I have an application running inside a Kubernetes cluster where I am making an API call to an endpoint, let's say www.example.com/api,
which another team maintains, but the request is timing out.
I discovered that the IPs need to be whitelisted in order to make a successful request to that endpoint, and we whitelisted the cluster IP.
Also, at this point, we did not whitelist the node IPs that I got by running
kubectl get nodes -o wide
Any pointers will be very helpful.
CodePudding user response:
If you whitelisted the Control plane IP, it's useless: it's not the control plane that performs the API call, but your code running in the Pods.
And the pods run on your nodes. The problem is: if your cluster can automatically scale the number of nodes, you don't know in advance the IPs that you will have.
(It's also for that reason that Google says not to trust the network (the IP) but the identity (the authentication that you can provide with your API call).)
Anyway, one recommended and secure way to secure and solve your issue is to create a cluster with private nodes (no public IPs) and to add a Cloud NAT to NAT the external calls into a static (and owned) public IP(s).
Because it's YOUR IP(s) you can trust and allow them (no reuse possible by another Google Cloud customer because it reuses an IP from the Google pool that you used before).
You can find a sample here
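The private-nodes-plus-Cloud-NAT layout this answer recommends, written out as an added Terraform example; it is not the answer's linked sample and not code from the question's project. The project id, region, VPC/subnet names, CIDR ranges and machine type are placeholders, and the `google_*` resources and attributes are those of the HashiCorp Google provider.

```hcl
terraform {
  required_providers {
    google = {
      source = "hashicorp/google"
    }
  }
}

variable "project_id" {
  type = string # placeholder: your GCP project
}

variable "region" {
  type    = string
  default = "us-central1" # placeholder region
}

provider "google" {
  project = var.project_id
  region  = var.region
}

# VPC-native subnet: private nodes require alias IP ranges for pods/services.
resource "google_compute_network" "vpc" {
  name                    = "gke-egress-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "nodes" {
  name                     = "gke-nodes"
  region                   = var.region
  network                  = google_compute_network.vpc.id
  ip_cidr_range            = "10.10.0.0/20"
  private_ip_google_access = true # nodes without public IPs still reach Google APIs
  secondary_ip_range {
    range_name    = "pods"
    ip_cidr_range = "10.20.0.0/16"
  }
  secondary_ip_range {
    range_name    = "services"
    ip_cidr_range = "10.30.0.0/20"
  }
}

# The single address the other team allowlists. It is reserved in your project,
# so it cannot be handed to another customer while you hold it.
resource "google_compute_address" "egress" {
  name   = "gke-egress-ip"
  region = var.region
}

resource "google_compute_router" "egress" {
  name    = "gke-egress-router"
  region  = var.region
  network = google_compute_network.vpc.id
}

resource "google_compute_router_nat" "egress" {
  name   = "gke-egress-nat"
  router = google_compute_router.egress.name
  region = var.region

  # The weak setting is AUTO_ONLY: Google picks the address and may change it,
  # so the remote allowlist silently drifts. MANUAL_ONLY pins egress to the
  # reserved IP above.
  nat_ip_allocate_option = "MANUAL_ONLY"
  nat_ips                = [google_compute_address.egress.self_link]

  # Translate node and pod ranges of every subnet in this VPC.
  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"

  # NAT logs are the audit trail for what left the cluster and confirm the
  # source address the remote side actually sees.
  log_config {
    enable = true
    filter = "ALL"
  }
}

resource "google_container_cluster" "private" {
  name       = "egress-pinned"
  location   = var.region
  network    = google_compute_network.vpc.id
  subnetwork = google_compute_subnetwork.nodes.id

  remove_default_node_pool = true
  initial_node_count       = 1

  # Private nodes have no external IP, which is what makes Cloud NAT apply:
  # a node that still owns a public address bypasses the NAT entirely.
  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = false
    master_ipv4_cidr_block  = "172.16.0.0/28"
  }

  ip_allocation_policy {
    cluster_secondary_range_name  = "pods"
    services_secondary_range_name = "services"
  }
}

# Autoscaling is now harmless for the allowlist: every new node egresses
# through the same reserved address.
resource "google_container_node_pool" "workers" {
  name       = "workers"
  cluster    = google_container_cluster.private.name
  location   = var.region
  node_count = 1
  autoscaling {
    min_node_count = 1
    max_node_count = 5
  }
  node_config {
    machine_type = "e2-standard-2" # placeholder
  }
}

output "egress_ip" {
  description = "Hand this address to the team that owns www.example.com/api"
  value       = google_compute_address.egress.address
}
```

Two checks after `terraform apply`: `kubectl get nodes -o wide` should show no EXTERNAL-IP for any node (a node with one is not behind the NAT), and a request from a pod to any service that echoes the caller's source address should return the `egress_ip` output. The allowlist on the remote side complements, rather than replaces, the per-request authentication the answer mentions.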
CodePudding user response:
Is this API an external system running outside the k8s cluster, or a service running in a different namespace?