Replies: 2 comments 1 reply
-
If this were GCP or AWS, setting up a NAT gateway would be straightforward. However, with plain Kubernetes in Hetzner, things could get pretty complicated in my opinion. You might consider deploying a NAT gateway pod within the cluster or using a sidecar proxy like Envoy or Squid to manage outbound traffic through a single floating IP. But it's not an easy setup, and since I haven't tried it myself, I can't provide much confidence. In my view, it's probably better to go with an external solution, as that would be simpler to manage. But I must admit I don't have experience with this particular need, so I'm not sure what the exact steps would be.
-
Just to be sure: what do you mean by "external solution"?
-
Following up on the discussion in issue #67 I'd like to bring up the topic again (but as a discussion, not really an issue).
Having a static IP for egress connections is important in many scenarios.
For example, I'd like to access an Amazon RDS database in my hetzner-k3s cluster. Currently, I'd need to implement site-to-site VPN to AWS (not trivial per se) or open up the database port to the whole Internet (obviously not a good idea) since I can't tell what public IP address my nodes will use to connect to RDS.
A simple solution, from the security perspective, would be to have a single static IP address and configure RDS to only allow connections from that IP address.
Suggested solutions so far have been to use a dedicated (Hetzner) VM outside the cluster that acts as a gateway and uses a Hetzner floating IP address. While this would work, it defeats the purpose of a HA cluster. Once that VM goes down or has problems, all connections are gone, possibly making the whole cluster unusable.
So, I'm thinking of a solution where a simple pod inside the cluster is responsible for making a Hetzner floating IP play nice with the hetzner-k3s cluster:
That way, in my optimistic idea, any pod within the cluster just needs to connect to that pod (service) to ultimately reach the RDS database.
I'm lacking low-level knowledge of how Kubernetes works, so unfortunately my solution ends here, but maybe someone can help me out?
My main questions are:
sudo ip addr add 203.0.113.1 dev eth0
I fear this involves messing with iptables. I hope someone can come up with something more robust.
There is a hcloud-ip-floater project that seems promising, but it says it needs MetalLB and as discussed with @vitobotta that is a problem as it cannot easily coexist with the Hetzner load balancer. Also, I'm not sure if that project helps with egress traffic.
Any ideas welcome!
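The post above ends at "I fear this involves messing with iptables", and the earlier reply suggests a NAT gateway through a single floating IP. As an added example (not code from the discussion or from the hetzner-k3s project), the script below spells out what that iptables part actually looks like on a Linux gateway host that owns the floating IP: it binds the floating IP, SNATs only the traffic bound for the RDS endpoint to that IP, adds the matching route on the other cluster nodes, and renders the AWS security-group rule that allows the floating IP /32 and nothing else. The floating IP 203.0.113.1 and interface eth0 come from the post; the RDS address 198.51.100.25, the security-group ID, the gateway's private IP 10.0.0.2 and the 10.0.0.0/16 private network CIDR are constructed placeholders. The script defaults to DRY_RUN=1 and only prints the commands; set DRY_RUN=0 on a real host to execute them.

```shell
#!/bin/sh
# Egress gateway sketch for a Hetzner floating IP (added example, not project code).
# Values below are assumptions/placeholders except the floating IP and eth0 from the post.
FLOATING_IP="${FLOATING_IP:-203.0.113.1}"        # Hetzner floating IP (from the post)
EGRESS_IFACE="${EGRESS_IFACE:-eth0}"             # public interface on the gateway (from the post)
RDS_HOST="${RDS_HOST:-198.51.100.25}"            # constructed RDS endpoint address
RDS_PORT="${RDS_PORT:-5432}"                     # assumed PostgreSQL port
RDS_SG="${RDS_SG:-sg-0123456789abcdef0}"         # constructed security-group ID
GATEWAY_PRIVATE_IP="${GATEWAY_PRIVATE_IP:-10.0.0.2}"  # assumed gateway IP on the private network
# Caveat: if the CNI masquerades pod traffic with the node IP before it leaves
# the node (flannel does for non-pod-CIDR destinations), the gateway sees the
# node's private IP as source, so match the private network, not the pod CIDR.
SRC_CIDR="${SRC_CIDR:-10.0.0.0/16}"              # assumed Hetzner private network CIDR
DRY_RUN="${DRY_RUN:-1}"                          # 1 = print commands, 0 = execute them

# Print the command in dry-run mode, otherwise run it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Commands for the gateway host: bind the floating IP, forward, and SNAT only the
# whitelisted flow so no other traffic silently acquires the static IP.
gateway_rules() {
  run ip addr add "$FLOATING_IP/32" dev "$EGRESS_IFACE"
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -t nat -A POSTROUTING -s "$SRC_CIDR" -d "$RDS_HOST" \
      -p tcp --dport "$RDS_PORT" -o "$EGRESS_IFACE" -j SNAT --to-source "$FLOATING_IP"
  run iptables -A FORWARD -s "$SRC_CIDR" -d "$RDS_HOST" -p tcp --dport "$RDS_PORT" -j ACCEPT
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # A default FORWARD DROP policy is only safe on a dedicated gateway host;
  # on a k3s node it would break the CNI, so it is deliberately not set here.
}

# Command for every other cluster node: send RDS-bound packets to the gateway
# over the private network instead of out of the node's own public IP.
node_route() {
  run ip route add "$RDS_HOST/32" via "$GATEWAY_PRIVATE_IP"
}

# The AWS side: allow exactly the floating IP /32 on the database port.
rds_allow_rule() {
  run aws ec2 authorize-security-group-ingress --group-id "$RDS_SG" \
      --protocol tcp --port "$RDS_PORT" --cidr "$FLOATING_IP/32"
}

# Stand-alone run: show (or apply) all three parts in order.
gateway_rules
node_route
rds_allow_rule
```

The single point of failure the post worries about is unchanged by this: whichever host holds the floating IP is the egress path, and moving the IP to another node on failure (via the Hetzner API) is what a controller like hcloud-ip-floater would have to do for the egress case.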