
We run a K8S cluster in a private network behind a firewall with nasty reverse NAT rules that prevent our hosts from connecting to themselves over public IPs.

Problem

From inside a pod I need to connect to a service that resolves to the public IP 203.X.X.X, which is not possible. However, I can connect to this service over the private IP 192.Y.Y.Y.

I can set up an iptables rule on the node running the pod as follows:

iptables -A OUTPUT -t nat -p tcp -d 203.X.X.X --dport 80 -j DNAT --to-destination 192.Y.Y.Y:80

Then I can successfully connect to the service from the node, but not from a pod running on this node.

A solution with hostAliases would not work as we:

  • do not know the host names in advance
  • would like to reroute all traffic to known public (unreachable) IPs to the respective private IPs

PS: We use Calico as the networking plugin.

Jakub Kriz
  • Anton, have you managed to find the issue already? Which k8s exactly are you running? Is it some minikube, etc.? How did you install it? "From inside a pod I need to connect to the service that is resolved to public IP 203.X.X.X": what is the need for that? Could you show the svc config (`kubectl get svc -o wide`)? – Nick Jun 25 '20 at 07:58
  • This has been solved by adding the same rules to the PREROUTING chain. – Anton Andrushchenko Dec 23 '20 at 08:43
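The fix Anton reports, as an added example that is not part of the question or its comments: the OUTPUT chain only sees packets the node itself generates, while packets from a pod enter the node through the pod's veth interface and traverse PREROUTING, so the same DNAT rule has to exist in both chains. The script emits both rules, checks an `iptables -t nat -S` listing for whichever chain is still missing the rule, and only runs iptables when APPLY=1; the IP addresses are constructed placeholders from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example, not code from the question or its comments.
# OUTPUT only matches locally generated packets; pod traffic arrives on the
# node via the pod's veth and passes PREROUTING, so both chains need the rule.
# 203.0.113.10 / 192.0.2.10 are constructed placeholders (RFC 5737 ranges).

# dnat_rules PUBLIC_IP PRIVATE_IP PORT
# Prints the iptables command for each chain without running anything.
dnat_rules() {
    public="$1"; private="$2"; port="$3"
    for chain in OUTPUT PREROUTING; do
        printf 'iptables -t nat -A %s -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$chain" "$public" "$port" "$private" "$port"
    done
}

# missing_chains PUBLIC_IP PRIVATE_IP PORT   (reads `iptables -t nat -S` on stdin)
# Prints the chains that still lack the rule. iptables lists rules in the
# canonical form "-A CHAIN -d IP/32 -p tcp -m tcp --dport N -j DNAT ...".
missing_chains() {
    public="$1"; private="$2"; port="$3"
    rules=$(cat)
    for chain in OUTPUT PREROUTING; do
        printf '%s\n' "$rules" | grep -qF -- \
            "-A $chain -d $public/32 -p tcp -m tcp --dport $port -j DNAT --to-destination $private:$port" \
            || echo "$chain"
    done
}

# apply_rules PUBLIC_IP PRIVATE_IP PORT
# Runs the generated commands only when APPLY=1 (needs root on the node);
# otherwise it just shows what would be installed.
apply_rules() {
    dnat_rules "$@" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then sh -c "$cmd"; else echo "[dry-run] $cmd"; fi
    done
}

# Constructed listing of a node that has only the OUTPUT rule from the question.
SAMPLE_NAT_RULES='-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -d 203.0.113.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.10:80'

# Reports "PREROUTING": traffic from pods on this node still bypasses the rewrite.
printf '%s\n' "$SAMPLE_NAT_RULES" | missing_chains 203.0.113.10 192.0.2.10 80
apply_rules 203.0.113.10 192.0.2.10 80
```

On a real node, feed `iptables -t nat -S | missing_chains PUBLIC PRIVATE PORT` to confirm both chains carry the rule after applying it.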

0 Answers