Given a pool of Elastic IPs, provision them to Ingress Controllers

[zapman449]

Basic use case: Some customers require whitelisting IP Addresses in order to access a service. This precludes the ability to leverage ELBs or similar.

Suggested implementation: Admin provides a pre-existing list of EIP Allocations, The controller should then label the nodes which receive these EIPs and then associate the EIPs with those nodes.

Then the admins/developers can target jobs at those labels.

Ideally, several pools of EIPs should be possible, with a unique label per EIP Pool.

[vicenteampliffy]

I've solved temporarily this problem with a kubernetes deployment which should be assigned just to the node you wish to allocate the EIP:

Change the eipalloc-YOURID to the eipalloc (obtain it from the AWS console)
And create a config and secret to store your AWS credentials

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: eip-assign
spec:
  replicas: 1
  template:
        metadata:
          name: eip-assign
          labels:
             service: eip-assign
        spec:
          containers:
          - name: eip-assign
            image: mesosphere/aws-cli:latest
            args:
            - /bin/sh
            - -c
            - "while true; do INSTANCEID=`echo -e 'GET /latest/meta-data/instance-id HTTP/1.1\r\nUser-Agent: curl/7.38.0\r\nHost: 169.254.169.254\r\nAccept: */*\r\n\r\n' | nc 169.254.169.254 80 | tail -1`; aws ec2 associate-address --instance-id $INSTANCEID --allocation-id eipalloc-YOURID; sleep 300; done"
            volumeMounts:
            - name: aws-config
              mountPath: /root/.aws/config
              subPath: config
            - name: aws-credentials
              mountPath: /root/.aws/credentials
              subPath: credentials
          volumes:
          - name: aws-config
            configMap:
              name: eip-config
              items:
              - key: eip-aws-config.conf
                path: config
          - name: aws-credentials
            secret:
              secretName: eip-credentials
              items:
              - key: eip-aws-credentials.conf
                path: credentials
          restartPolicy: Always

[aledbf]

@zapman449 did you check the whitelist example in the nginx ingress controller. It allows you to set the IP or network ranges per Ingress

[blakebarnett]

This looks like it's addressed with the ingress controller whitelisting, please re-open if needed

[muenchdo]

I don't think this is addressed by ingress controller whitelisting. If I understand correctly, @zapman449 wants to associate nodes with EIPs, so customers can whitelist those IPs in their outgoing firewalls to allow a connection to the cluster.

[zapman449]

In AWS the more appropriate solution is to bring the nodes ASG into one or more target groups, and then front the target group with an NLB.

With the above, I believe this issue is moot.