I'm facing a networking challenge in our Kubernetes setup and could use some help. We have a specific requirement for a group of our pods regarding egress traffic. We need to ensure that when these pods send outbound traffic, they maintain the original source port—so no SNAT port rewriting. Additionally, we want all of these pods to use a consistent egress IP address, no matter which nodes they're running on. We've been exploring the Cilium Egress Gateway, but we're struggling to guarantee a static egress IP across multiple nodes, and it seems to change the source port, which we need to preserve. If anyone has experience with this type of setup or knows of any strategies or examples to achieve both a static egress IP and preserved source ports, your advice would be greatly appreciated!
3 Answers
You might want to take a look at netgraph for this. It can help with network management in Kubernetes, particularly if you are looking for a more complex solution. Not sure about the details of your infrastructure though, so it could be worth exploring further!
If you're looking for a solution, you might want to check out Istio's Egress Gateway. It seems to fit your needs perfectly by keeping the original source IP intact while serving outbound traffic. Their documentation has some solid examples to get you started!
I think the reason you're needing this is due to a legacy external system your workloads need to connect to, right? It sounds like that system demands the original source IP and port from the client, making things tricky. Have you considered setting up a proxy server? That could handle the original values before the traffic reaches the external service.
Yes, exactly! We're stuck with their validation rules, so it must match the original source IP and port. A proxy might be a workaround, but I'd love to know if there’s a way to do this directly in Kubernetes.

Thanks for the suggestion! I've heard of Istio but also saw that Cilium has its own form of an Egress Gateway. Have you had a chance to compare the two?
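For the Cilium side of that comparison, here is an added example (not from any poster on this thread) of a CiliumEgressGatewayPolicy that sends traffic from a labelled set of pods out through one gateway node with a fixed source IP, whichever node the pods run on. The pod label, namespace, node label, destination range and egress IP are all placeholders.

```yaml
apiVersion: cilium.io/v2
kind: CiliumEgressGatewayPolicy
metadata:
  name: legacy-client-egress            # hypothetical policy name
spec:
  # Pods that must leave the cluster with the fixed source IP.
  selectors:
    - podSelector:
        matchLabels:
          app: legacy-client                      # hypothetical pod label
          io.kubernetes.pod.namespace: workloads  # hypothetical namespace
  # Only traffic to the legacy system is steered through the gateway;
  # all other egress keeps the normal per-node masquerading path.
  destinationCIDRs:
    - 192.0.2.0/24                      # placeholder: legacy system's range
  egressGateway:
    # The node carrying this label acts as the gateway. The egress IP must
    # already be configured on a network device of that node.
    nodeSelector:
      matchLabels:
        egress-gateway: "true"          # hypothetical node label
    egressIP: 203.0.113.10              # placeholder static egress IP
```

This covers the static-IP half of the requirement only: the gateway node SNATs every selected connection to the egress IP, so with one shared IP two pods using the same source port to the same destination cannot both keep it, and Cilium does not guarantee source-port preservation, which matches what the question observed. If the legacy system validates the port as well as the IP, that part of the requirement is not something an egress gateway alone can promise.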