
We have a pod which is trying to reach an IP (192.168.xx.xx) which is outside the Kubernetes cluster. The IP it's trying to reach is the internal IP of an external entity which can normally be reached only using the external IP (10.110.xx.xx).
We have defined the routes (using iptables) on worker/master nodes to redirect the internal IP to the external one. This redirect works fine at worker/master host level, but the Kubernetes pod does not use these. Is there a way to implement this at pod level as well, or to make the pod use the routes from the host? (I know using hostNetwork in the pod is an option, but unfortunately we can't use it.)
The iptables rules are updated as below:

iptables -t nat -A OUTPUT -p tcp -d 192.168.xx.xx -j DNAT --to-destination 10.110.xx.xx
iptables -t nat -A OUTPUT -p tcp -d 192.168.xx.xx --dport 10550 -j DNAT --to-destination 10.110.xx.xx:10550
  • What if you do it on the `PREROUTING` chain? – reith Jun 01 '21 at 10:29
  • `iptables -t nat -A PREROUTING -p tcp -d 192.168.xx.xx -j DNAT --to-destination 10.110.xx.xx` – reith Jun 01 '21 at 10:30
  • It might be that, since container traffic has gone to another (virtual) interface, node-level `output` rules won't apply to it, but I'm not sure about that. – reith Jun 01 '21 at 10:36
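The comments point at the actual reason the question's rules do nothing for pods: the nat `OUTPUT` chain only sees packets the node itself generates, while a packet leaving a pod enters the node on the veth/bridge side and is forwarded, so in the nat table it traverses `PREROUTING` only. The script below is an added illustration, not code from the question or the answer. It keeps a single DNAT rule in a private chain and jumps to it from both `PREROUTING` (pod traffic) and `OUTPUT` (host-local traffic), checks for an existing rule before appending so it can be re-run safely, and scopes the redirect to the one port rather than all TCP. The addresses are placeholders standing in for the question's 192.168.xx.xx and 10.110.xx.xx, and `POD_IF`, `POD-REDIRECT` and `DRY_RUN` are assumptions of this example (the bridge name depends on your CNI).

```shell
#!/bin/sh
# Added example (not from the question or the answer). Demonstrates why a
# host DNAT must live in PREROUTING to catch forwarded pod traffic, and
# installs one DNAT rule reachable from both PREROUTING and OUTPUT.

INTERNAL_IP="${INTERNAL_IP:-192.168.100.10}"   # placeholder for 192.168.xx.xx
EXTERNAL_IP="${EXTERNAL_IP:-10.110.100.10}"    # placeholder for 10.110.xx.xx
PORT="${PORT:-10550}"
POD_IF="${POD_IF:-cni0}"     # assumption: the bridge pods hang off; check `ip link`
CHAIN="POD-REDIRECT"         # our own chain; never edit KUBE-* or CNI-managed chains
DRY_RUN="${DRY_RUN:-1}"      # 1 = print the iptables commands, 0 = execute them (root)

# Which nat chain actually sees traffic from a given origin.
chain_for_origin() {
    case "$1" in
        host) echo OUTPUT ;;      # packets generated on the node itself
        pod)  echo PREROUTING ;;  # forwarded packets arriving via the veth/bridge
        *)    return 1 ;;
    esac
}

# Print or run one iptables command, depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Append a nat rule only if it is not already present (-C checks for it),
# so the script is safe to re-run from a DaemonSet or a boot hook.
ensure_rule() {
    chain="$1"; shift
    if [ "$DRY_RUN" = 1 ] || ! iptables -t nat -C "$chain" "$@" 2>/dev/null; then
        ipt -t nat -A "$chain" "$@"
    fi
}

install_redirect() {
    # Create the private chain; ignore "chain already exists" when applying.
    if [ "$DRY_RUN" = 1 ]; then
        ipt -t nat -N "$CHAIN"
    else
        iptables -t nat -N "$CHAIN" 2>/dev/null || true
    fi
    # Pod traffic: forwarded packets entering from the CNI bridge. -i is only
    # valid in PREROUTING, and it keeps the rule from catching forwarded
    # traffic that arrives on other NICs.
    ensure_rule "$(chain_for_origin pod)" -i "$POD_IF" -p tcp -d "$INTERNAL_IP" --dport "$PORT" -j "$CHAIN"
    # Host-local traffic: what the question's original OUTPUT rule covered.
    ensure_rule "$(chain_for_origin host)" -p tcp -d "$INTERNAL_IP" --dport "$PORT" -j "$CHAIN"
    # The single DNAT, limited to the one port instead of every TCP port.
    ensure_rule "$CHAIN" -p tcp -j DNAT --to-destination "$EXTERNAL_IP:$PORT"
}

install_redirect
```

Run it on every node (a DaemonSet with `NET_ADMIN` is the usual vehicle, rather than a privileged init container in each application pod), then confirm with `iptables -t nat -L POD-REDIRECT -n -v` that the packet counters move when a pod connects. Two caveats: with a bridge-less CNI that gives each pod its own veth, replace the bridge name with the veth prefix (`-i` accepts a `+` wildcard); and the reply path relies on conntrack undoing the DNAT, which only works if the external host can route back to the node, so check whether your CNI already masquerades pod egress before adding a `POSTROUTING` rule of your own. Because the rule is appended, kube-proxy's `KUBE-SERVICES` jump at the top of `PREROUTING` still runs first, which is fine as long as the internal IP is not a Service IP.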

1 Answer


The answer is probably "yes, but it's really complicated". This would depend deeply on your CNI plugin and how it works. There's no single standard for how pod networks are allocated or configured. You could probably do it via a privileged init container? But if you break your CNI, you get to keep all the pieces.

coderanger