
We have a GKE Autopilot Cluster and an external Address/Cloud NAT set up. For certain Pods we want to ensure that all their outgoing traffic (layer 4) is routed through that external address.

The only possibilities I can think of are to make the whole Cluster private (and thus enforce use of the Cloud NAT) or to use a Service Mesh solution which could perhaps intercept all packets via eBPF?

Are there other solutions for enforcing routing to one external Address?

JaysonM
abergmeier
  • At this point, I'd go with the private cluster + Cloud NAT approach. In general, private clusters are the way to go as a best practice. – Gari Singh Jul 02 '22 at 09:47

2 Answers


For the time being, there is no way to do this for the GKE Autopilot Cluster.

But by the end of October, there will likely be an upgrade to the Egress NAT policy that will enable users to set up SNAT based on pod labels, namespaces, and even the destination IP address.

Alex G


You can try the IP masquerade agent; it works for me with a standard cluster and NAT with a public cluster/nodes.

IP Masquerade Agent

klynaTz
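The ip-masq-agent configuration the second answer refers to, written out here as an added example that is not part of the original post or the answerer's own setup: on a GKE Standard cluster this ConfigMap narrows the non-masqueraded ranges to the cluster's own Pod and Service CIDRs, so traffic to every other destination is SNATed to the node IP and, when the nodes have no external IPs, leaves the VPC through Cloud NAT. The two CIDRs are constructed placeholders, not values from the page.

```yaml
# Added example (not from the original answers): ip-masq-agent ConfigMap for a
# GKE Standard cluster. Any destination outside nonMasqueradeCIDRs is SNATed to
# the node's IP; with private nodes that traffic then exits via Cloud NAT.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ip-masq-agent
  namespace: kube-system
data:
  config: |
    # Only Pod-to-Pod and Pod-to-Service traffic keeps its Pod source IP.
    # 10.4.0.0/14 and 10.8.0.0/20 are constructed placeholders: replace them
    # with this cluster's Pod and Service ranges (gcloud container clusters describe).
    nonMasqueradeCIDRs:
      - 10.4.0.0/14
      - 10.8.0.0/20
    # Link-local (169.254.0.0/16, which includes the metadata server) is left unmasqueraded.
    masqLinkLocal: false
    # How often the agent re-reads this ConfigMap and reapplies its iptables rules.
    resyncInterval: 60s
```

Cloud NAT only translates traffic from nodes that have no external IP address, so check the node pool's external IP setting before relying on the NAT address. Verify from inside a Pod by comparing its observed egress IP against the reserved Cloud NAT address rather than trusting the configuration alone.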