GCP - GKE standalone, how to masquerade 10.0.0.0/8 CIDR
Question
We are using GKE for Kubernetes, and we use the 10.0.0.0/8 CIDR range for all our private IPs, which is shared with our on-prem and AWS networks as well.
Our pod and service IPs in the K8s cluster come from the non-RFC range 240.0.120.0/24. Now this is the issue: when we try to connect to any GCP or AWS resource it is not able to connect and needs masquerading.
However, the masquerading documentation says it won't masquerade if the destination IP is in CIDR 10.0.0.0/8.
**Links I am referring to:**
- https://github.com/kubernetes-sigs/ip-masq-agent#agent-flags
- https://cloud.google.com/kubernetes-engine/docs/concepts/ip-masquerade-agent
- https://cloud.google.com/kubernetes-engine/docs/concepts/ip-masquerade-agent#default-non-masq-dests
I am confused about what to do; there is no section in the ConfigMap to add masqueradeCIDRs, it only has a section to add nonMasqueradeCIDRs.
Answer 1
Score: 2
The ConfigMap for ip-masq lists the CIDRs for which you do not want to masquerade. If you don't specify a ConfigMap, then the default includes 10.0.0.0/8 in the non-masquerade list.
You'll need to follow the docs on creating the ConfigMap, and you'll need to minimally add the ranges you use for your pods/services (the 240.) to the non-masquerade list. You want to make sure the 10.0.0.0/8 is NOT in the ConfigMap.
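The decision the answer above describes is simple to model, so here is an added example (not code from the original answer or from the ip-masq-agent project) that applies the agent's rule, "SNAT unless the destination is in `nonMasqueradeCIDRs` (or link-local, unless `masqLinkLocal` is set)", to the asker's layout. The `PROPOSED_CONFIG` text is a constructed example of what would go into `data.config` of the ip-masq-agent ConfigMap (JSON is valid YAML, so the agent reads it unchanged); the only non-masquerade entry is the pod/service range 240.0.120.0/24, and 10.0.0.0/8 is deliberately absent. The default list used for comparison is the upstream agent's RFC 1918 default; GKE's own default list, which also contains 10.0.0.0/8, is in the linked GKE document.

```python
"""Model of the ip-masq-agent SNAT decision, used to check a proposed ConfigMap."""
import ipaddress
import json

# Upstream ip-masq-agent defaults when no ConfigMap is present (RFC 1918).
AGENT_DEFAULT_NON_MASQ = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Constructed example of the text for data.config in the ip-masq-agent
# ConfigMap (assumed layout for this cluster; JSON is valid YAML).
# 10.0.0.0/8 is deliberately NOT listed, so traffic to it gets SNATed.
PROPOSED_CONFIG = """
{
  "nonMasqueradeCIDRs": ["240.0.120.0/24"],
  "masqLinkLocal": false,
  "resyncInterval": "60s"
}
"""


def parse_config(text):
    """Return (non-masquerade networks, masqLinkLocal) from a config document."""
    cfg = json.loads(text)
    cidrs = cfg.get("nonMasqueradeCIDRs", AGENT_DEFAULT_NON_MASQ)
    # strict=True rejects host bits set in a CIDR, which the agent would refuse.
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return nets, bool(cfg.get("masqLinkLocal", False))


def is_masqueraded(dst, non_masq, masq_link_local=False):
    """True if a pod packet to dst leaves the node with the node's IP (SNAT)."""
    ip = ipaddress.ip_address(dst)
    if not masq_link_local and ip in LINK_LOCAL:
        return False  # e.g. the metadata server keeps seeing the pod IP
    return not any(ip in net for net in non_masq)


def config_problems(non_masq, cluster_ranges, shared_ranges):
    """Explain why a non-masquerade list would not work for this layout.

    cluster_ranges: pod/service CIDRs that must NOT be masqueraded.
    shared_ranges:  CIDRs reachable only via on-prem/AWS that MUST be masqueraded.
    """
    problems = []
    for r in cluster_ranges:
        net = ipaddress.ip_network(r)
        if not any(net.subnet_of(n) for n in non_masq):
            problems.append(f"{r} would be masqueraded (pod-to-pod traffic gets SNATed)")
    for r in shared_ranges:
        net = ipaddress.ip_network(r)
        if any(net.overlaps(n) for n in non_masq):
            problems.append(f"{r} is in the non-masquerade list (packets leave with a 240.x source)")
    return problems


def check_proposed():
    """Evaluate the default list and the proposed config for this cluster."""
    defaults = [ipaddress.ip_network(c) for c in AGENT_DEFAULT_NON_MASQ]
    proposed, link_local = parse_config(PROPOSED_CONFIG)
    cluster, shared = ["240.0.120.0/24"], ["10.0.0.0/8"]
    return {
        "default_problems": config_problems(defaults, cluster, shared),
        "proposed_problems": config_problems(proposed, cluster, shared),
        "proposed_masq_10": is_masqueraded("10.20.30.40", proposed, link_local),
        "proposed_masq_pod": is_masqueraded("240.0.120.5", proposed, link_local),
    }


if __name__ == "__main__":
    for k, v in check_proposed().items():
        print(k, v)
```

One consequence worth checking before applying such a ConfigMap: once 10.0.0.0/8 is masqueraded, on-prem and AWS endpoints see the GKE node's IP as the source, so routes and firewall rules on that side must admit the node range rather than the pod range.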
Answer 2
Score: 1
You can try enabling IP masquerade. First, identify the network where your GKE cluster is running. Then identify the subnet associated with your GKE cluster within that network. Enable IP masquerading on the subnet using the command below. Make sure to replace [SUBNET_NAME] with the name of your GKE cluster's subnet.
Comments