Configure ip-masquarade-agent for new node pools

gcmarvel · September 27, 2024, 8:04am

Hey to everyone!

I have a public GKE cluster and I’m trying configure fixed outbound IP for nodes.

I reserved static IP address and configured Cloud NAT and Cloud Router to this IP on default network and all subnets.

Then I applied ip-masquarade-agent to the cluster

config

nonMasqueradeCIDRs:
  - 0.0.0.0/0
masqLinkLocal: true
resyncInterval: 10s

ip-masq-agent.yaml

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: ip-masq-agent
  namespace: kube-system
spec:
  selector:
    matchLabels:
      k8s-app: ip-masq-agent
  template:
    metadata:
      labels:
        k8s-app: ip-masq-agent
    spec:
      hostNetwork: true
      containers:
      - name: ip-masq-agent
        image: gcr.io/google-containers/ip-masq-agent-amd64:v2.5.0
        args:
            - --masq-chain=IP-MASQ
            # To non-masquerade reserved IP ranges by default, uncomment the line below.
            # - --nomasq-all-reserved-ranges
        securityContext:
          privileged: true
        volumeMounts:
          - name: config
            mountPath: /etc/config
      volumes:
        - name: config
          configMap:
            # Note this ConfigMap must be created in the same namespace as the
            # daemon pods - this spec uses kube-system
            name: ip-masq-agent
            optional: true
            items:
              # The daemon looks for its config in a YAML file at /etc/config/ip-masq-agent
              - key: config
                path: ip-masq-agent
      tolerations:
      - effect: NoSchedule
        operator: Exists
      - effect: NoExecute
        operator: Exists
      - key: "CriticalAddonsOnly"
        operator: "Exists"

Outbound requests from nodes from default-pool are sent from static IP, masquerading working as expected, but if I create new node pool, requests from its nodes are sent from node external id. Why masquerading not working for new node pools, what can be the problem?

almirajean · October 2, 2024, 8:37pm

Hi @gcmarvel ,

Welcome to Google Cloud Community!

May I know what is the static IP address you have reserved? And also, can you share the details on how you test the masquerading and the output of both the default node pool and the new node pool during testing?

On the other hand here are the possible things to check and consider :

Check if masquerading is configured correctly in your new node pools. Since your default-pool is functioning as expected, the issue might be with how the masquerading is applied to the new node pool. Run the command below to verify:

kubectl get pods -n kube-system -o wide | grep ip-masq-agent

If there are no pods running for the new node pool, it might not be configured to use the same ip-masq-agent. For more reference you may refer to this Configuring an IP masquerade agent documentation.

I hope the above information is helpful!

Topic		Replies	Views
NAT Pod IP to Node IP on GKE GCP or alternative solutions? Serverless Applications gke	1	27	April 23, 2023
create a new nodepool with a dedicated cloud nat Serverless Applications gke	2	23	December 27, 2023
Connecting to external IP from GKE pod Serverless Applications gke	5	28	February 3, 2023

Configure ip-masquarade-agent for new node pools

AI Suggested topics