
Fixed outgoing IP addresses for managed kubernetes service

Open qualifio-infrastructure opened this issue 3 years ago • 10 comments

As a managed Kubernetes user, I want to be able to set static outgoing IP addresses for my entire cluster. Whitelisting and asking clients to whitelist node IPs is not always a viable solution, especially now with autoscaling scenarios where new nodes can pop up "at any time".

qualifio-infrastructure avatar May 12 '21 11:05 qualifio-infrastructure

This is a must-have! A lot of people are asking for that, and to be able to add PTR too.

EDIT: PTR is possible in the IP list on the OVH account, just be sure the A name has been added in the domain to the IP before adding the reverse DNS.

Tronix117 avatar Jun 24 '21 17:06 Tronix117

I would also like to have the ability to set the IP address that will be assigned to a given node. With dynamic node address allocation we are unable to filter traffic inside vRack.

slawomir-sikora avatar Jun 29 '21 09:06 slawomir-sikora

Same here

tanandy avatar Jun 29 '21 09:06 tanandy

Use cases:

  • Whitelisting IP => necessary for security and restrictions, some services require the IPs of the server, which cannot be done here
  • Mail sending => absolutely mandatory to be able to manage reputation on a unique IP, OVH SMTP relay is mostly considered as spam, and there is a need here to be able to maintain a correct IP reputation to send mails

I can see two things here:

  • Cool: Adding the ability to default the outgoing traffic on each instance to an attached IP, that can be easily migrated to another instance
  • Awesome: Having the ability to route (sort of egress) some containers through specific outgoing IPs (like we can do on other cloud providers)

Right now it's possible to mimic that, but it's not practical:

  1. Adding a failover IP to the instance
  2. Adding the IP in the node label on the instance it's associated to
  3. Using an elevated start container as a DaemonSet to re-configure the netplan at machine start
  4. Using the IP with containers with hostNetwork = true (<- major security issue, but... only way to do it right now)

Tronix117 avatar Jun 29 '21 10:06 Tronix117

Any news on this? This egress feature is a must for us as we are dealing with some third-parties which whitelist IPs. @mhurtrel I ping you directly on this, sorry for that, but I guess you will have more information as K8S PM.

Thanks!

jeremylvln avatar Jul 26 '21 13:07 jeremylvln

Hi, I understand the need and confirm we will look into a managed solution for this, but have no ETA to share yet.

mhurtrel avatar Jul 26 '21 14:07 mhurtrel

Note that for vRack-enabled clusters, this feature will allow you to cover most use cases (but will require you to maintain a gateway): https://github.com/ovh/public-cloud-roadmap/issues/116

mhurtrel avatar Oct 26 '21 07:10 mhurtrel

Hi OVH,

Any news about this feature?

btbenjamin avatar Mar 14 '22 08:03 btbenjamin

Hi @btbenjamin, this will be covered after https://github.com/ovh/public-cloud-roadmap/issues/116, which we plan to have in the next 2 months.

mhurtrel avatar Mar 16 '22 15:03 mhurtrel

NB: Issue #116 is now available. This allows you to cover this use case if you use private networks/vRack.

mhurtrel avatar Jun 21 '22 14:06 mhurtrel

Closing this one as MKS is now supporting Default private network gateway (https://github.com/ovh/public-cloud-roadmap/issues/116) that can be used in addition to the OVHcloud Managed Gateway (https://www.ovhcloud.com/fr/public-cloud/gateway/)

antonin-a avatar Dec 27 '23 13:12 antonin-a