OpenShift (the kubernetes++ platform from Red Hat) has an outgoing egress NAT proxy that works for some people.
https://docs.openshift.com/container-platform/3.5/admin_guide/managing_networking.html#admin-guide-limit-pod-access-egress-router describes what we built. It works on any cloud or on bare metal, but requires 3 difficult things.

1. OpenShift (not just straight kube, so that rules out GKE)
2. the admin to set up a bunch of networking stuff outside of kube/openshift (also might rule out GKE)
3. to need its use to be very limited. (very few sources and sinks)

#1 and #2 you might be able to overcome with some custom hacking on GCE.

We definitely have learned a bunch of lessons with this flawed implementation. We know many people want 'per namespace' reliable source addresses. Doing per namespace per dest/port is too limiting. We know people want https to work. I'm sure there are many other things we can point out we didn't do particularly well once/if kube decides to tackle this problem.

I think we have more valuable areas to attack right now in kube but if others in the community start working towards a more generic set of egress controls we can certainly find all sorts of new mistakes to make together!

-Eric

On Mon, May 8, 2017 at 5:39 PM, 'Tim Hockin' via Kubernetes user discussion and Q&A <kubernetes-users@googlegroups.com> wrote:
> GKE / Google Cloud in this regard. I can't say for sure what other
> clouds offer.
>
> It should be possible to run an HTTP Proxy or other app-specific
> proxy, which can get you a long way towards this.
>
> On Mon, May 8, 2017 at 12:14 PM, <hwin...@gmail.com> wrote:
> > On Friday, 13 January 2017 02:25:20 UTC+1, Tim Hockin wrote:
> >
> >> Unfortunately that is the only real answer today, as far as I know.
> >> We do not have an egress NAT.
> >
> > Hi Tim, do you speak for GKE or for kubernetes in general?
> >
> > --
> > You received this message because you are subscribed to the Google Groups "Kubernetes user discussion and Q&A" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-users+unsubscr...@googlegroups.com.
> > To post to this group, send email to kubernetes-users@googlegroups.com.
> > Visit this group at https://groups.google.com/group/kubernetes-users.
> > For more options, visit https://groups.google.com/d/optout.