DataPlane v2 cilium set static egress IP address for namespace

Hello,

I would like to set a static IP address for egress traffic coming out of one namespace in a GKE Standard cluster on DataPlane v2 to a third-party managed service (outside the cluster).

Is it possible to do this? There is no problem doing this with the OSS Cilium distribution.

GKE 1.28

Cilium 1.13.10 (v1.13.10-dfa87aee5d)

1 ACCEPTED SOLUTION

GKE DPv2 does not support Cilium Egress Gateway (which is what I assume you are referencing above).  We have a feature on the backlog to implement analogous functionality, but we don't yet have a committed plan / date for it.

In the meantime, your best option would be to use Cloud NAT and possibly combine it with Network Policy.   Assuming you only want pods in a specific namespace to be able to access the 3rd party service, you can of course use NetworkPolicy to only allow egress to that service from a specific namespace.
You can then set up a Cloud NAT gateway with 1 or more static IPs and if you want to limit that gateway to only egress to the service, you can use Cloud NAT rules to limit where that gateway can connect to. 

If you have paid support or an account team, you can have them file a feature request on your behalf.   If you don't and/or want to create a public issue, you can enter a request in our public tracker.
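The Cloud NAT plus NetworkPolicy arrangement described in this answer, written out as an added Terraform example (it is not code from this thread or from Google). It assumes the google and kubernetes providers are already configured, and the project, region, network, subnetwork, namespace and third-party CIDR values are hypothetical placeholders. The NetworkPolicy restricts the namespace to DNS and the third-party range, while the NAT rule pins the reserved static address to that range and lets all other egress use a separate default address:

```hcl
# Added example: not from the original thread. Provider blocks for
# "google" and "kubernetes" are assumed to be configured elsewhere.

variable "region"           { default = "europe-west1" }        # hypothetical
variable "network"          { default = "my-vpc" }              # hypothetical
variable "subnetwork"       { default = "my-gke-subnet" }       # hypothetical
variable "namespace"        { default = "payments" }            # hypothetical
variable "third_party_cidr" { default = "203.0.113.0/24" }      # hypothetical (TEST-NET-3)

# Reserved static IP that the third party will see, plus a separate
# address for everything else so the static one is used only for that service.
resource "google_compute_address" "third_party_egress" {
  name   = "third-party-egress-ip"
  region = var.region
}

resource "google_compute_address" "default_egress" {
  name   = "default-egress-ip"
  region = var.region
}

resource "google_compute_router" "egress" {
  name    = "egress-router"
  network = var.network
  region  = var.region
}

resource "google_compute_router_nat" "egress" {
  name   = "egress-nat"
  router = google_compute_router.egress.name
  region = var.region

  # Only addresses listed here are ever used as SNAT sources.
  nat_ip_allocate_option = "MANUAL_ONLY"
  nat_ips                = [google_compute_address.default_egress.self_link]

  # Include the node subnet and its secondary (pod) ranges.
  source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"
  subnetwork {
    name                    = var.subnetwork
    source_ip_ranges_to_nat = ["ALL_IP_RANGES"]
  }

  # NAT rules require endpoint-independent mapping to be disabled.
  enable_endpoint_independent_mapping = false

  # Rule: traffic to the third-party range leaves from the reserved static IP.
  rules {
    rule_number = 100
    description = "Static source IP for the third-party service"
    match       = "inIpRange(destination.ip, '${var.third_party_cidr}')"
    action {
      source_nat_active_ips = [google_compute_address.third_party_egress.self_link]
    }
  }

  log_config {
    enable = true
    filter = "ERRORS_ONLY"
  }
}

# Namespace-scoped egress restriction (enforced natively by DataPlane v2):
# pods may only talk to cluster DNS and to the third-party range on 443.
resource "kubernetes_network_policy_v1" "third_party_only" {
  metadata {
    name      = "egress-third-party-only"
    namespace = var.namespace
  }
  spec {
    pod_selector {}
    policy_types = ["Egress"]

    egress {
      to {
        namespace_selector {
          match_labels = { "kubernetes.io/metadata.name" = "kube-system" }
        }
      }
      ports {
        port     = "53"
        protocol = "UDP"
      }
    }

    egress {
      to {
        ip_block { cidr = var.third_party_cidr }
      }
      ports {
        port     = "443"
        protocol = "TCP"
      }
    }
  }
}
```

Two points to keep in mind when applying this: Cloud NAT only translates traffic from nodes without external IPs, so the node pool must be private, and pod traffic is masqueraded to the node IP before it reaches Cloud NAT, so the NAT rule can only select by destination. The per-namespace scoping therefore comes entirely from the NetworkPolicy, and the static address is still shared by every private node that reaches that destination range.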

Hey,

thanks for your reply.

That's how it went. I read about Cloud NAT and thought it only applied to Calico-based clusters. I will be testing today. I'll come back to let you know if it worked.

Thank you!
