3

Is there a way in Kubernetes, or a network plugin, with which we can limit the range of IP allocation? For example, I am trying to use Weave with the subnet 192.168.16.0/24. I want to limit the allocation of IPs by Kubernetes to pods to the range 192.168.16.10-30.

However, my app might use the rest of the IPs based on requirements, i.e. my app can start a virtual IP from 192.168.16.31-50, but I want some mechanism to make sure that the IP range I specified will not be allocated by K8s and my app can consume it.

I need something like this: https://www.weave.works/docs/net/latest/tasks/ipam/configuring-weave/.

Ivan Aracki
drifter
    I'm not sure I understand your requirements and why you want to do this. When you create a cluster you can set the IP range from which pods get their IP addresses, e.g. on GKE via `--cluster-ipv4-cidr`. But pretty much everything that is outside of this won't be routed by the kube-proxy, afaik. What are you trying to achieve? Can't you work with a Service? – yvesonline Feb 10 '20 at 08:37
  • Agree with @yvesonline, you could use a StatefulSet to have better control of your pods and use a Service instead of fixed IPs in pods. Please provide more details about your application requirements to get help from the community. – Mr.KoopaKiller Feb 10 '20 at 13:17
  • Thanks for providing the input. – drifter Feb 10 '20 at 16:35
  • Thanks for providing the input. I am using a custom DNS server and pods can be reached through the custom DNS. I have an app which accepts connections on a virtual IP, as it was written that way, and that fixes my network identity. I understand stateful pods as an alternative, but it is not helping here, as our stateful app has its own connection mechanism through a virtual IP, and IPs can be failed over in no time to other shadow pods where services are UP but not accessible to clients unless the virtual IP fails over to that pod. – drifter Feb 10 '20 at 16:57
  • Just to clarify: do you want to assign more than one IP address to your pods, or just limit the allocation range? If it is the first case, maybe [multus](https://github.com/intel/multus-cni) could help. If it is about IP allocation, see [this](https://www.tigera.io/blog/calico-ipam-explained-and-enhanced/) page from the Calico docs. – Mr.KoopaKiller Feb 18 '20 at 11:53

2 Answers

1

A NetworkPolicy resource will help

See Documentation

An example NetworkPolicy might look like this:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978

The rule ipBlock describes the network ranges for ingress and egress rules. E.g.:

    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24

CIDR

CIDR stands for Classless Inter-Domain Routing, see samples of IPv4 CIDR blocks

More info

Yasen
  • 4,241
  • 1
  • 16
  • 25
  • Thanks for the info. This will not help, as it helps in controlling the traffic to the pod. However, I am looking for a mechanism to control the IP allocation to pods. For example, if I set --cluster-ipv4-cidr=192.168.16.0/24, I need a way to specify a range such as 192.168.16.31-50 which Kubernetes should not allocate to pods. – drifter Feb 10 '20 at 17:01
0

It's a good question actually. It depends on your CNI; in your case you are using Weave Net.

I am assuming you are using a DaemonSet for your Weave Net. If so, add something like this to your DaemonSet YAML file.

        # Fragment of the weave-net DaemonSet pod template; only the
        # IPALLOC_RANGE environment variable on the "weave" container is added.
        spec:
          containers:
            - name: weave
              command:
                - /home/weave/launch.sh
              env:
                # CIDR from which Weave's IPAM hands out pod addresses
                - name: IPALLOC_RANGE
                  value: 192.168.16.32/27

This gives your pods an IP range from 192.168.16.32-63.

You can also setup this with Weave CLI, let me know if you need that.

Hope this is helpful.

BinaryMonster
  • 1,118
  • 7
  • 10
  • Thanks for looking at it. Assume I use this; what would be the netmask for that pod: based on --cluster-ipv4-cidr (assuming 192.168.16.0/24, which is 255.255.255.0) or based on IPALLOC_RANGE (which is 255.255.255.224)? I asked this question because virtual IPs in general must be on the same subnet. If it is 255.255.255.0, I feel it is going to be very helpful. I am using stateful pods as I need persistent storage. – drifter Feb 10 '20 at 20:01
  • @drifter Not sure what you mean by 255.255.255.224, but the YAML I pasted here is related to the weavenet deployment. By specifying the IPALLOC_RANGE in the weavenet, whatever pods get created will pick IPs from that range, without interfering with your application IP range. So in general, if an application pod is deployed that does helloworld, it will pick somewhere between 32-63 without any CIDR definitions in your deployment file. – BinaryMonster Feb 11 '20 at 12:34
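One check worth running before committing an IPALLOC_RANGE, as an added example that is not part of the original question or answers: Weave's IPALLOC_RANGE is a single CIDR block, and the question's wanted pod range (192.168.16.10-30) and virtual-IP range (192.168.16.31-50) are not CIDR-aligned, so a block chosen by eye can silently cover VIP addresses. 192.168.16.32/27 from the answer above spans .32-.63 and therefore overlaps .32-.50 of the VIP range; rounding the pod range up to 192.168.16.16/28 (.16-.31) overlaps .31. The script below uses only the standard `ipaddress` module, takes the subnet and ranges from the question as constructed input, and picks the largest aligned block inside the pod range that stays inside the cluster subnet and clear of the VIP range. Assumed by me: that the CNI accepts exactly one CIDR for its allocation range, as the Weave answer shows.

```python
"""Plan a CNI IPAM range that keeps clear of an application's virtual IPs.

Added example, not from the original post. Input values are the ones named
in the question (constructed here); the one-CIDR constraint is an assumption
taken from the Weave IPALLOC_RANGE answer.
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed from the question: cluster subnet, wanted pod range, VIP range.
CLUSTER_SUBNET = "192.168.16.0/24"
POD_RANGE = ("192.168.16.10", "192.168.16.30")
VIP_RANGE = ("192.168.16.31", "192.168.16.50")


def cidr_blocks_for_range(first: str, last: str) -> List[str]:
    """Minimal list of CIDR blocks exactly covering first..last (inclusive).

    A non-aligned range such as .10-.30 splits into several blocks; a CNI
    that takes one CIDR can only use one of them.
    """
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def overlapping_addresses(cidr: str, first: str, last: str) -> List[str]:
    """Addresses of `cidr` that fall inside first..last; empty means no clash."""
    net = ipaddress.ip_network(cidr, strict=True)  # reject unaligned CIDRs
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(addr) for addr in net if lo <= addr <= hi]


def plan_ipalloc_range(pod_range: Tuple[str, str],
                       vip_range: Tuple[str, str],
                       subnet: str) -> Optional[str]:
    """Largest single CIDR inside pod_range that lies within `subnet` and
    shares no address with vip_range, or None if no block qualifies."""
    parent = ipaddress.ip_network(subnet)
    usable = [
        block for block in cidr_blocks_for_range(*pod_range)
        if ipaddress.ip_network(block).subnet_of(parent)
        and not overlapping_addresses(block, *vip_range)
    ]
    if not usable:
        return None
    return max(usable, key=lambda b: ipaddress.ip_network(b).num_addresses)


if __name__ == "__main__":
    # The answer's /27 collides with the VIP range on .32-.50.
    clash = overlapping_addresses("192.168.16.32/27", *VIP_RANGE)
    print("192.168.16.32/27 clashes with", len(clash), "VIP addresses",
          clash[0], "-", clash[-1])
    # Rounding the pod range up to a /28 still touches .31.
    print("192.168.16.16/28 clashes with",
          overlapping_addresses("192.168.16.16/28", *VIP_RANGE))
    # A safe value for IPALLOC_RANGE given the question's constraints.
    print("IPALLOC_RANGE candidate:",
          plan_ipalloc_range(POD_RANGE, VIP_RANGE, CLUSTER_SUBNET))
```

The trade-off the output makes visible: the largest aligned block that fits .10-.30 without touching .31 is 192.168.16.16/29, only eight addresses, so a pod range defined as "10 to 30" costs most of its capacity once it has to become one CIDR. Either move the VIP range so the pod block can be aligned, or accept the smaller block; do not pick a CIDR that merely looks close to the wanted range.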