, you may use GET ip.syseleven.de .

Ingress - Internet to the Cluster

Note: Don't confuse with the Kubernetes resource Ingress!

  • The default MetaKube security group restricts most incoming traffic.
  • The Pod network or the Service network are not internet routable.

External Load Balancer

The most convenient way to expose an application in your cluster to the internet, is through a LoadBalancer Service.
MetaKube integrates with the cloud provider to manage external load balancers automatically.
For more information, see load balancers.

Node port

A NodePort Service forwards endpoints on a fixed port on each Kubernetes Node.

  • By default, Kubernetes will allocate a port dynamically from the range 30000-32767.
  • You can control, what endpoints connections are load balanced to, with spec.externalTrafficPolicy.

With externalTrafficPolicy: Cluster (default) packets are masqueraded at the node.
The source IP may be the internal node IP, or the IP of the CNI bridge interface (if the endpoint is on the same node).