
Configure ip-masquerade-agent for new node pools

Hey to everyone!

I have a public GKE cluster and I'm trying to configure a fixed outbound IP for the nodes.

I reserved a static IP address and configured Cloud NAT and a Cloud Router to use this IP on the default network and all subnets.

Then I applied ip-masquerade-agent to the cluster:

config

nonMasqueradeCIDRs:
  - 0.0.0.0/0
masqLinkLocal: true
resyncInterval: 10s

ip-masq-agent.yaml

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: ip-masq-agent
  namespace: kube-system
spec:
  selector:
    matchLabels:
      k8s-app: ip-masq-agent
  template:
    metadata:
      labels:
        k8s-app: ip-masq-agent
    spec:
      hostNetwork: true
      containers:
      - name: ip-masq-agent
        image: gcr.io/google-containers/ip-masq-agent-amd64:v2.5.0
        args:
            - --masq-chain=IP-MASQ
            # To non-masquerade reserved IP ranges by default, uncomment the line below.
            # - --nomasq-all-reserved-ranges
        securityContext:
          privileged: true
        volumeMounts:
          - name: config
            mountPath: /etc/config
      volumes:
        - name: config
          configMap:
            # Note this ConfigMap must be created in the same namespace as the
            # daemon pods - this spec uses kube-system
            name: ip-masq-agent
            optional: true
            items:
              # The daemon looks for its config in a YAML file at /etc/config/ip-masq-agent
              - key: config
                path: ip-masq-agent
      tolerations:
      - effect: NoSchedule
        operator: Exists
      - effect: NoExecute
        operator: Exists
      - key: "CriticalAddonsOnly"
        operator: "Exists"

Outbound requests from nodes in the default-pool are sent from the static IP, so masquerading works as expected, but if I create a new node pool, requests from its nodes are sent from the node's external IP. Why is masquerading not working for new node pools? What could be the problem?


Hi @gcmarvel,

Welcome to Google Cloud Community!

May I know what static IP address you have reserved? Also, can you share the details of how you test the masquerading, and the output from both the default node pool and the new node pool during testing?

Here are some possible things to check and consider:

  • Check if masquerading is configured correctly in your new node pools. Since your default-pool is functioning as expected, the issue might be with how the masquerading is applied to the new node pool. Run the command below to verify:

kubectl get pods -n kube-system -o wide | grep ip-masq-agent

If there are no ip-masq-agent pods running on the nodes of the new node pool, that pool might not be configured to use the same ip-masq-agent. For more reference you may refer to the Configuring an IP masquerade agent documentation.

I hope the above information is helpful!
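The check suggested in the reply, as an added example that is not part of the original thread or of Google's tooling: it compares the list of cluster nodes against the nodes that have a Running ip-masq-agent pod (selected by the k8s-app=ip-masq-agent label from the DaemonSet above) and prints the nodes where the agent is absent. The node and pod names are constructed sample data; the commented kubectl commands show how to feed live cluster output to the function.

```shell
#!/bin/sh
# Added example: report cluster nodes that have no Running ip-masq-agent pod,
# so a new node pool that the DaemonSet never reached stands out.
#
# missing_masq_nodes NODES PODS
#   NODES: newline-separated node names
#   PODS:  lines of "<nodeName> <podPhase>" for ip-masq-agent pods
missing_masq_nodes() {
  nodes="$1"
  pods="$2"
  printf '%s\n' "$nodes" | while IFS= read -r node; do
    [ -n "$node" ] || continue
    # A node is covered only if some agent pod on it reports phase Running.
    if ! printf '%s\n' "$pods" |
         awk -v n="$node" '$1 == n && $2 == "Running" { found = 1 } END { exit !found }'; then
      printf '%s\n' "$node"
    fi
  done
}

# Live usage against a real cluster (needs kubectl access; not run here):
#   NODES=$(kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}')
#   PODS=$(kubectl get pods -n kube-system -l k8s-app=ip-masq-agent \
#            -o jsonpath='{range .items[*]}{.spec.nodeName} {.status.phase}{"\n"}{end}')
#   missing_masq_nodes "$NODES" "$PODS"

# Constructed sample: two default-pool nodes run the agent, the new-pool node does not.
SAMPLE_NODES='gke-demo-default-pool-aaaa-1
gke-demo-default-pool-aaaa-2
gke-demo-new-pool-bbbb-1'
SAMPLE_PODS='gke-demo-default-pool-aaaa-1 Running
gke-demo-default-pool-aaaa-2 Running'

missing_masq_nodes "$SAMPLE_NODES" "$SAMPLE_PODS"
```

Any node printed by the function is one where outbound traffic will leave with the node's own external IP rather than through the masquerade rules, which matches the symptom described for the new node pool.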
