kubernetes-sigs / ip-masq-agent

Manage IP masquerade on nodes
Apache License 2.0

support SNAT to custom IP #56

Closed bjoernrost closed 3 years ago

bjoernrost commented 4 years ago

Hi,

I have a use case around RTP traffic where packets are either received or sent by a k8s pod. Incoming traffic lands on a load-balancer that forwards all ports to a single k8s node. Outbound internet traffic is currently masqueraded. This leads to an asymmetric traffic flow where the in- and outbound IPs are not the same. This is causing issues, as asymmetric traffic is not accepted by some SIP trunk providers.

A more general problem statement would be that someone needs a static IP address for outbound traffic from k8s workloads, maybe because they need to set firewalls or whitelists on the other end.

Since we already have an LB that forwards all traffic to the node, a simple fix is to replace the iptables MASQUERADE nat rule with an SNAT rule to the load-balancer's IP. That way, all egress traffic uses the load-balancer's IP as the source, and because of the load-balancer, return traffic is still routed to the correct place. This is trivial in the case of a backend with a single node, but a similar pattern can also be used with multiple nodes and multiple LBs.

I wrote and tested a small patch that adds a new optional parameter that can be set to an SNAT IP address.

Curious to hear what others are thinking about this approach and if there is interest in including this in the agent.
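The rule change described in this issue, written out as an added Go example (not the agent's code and not the author's patch): it builds the ordered nat-chain rules the agent would install, one `-d <cidr> -j RETURN` per non-masquerade CIDR followed by a catch-all target, and swaps that catch-all from `MASQUERADE` to `SNAT --to-source <ip>` when a source address is configured. The `IP-MASQ-AGENT` chain name and the RETURN-then-catch-all layout follow the agent's documented approach; the `SNATSourceIP` field is an assumed knob modelled on this proposal, not an option the agent ships, and `203.0.113.10` is a constructed documentation-range address standing in for the load-balancer IP.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// ChainName is the nat-table chain the agent installs its rules into.
const ChainName = "IP-MASQ-AGENT"

// MasqConfig is a reduced stand-in for the agent's config: the CIDRs that
// must never be rewritten, plus the optional SNAT source address proposed in
// this issue (hypothetical field, not an option the agent ships).
type MasqConfig struct {
	NonMasqueradeCIDRs []string
	SNATSourceIP       string // empty means keep the default MASQUERADE target
}

// PostroutingRules builds the ordered rule argument lists for ChainName:
// one "-d <cidr> -j RETURN" per non-masquerade CIDR, then the final catch-all
// target, which is MASQUERADE by default or "SNAT --to-source <ip>" when a
// source IP is configured. Inputs are validated so a bad value is rejected
// before anything reaches iptables.
func PostroutingRules(cfg MasqConfig) ([][]string, error) {
	var rules [][]string
	for _, cidr := range cfg.NonMasqueradeCIDRs {
		if _, _, err := net.ParseCIDR(cidr); err != nil {
			return nil, fmt.Errorf("non-masquerade CIDR %q: %w", cidr, err)
		}
		rules = append(rules, []string{"-d", cidr, "-j", "RETURN"})
	}
	if cfg.SNATSourceIP == "" {
		return append(rules, []string{"-j", "MASQUERADE"}), nil
	}
	ip := net.ParseIP(cfg.SNATSourceIP)
	if ip == nil {
		return nil, fmt.Errorf("snat source %q is not an IP address", cfg.SNATSourceIP)
	}
	// Loopback, unspecified, multicast and link-local addresses can never be a
	// usable egress source; reject them rather than installing a rule that
	// silently blackholes every outbound connection from the node.
	if !ip.IsGlobalUnicast() {
		return nil, fmt.Errorf("snat source %q is not a unicast address", cfg.SNATSourceIP)
	}
	return append(rules, []string{"-j", "SNAT", "--to-source", ip.String()}), nil
}

// Render shows one rule as the iptables command that would install it.
func Render(rule []string) string {
	return "iptables -w -t nat -A " + ChainName + " " + strings.Join(rule, " ")
}

func main() {
	// Constructed sample: RFC 1918 ranges stay untouched, everything else is
	// rewritten to the (constructed) load-balancer address 203.0.113.10.
	cfg := MasqConfig{
		NonMasqueradeCIDRs: []string{"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"},
		SNATSourceIP:       "203.0.113.10",
	}
	rules, err := PostroutingRules(cfg)
	if err != nil {
		fmt.Println("config rejected:", err)
		return
	}
	for _, r := range rules {
		fmt.Println(Render(r))
	}
}
```

Two operational points the code cannot check for you. First, SNAT to a fixed address only works if that address is actually routed back to the node, which in this issue the load-balancer guarantees; with no such return path, every connection leaving the node is blackholed, so verify reachability before rolling the rule out. Second, the two targets differ in behaviour, not just in source address: MASQUERADE picks the outgoing interface's current address per connection and drops its conntrack entries when that interface goes down, whereas SNAT keeps using the configured address regardless, so the entries survive interface flaps. After applying the change, `iptables -t nat -S IP-MASQ-AGENT` should show the RETURN rules first and the SNAT rule as the last entry in the chain.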

ganeshr2 commented 4 years ago

We had similar requirements when setting up a blockchain fabric network. Thumbs up!

bjoernrost commented 3 years ago

Came across this solution guide detailing one of the issues with MASQ that requires outbound traffic to SNAT to a load-balancer IP.

fejta-bot commented 3 years ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale

bowei commented 3 years ago

/remove-lifecycle stale

fejta-bot commented 3 years ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale

fejta-bot commented 3 years ago

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten

fejta-bot commented 3 years ago

Rotten issues close after 30d of inactivity. Reopen the issue with /reopen. Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-contributor-experience at kubernetes/community. /close

k8s-ci-robot commented 3 years ago

@fejta-bot: Closing this issue.

In response to [this](https://github.com/kubernetes-sigs/ip-masq-agent/issues/56#issuecomment-876808160):

> Rotten issues close after 30d of inactivity. Reopen the issue with `/reopen`. Mark the issue as fresh with `/remove-lifecycle rotten`.
>
> Send feedback to sig-contributor-experience at [kubernetes/community](https://github.com/kubernetes/community).
> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.