Static Egress
The static egress feature allows your Pods to have a static, predictable outgoing IP address. This IP address can then be used in remote systems to allow/deny traffic emitted from the selected Pods.
Details
By default, Pods running in NKE clusters will use the IP address of the node they are running on as source IP when initiating connections to external (out of cluster) systems. As the IP addresses of nodes can change and also because Pods can be scheduled onto different nodes, restricting traffic from Pods at external systems is very hard. The only possibility so far was to allow traffic from all NKE subnets which are in use.
The static egress feature overcomes this limitation. It allows Pods, which have a specific label set, to use a static egress IP. All egress traffic made by these Pods will be routed via one node in the NKE cluster and be emitted with a static source IP. All other Pods (which don't have the specific label set) in the cluster will continue to use the IP of the node they are running on for egressing traffic. This way, traffic from specific Pods in the cluster can be allowed/denied on external systems (firewalls, etc).
If the node which was selected for the static egress traffic is getting replaced during our maintenance window, a new node will be automatically selected and static egress traffic will be routed over the new node. Only nodes from the "nine node pool" will be selected for static egress traffic.
Availability
The static egress feature is currently available for the following products:
- NKE clusters
- vClusters
- Deploio applications
Usage
The configuration of the static egress feature differs slightly, depending on the product in use.
NKE clusters
To enable the feature on NKE clusters, you will first need to enable the static egress runtime on the NKE cluster itself. The runtime will select the egressing node from the "nine" node pool and prepare all network configurations. Please find the corresponding commands for enabling the runtime below. Enabling the runtime is a requirement for static egress to work in NKE clusters.
Enabling the Static Egress Runtime
- Kubectl
- Cockpit
-
Make sure that you have
kubectl
andnctl
installed. -
Authenticate with our API using
nctl
:nctl auth login
-
List all your clusters to find your desired NKE cluster.
nctl get clusters -A
-
Once you found the name of your NKE cluster you can use
kubectl
with the nineapis.ch context to enable the runtime:kubectl --context=nineapis.ch patch kubernetescluster <NAME OF NKE CLUSTER> -n <PROJECT OF CLUSTER> \
--type=merge -p '{"spec":{"forProvider":{"nke":{"staticEgress":{"enabled":true}}}}}'
Support in Cockpit is still in development. Documentation will be added soon.
Create a Static Egress Resource
After the runtime got enabled, a static egress resource which targets your cluster can be created. This will result in the automatic creation of a static egress IP and a corresponding Pod label. You can then add this label to all the Pods which should make use of the static egress IP.
- Kubectl
- Cockpit
-
Make sure that you followed the API authentication steps from above and have
kubectl
andnctl
installed. -
List all your clusters.
nctl get clusters -A
-
Create the following static egress resource definition in a
static-egress.yaml
file and make sure to replace the content of the placeholders with your corresponding values.apiVersion: networking.nine.ch/v1alpha1
kind: StaticEgress
metadata:
name: my-static-egress
namespace: <REPLACE WITH PROJECT OF CLUSTER>
spec:
forProvider:
disabled: false
target:
group: infrastructure.nine.ch
kind: KubernetesCluster
name: <REPLACE WITH NAME OF CLUSTER> -
Use
nctl
to apply the file to the API.nctl apply -f static-egress.yaml
-
After a few seconds an IP address and a Pod label should be selected.
$> kubectl --context nineapis.ch get staticegress my-static-egress -n <NAME OF PROJECT> -o yaml
...
status:
atProvider:
address: <SELECTED EGRESS IP>
selectionLabel:
name: networking.nine.ch/static-egress
value: <VALUE OF POD LABEL>
Support in Cockpit is still in development. Documentation will be added soon.
Assigning the Static Egress Label to Pods
Lets assume the static egress configuration selected the label
networking.nine.ch/static-egress: production-egress
for static egress pod
selection. If you already have a Kubernetes Deployment called "production" which
deploys your production application, you can attach the label to all running
pods of that Deployment by:
- creating a file
label-patch.yaml
with the following content:
spec:
template:
metadata:
labels:
networking.nine.ch/static-egress: production-egress
- and patching your Kubernetes Deployment "production":
kubectl patch deploy production --patch-file=label-patch.yaml
This will rollout new pods which will all have the special static egress label attached. All egressing traffic of those Pods will now make use of the static egress IP.
If you remove the label again, the pods will be using the default node IPs instead.
vClusters
The usage of static egress for vClusters is very similar to the NKE cluster one. The only difference is that you do not need to enable the static egress runtime (as the runtime gets automatically enabled). You can just create static egress resources and attach the selected Kubernetes label to your Pods as described in the example.
Deploio applications
The static-egress configuration for Deploio applications is very easy. Just create a static egress resource and your Deploio application will use the selected IP for egress communication.
Create a Static Egress Resource
- Kubectl
- Cockpit
-
Make sure that you have
kubectl
andnctl
installed. -
Authenticate with the API using
nctl
:nctl auth login
-
List all your Deploio applications.
nctl get apps -A
-
Create the following static egress resource definition in a
deploio-static-egress.yaml
file and make sure to replace the content of the placeholders with your corresponding values.apiVersion: networking.nine.ch/v1alpha1
kind: StaticEgress
metadata:
name: my-deploio-static-egress
namespace: <REPLACE WITH PROJECT OF APPLICATION>
spec:
forProvider:
disabled: false
target:
group: apps.nine.ch
kind: Application
name: <REPLACE WITH NAME OF APPLICATION> -
Use
nctl
to apply the file to the API.nctl apply -f deploio-static-egress.yaml
-
After a few seconds an IP address should be selected and your Deploio application will use it automatically for egress traffic (no further configuration required).
$> kubectl --context nineapis.ch get staticegress my-deploio-static-egress -n <NAME OF PROJECT> -o yaml
...
status:
atProvider:
address: <SELECTED EGRESS IP>
Support in Cockpit is still in development. Documentation will be added soon.
Disable a Static Egress Resource
You can temporarily disable a static egress resource. Contrary to the deletion of a static egress resource, this will not delete the automatically selected egress IP address which can be reused after you activated the static egress again.
- Kubectl
- Cockpit
-
Make sure that you have
kubectl
andnctl
installed. -
Authenticate with the API using
nctl
:nctl auth login
-
List all your static egress resources to select the one which you want to temporarily disable.
nctl get all --kinds staticegress -A
-
Patch the static egress resource with
kubectl
.kubectl --context=nineapis.ch patch staticegress <NAME OF RESOURCE> -n <PROJECT OF RESOURCE> \
--type=merge -p '{"spec":{"forProvider":{"disabled":true}}}'
Support in Cockpit is still in development. Documentation will be added soon.
Remove a Static Egress Resource
If you want to remove the static egress feature again, you can just delete the corresponding static egress resource from the API. This will also delete the automatically selected egress IP address.
- Kubectl
- Cockpit
-
Make sure that you have
kubectl
andnctl
installed. -
Authenticate with the API using
nctl
:nctl auth login
-
List all your static egress resources to select the one which you want to delete.
nctl get all --kinds staticegress -A
-
Delete the static egress resource with
kubectl
.kubectl --context nineapis.ch delete staticegress <NAME OF RESOURCE> -n <PROJECT OF RESOURCE>
Support in Cockpit is still in development. Documentation will be added soon.