Search code examples
kubernetesnetwork-programmingflannel

Forwarding all Kubernetes traffic through a single node


I have a Kubernetes cluster with multiple nodes in two different subnets (x and y). I have an IPsec VPN tunnel setup between my x subnet and an external network. Now my problem is that the pods that get scheduled in the nodes on the y subnet can't send requests to the external network because they're in nodes not covered by the VPN tunnel. Creating another VPN to cover the y subnet isn't possible right now. Is there a way in k8s to force all pods' traffic to go through a single source? Or any clean solution even if outside of k8s?


Solution

  • Posting this as a community wiki, feel free to edit and expand.


    There is no built-in functionality in kubernetes that can do it. However there are two available options which can help to achieve the required setup:

    1. Istio

    If services are well known then it's possible to use istio egress gateway. We are interested in this use case:

    Another use case is a cluster where the application nodes don’t have public IPs, so the in-mesh services that run on them cannot access the Internet. Defining an egress gateway, directing all the egress traffic through it, and allocating public IPs to the egress gateway nodes allows the application nodes to access external services in a controlled way.

    1. Antrea egress

    There's another solution which can be used - antrea egress. Use cases are:

    You may be interested in using this capability if any of the following apply:

    • A consistent IP address is desired when specific Pods connect to services outside of the cluster, for source tracing in audit logs, or for filtering by source IP in external firewall, etc.

    • You want to force outgoing external connections to leave the cluster via certain Nodes, for security controls, or due to network topology restrictions.