weave
Support Static Egress IP
When a pod communicates with the outside, the host IP becomes the source IP. Because of organizational firewall policies, a static egress IP for a particular pod or namespace is required.
For example, to connect a specific pod in a particular namespace to an external DB, I must open the firewall between all the worker nodes and the external DB. In this case, it is possible to communicate with the external DB even from an undesired namespace. Although the egress policy might be the answer, it is basically hard to allow the entire worker node IP range to be opened on the firewall for security reasons.
Below is a reference to the OpenShift OVS feature.
(New Feature) https://blog.openshift.com/how-to-enable-static-egress-ip-in-ocp/
(Legacy Feature) https://blog.openshift.com/accessing-external-services-using-egress-router/
/kind feature
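The issue above argues that node-IP SNAT forces an over-broad firewall rule: to let one namespace reach the DB, every worker node IP must be allowlisted, and any pod on those nodes then passes the firewall. The following is an added example, not Weave Net code or anything from the issue's author, that models the two egress modes side by side with constructed pod, node and DB addresses (the namespaces, IPs and the `egress_map` are invented) and computes which pods the external firewall ends up admitting under each mode.

```python
"""Model of why node-IP SNAT forces an over-broad external firewall rule.

Constructed example (not Weave Net code): pods, nodes, egress IPs and the
external DB address are invented values.  Two egress modes are compared:
  - "node-snat":     every pod's traffic leaves with its node's IP (the
                     default behaviour described in the issue)
  - "static-egress": pods in a selected namespace leave with a dedicated
                     egress IP; all other pods still use the node IP
The external firewall is an allowlist of source IPs permitted to reach the DB.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pod:
    name: str
    namespace: str
    node_ip: str  # IP of the worker node hosting the pod


EXTERNAL_DB = "203.0.113.10"  # constructed address (TEST-NET-3 range)


def egress_source_ip(pod: Pod, mode: str, egress_map: dict) -> str:
    """Return the source IP the external DB sees for this pod.

    egress_map maps namespace -> static egress IP and is only consulted in
    "static-egress" mode; namespaces without an entry fall back to node SNAT.
    """
    if mode == "static-egress" and pod.namespace in egress_map:
        return egress_map[pod.namespace]
    return pod.node_ip


def firewall_allows(src_ip: str, allowlist: set) -> bool:
    """External firewall: permit the DB port only from allowlisted sources."""
    return src_ip in allowlist


def required_allowlist(pods, mode, egress_map, allowed_namespaces) -> set:
    """Smallest allowlist that lets every pod in allowed_namespaces reach the DB."""
    return {
        egress_source_ip(p, mode, egress_map)
        for p in pods
        if p.namespace in allowed_namespaces
    }


def reachable_pods(pods, mode, egress_map, allowlist) -> set:
    """Pods that can actually reach the DB once that allowlist is installed."""
    return {
        p.name
        for p in pods
        if firewall_allows(egress_source_ip(p, mode, egress_map), allowlist)
    }


# Constructed cluster: two worker nodes, pods from an intended namespace
# ("billing") and an unrelated one ("sandbox") sharing those nodes.
PODS = [
    Pod("billing-api", "billing", "10.0.0.11"),
    Pod("billing-worker", "billing", "10.0.0.12"),
    Pod("scratch-shell", "sandbox", "10.0.0.11"),  # same node as billing-api
    Pod("ci-runner", "sandbox", "10.0.0.12"),      # same node as billing-worker
]
EGRESS_MAP = {"billing": "192.0.2.50"}  # constructed static egress IP


def compare() -> dict:
    """For each mode: (allowlist the firewall needs, pods that then get through)."""
    results = {}
    for mode in ("node-snat", "static-egress"):
        allow = required_allowlist(PODS, mode, EGRESS_MAP, {"billing"})
        results[mode] = (allow, reachable_pods(PODS, mode, EGRESS_MAP, allow))
    return results


if __name__ == "__main__":
    for mode, (allow, reach) in compare().items():
        print(f"{mode:14s} allowlist={sorted(allow)} reaches DB={sorted(reach)}")
```

Running it shows that in `node-snat` mode the allowlist must contain both node IPs, and every sandbox pod on those nodes reaches the DB as well; in `static-egress` mode the allowlist is the single egress IP and only the billing pods get through, which is the narrowing the feature request is after.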
Would love to see this possibility too. We also have a requirement where we set up a firewall rule for an exception to the normal blocking of HTTP/HTTPS outbound traffic, but running the proxy in the Kubernetes cluster requires us to pin what IP the egress traffic originates from (so a matching firewall rule can be set up).
I am running into a similar issue where an external service only responds to a whitelisted IP; would love to see this feature implemented.
Is this on the roadmap? If not, is there an alternate way to achieve this? Would love to see this feature.