Given a pool of Elastic IPs, provision them to Ingress Controllers #71

Closed
zapman449 opened this issue Jul 6, 2016 · 5 comments

@zapman449

Basic use case: Some customers require whitelisting IP Addresses in order to access a service. This precludes the ability to leverage ELBs or similar.

Suggested implementation: Admin provides a pre-existing list of EIP Allocations. The controller should then label the nodes which receive these EIPs and then associate the EIPs with those nodes.

Then the admins/developers can target jobs at those labels.

Ideally, several pools of EIPs should be possible, with a unique label per EIP Pool.

@justinsb justinsb modified the milestone: 1.3.2 Aug 15, 2016
@justinsb justinsb modified the milestones: 1.4.5, 1.5.0, 1.5.1 Dec 28, 2016
@vicenteampliffy

vicenteampliffy commented Jan 5, 2017

I've temporarily solved this problem with a Kubernetes deployment which should be assigned just to the node to which you wish to allocate the EIP:

Change the eipalloc-YOURID to your eipalloc (obtain it from the AWS console),
and create a config and secret to store your AWS credentials.

```yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: eip-assign
spec:
  replicas: 1
  template:
    metadata:
      name: eip-assign
      labels:
        service: eip-assign
    spec:
      containers:
      - name: eip-assign
        image: mesosphere/aws-cli:latest
        # Every 300 s: read this node's instance ID from the EC2 metadata
        # service, then associate the EIP allocation with that instance.
        args:
        - /bin/sh
        - -c
        - "while true; do INSTANCEID=`echo -e 'GET /latest/meta-data/instance-id HTTP/1.1\r\nUser-Agent: curl/7.38.0\r\nHost: 169.254.169.254\r\nAccept: */*\r\n\r\n' | nc 169.254.169.254 80 | tail -1`; aws ec2 associate-address --instance-id $INSTANCEID --allocation-id eipalloc-YOURID; sleep 300; done"
        # AWS CLI config and credentials are mounted as single files.
        volumeMounts:
        - name: aws-config
          mountPath: /root/.aws/config
          subPath: config
        - name: aws-credentials
          mountPath: /root/.aws/credentials
          subPath: credentials
      volumes:
      - name: aws-config
        configMap:
          name: eip-config
          items:
          - key: eip-aws-config.conf
            path: config
      - name: aws-credentials
        secret:
          secretName: eip-credentials
          items:
          - key: eip-aws-credentials.conf
            path: credentials
      restartPolicy: Always
```
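
The pool-to-node assignment suggested in the opening post, generalizing the single hard-coded `eipalloc-YOURID` of the workaround above to several labelled pools. This is an added example, not code from the thread or the project; the `eip-pool` label key, the `plan` function and every ID in the sample data are assumptions.

```python
LABEL_KEY = "eip-pool"  # hypothetical node label key; the issue does not name one


def plan(pools, addresses, nodes):
    """Decide which EIPs to associate and which nodes to label.

    pools:     {pool_label: [allocation_id, ...]} as supplied by the admin
    addresses: entries shaped like `aws ec2 describe-addresses` output
    nodes:     {node_name: instance_id} for nodes currently in the cluster
    Returns (associate, labels, skipped): associate-address calls still
    needed, desired LABEL_KEY value per node, and allocations left alone.
    """
    node_of = {iid: name for name, iid in nodes.items()}
    holder = {a["AllocationId"]: a.get("InstanceId") for a in addresses}
    associate, labels, skipped, free = [], {}, [], []

    # Pass 1: classify every pooled allocation by who holds it right now.
    for pool, alloc_ids in pools.items():
        for alloc in alloc_ids:
            if alloc not in holder:
                raise ValueError(f"{alloc} not found in describe-addresses")
            owner = holder[alloc]
            if not owner:
                free.append((pool, alloc))
            elif node_of.get(owner) and node_of[owner] not in labels:
                labels[node_of[owner]] = pool  # already in place: keep it
            else:
                # Held outside the cluster, or a second EIP on one node:
                # report it instead of silently moving the address.
                skipped.append(alloc)

    # Pass 2: hand free EIPs to nodes that have none, in a stable order.
    idle = [n for n in sorted(nodes) if n not in labels]
    for (pool, alloc), node in zip(free, idle):
        associate.append((alloc, nodes[node]))
        labels[node] = pool
    return associate, labels, skipped


# Constructed sample data; all IDs are made up for this example.
POOLS = {"partner-a": ["eipalloc-aaa1", "eipalloc-aaa2"],
         "partner-b": ["eipalloc-bbb1"]}
ADDRESSES = [{"AllocationId": "eipalloc-aaa1", "InstanceId": "i-0001"},
             {"AllocationId": "eipalloc-aaa2"},
             {"AllocationId": "eipalloc-bbb1", "InstanceId": "i-9999"}]
NODES = {"node-1": "i-0001", "node-2": "i-0002", "node-3": "i-0003"}

if __name__ == "__main__":
    print(plan(POOLS, ADDRESSES, NODES))
```

Because addresses already on a cluster node are kept, running the plan again after the associations are made yields no further calls.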

@aledbf
Member

aledbf commented Jan 5, 2017

@zapman449 did you check the whitelist example in the nginx ingress controller? It allows you to set the IP or network ranges per Ingress.

@blakebarnett

This looks like it's addressed with the ingress controller whitelisting. Please re-open if needed.

@muenchdo

I don't think this is addressed by ingress controller whitelisting. If I understand correctly, @zapman449 wants to associate nodes with EIPs, so customers can whitelist those IPs in their outgoing firewalls to allow a connection to the cluster.

@zapman449
Author

In AWS, the more appropriate solution is to bring the nodes' ASG into one or more target groups, and then front the target group with an NLB.

With the above, I believe this issue is moot.
