Hey everyone!
I have a public GKE cluster and I'm trying to configure a fixed outbound IP for the nodes.
I reserved a static IP address and configured Cloud NAT and Cloud Router with this IP on the default network and all subnets.
Then I applied ip-masquerade-agent to the cluster:
config
nonMasqueradeCIDRs:
  - 0.0.0.0/0
masqLinkLocal: true
resyncInterval: 10s
ip-masq-agent.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: ip-masq-agent
  namespace: kube-system
spec:
  selector:
    matchLabels:
      k8s-app: ip-masq-agent
  template:
    metadata:
      labels:
        k8s-app: ip-masq-agent
    spec:
      hostNetwork: true
      containers:
        - name: ip-masq-agent
          image: gcr.io/google-containers/ip-masq-agent-amd64:v2.5.0
          args:
            - --masq-chain=IP-MASQ
            # To non-masquerade reserved IP ranges by default, uncomment the line below.
            # - --nomasq-all-reserved-ranges
          securityContext:
            privileged: true
          volumeMounts:
            - name: config
              mountPath: /etc/config
      volumes:
        - name: config
          configMap:
            # Note this ConfigMap must be created in the same namespace as the
            # daemon pods - this spec uses kube-system
            name: ip-masq-agent
            optional: true
            items:
              # The daemon looks for its config in a YAML file at /etc/config/ip-masq-agent
              - key: config
                path: ip-masq-agent
      tolerations:
        - effect: NoSchedule
          operator: Exists
        - effect: NoExecute
          operator: Exists
        - key: "CriticalAddonsOnly"
          operator: "Exists"
Outbound requests from nodes in default-pool are sent from the static IP, so masquerading is working as expected, but if I create a new node pool, requests from its nodes are sent from the node's external IP. Why is masquerading not working for new node pools? What could be the problem?
Hi @gcmarvel,
Welcome to Google Cloud Community!
May I know what is the static IP address you have reserved? And also, can you share the details on how you test the masquerading and the output of both the default node pool and the new node pool during testing?
On the other hand, here are the possible things to check and consider:
kubectl get pods -n kube-system -o wide | grep ip-masq-agent
If there are no pods running for the new node pool, it might not be configured to use the same ip-masq-agent. For more reference you may refer to this Configuring an IP masquerade agent documentation.
I hope the above information is helpful!
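One way to turn the kubectl check from the reply into a per-node-pool report, as an added example that is not part of either post: it joins the node list (with the GKE node-pool label) against the ip-masq-agent pods and prints every node that has no Running agent pod. The node names, pool names and pod rows below are constructed samples of the two kubectl outputs, not data from the cluster in the question.

```shell
#!/bin/sh
# Constructed sample of:
#   kubectl get nodes -L cloud.google.com/gke-nodepool --no-headers
# Columns: NAME STATUS ROLES AGE VERSION GKE-NODEPOOL
NODES='gke-demo-default-pool-1a2b3c4d-abcd   Ready   <none>   10d   v1.27.3-gke.100   default-pool
gke-demo-default-pool-1a2b3c4d-efgh   Ready   <none>   10d   v1.27.3-gke.100   default-pool
gke-demo-new-pool-5e6f7a8b-ijkl       Ready   <none>   1h    v1.27.3-gke.100   new-pool'

# Constructed sample of:
#   kubectl get pods -n kube-system -o wide --no-headers | grep ip-masq-agent
# Columns: NAME READY STATUS RESTARTS AGE IP NODE NOMINATED-NODE READINESS-GATES
# The pod on the new pool exists but is not Running, which is the failure
# mode the check must catch (a present-but-broken agent still means no NAT).
PODS='ip-masq-agent-q1w2e   1/1   Running            0   10d   10.128.0.5   gke-demo-default-pool-1a2b3c4d-abcd   <none>   <none>
ip-masq-agent-r3t4y   1/1   Running            0   10d   10.128.0.6   gke-demo-default-pool-1a2b3c4d-efgh   <none>   <none>
ip-masq-agent-u5i6o   0/1   CrashLoopBackOff   7   1h    10.128.0.9   gke-demo-new-pool-5e6f7a8b-ijkl       <none>   <none>'

# nodes_without_agent NODE_LIST POD_LIST
# Prints "<pool> <node>" for each node lacking a Running ip-masq-agent pod.
# Empty output means every node in every pool is covered.
nodes_without_agent() {
  nodes="$1"
  pods="$2"
  # Node names (column 7 of `-o wide`) that host a pod in Running state.
  covered=$(printf '%s\n' "$pods" | awk '$3 == "Running" { print $7 }' | tr '\n' ' ')
  printf '%s\n' "$nodes" | awk -v covered="$covered" '
    BEGIN { n = split(covered, arr, " "); for (i = 1; i <= n; i++) have[arr[i]] = 1 }
    NF >= 6 && !($1 in have) { print $6, $1 }'
}

# Stand-alone run against the constructed samples; with a real cluster, feed
# the two kubectl outputs above into the function instead.
nodes_without_agent "$NODES" "$PODS"
```

Any node printed here (in a real run, every node of the new pool) is one whose traffic will leave with the node's own external IP rather than through Cloud NAT, which matches the symptom described in the question.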