IP Masquerading And EBPF Are Now In GKE Autopilot

  • aster_cloud
  • July 13, 2022
  • 4 minute read

So you’re deploying Kubernetes and your containerized applications are ready to go. But one problem you’ve run into is IP exhaustion across your diverse environments, and your clusters need to talk to your on-premises clusters or hosts. Or maybe your workloads talk to a service that, for regulatory or compliance reasons, accepts only RFC 1918 addresses.


You can now translate your pod IPs to your node IPs on GKE Autopilot clusters with the latest networking features that are generally available:

  • Our Egress NAT policy with IP masquerading for pod to node IP translation is now GA for GKE Autopilot, and
  • Our advanced programmable datapath based on eBPF, Dataplane V2 (DPv2), with support for Network Policy & Logging is also now GA for GKE Autopilot.

Egress NAT Policy for GKE Autopilot

Egress NAT policy allows you to masquerade your pod IPs to the node IP addresses, enabling pods (typically in a separate network island) to communicate outside the cluster using the IP address of a node as the source IP. Some of our users have used special IPs (non-RFC 1918 addresses) for their pod ranges to expand their IP usage by leveraging Reserved or Class E IP space. Typical reasons for masquerading the pod IPs to those of the nodes include communication back to on-premises workloads for security or compliance reasons, or simply for compatibility. Previously, users were not able to configure IP masquerading because of the managed namespace restrictions in GKE Autopilot. With the Egress NAT policy custom resource definition (CRD), we’ve enabled a user-facing API that lets you configure IP masquerading on GKE Autopilot clusters.

“We use GKE Autopilot because of its reduced operational overhead and potential cost reductions. The addition of IP masquerading via Egress NAT policy expands our use of Autopilot to include accessing on-premises data and systems.” —Joey Brown, Engineering Manager at American Family Insurance.

Our long-term goal is to have the same API and feature set across GKE and Anthos platforms. We have extended Egress NAT policy in Anthos to provide NAT functionality based on K8s resources like namespaces and/or labels. This new Egress NAT policy on GKE Autopilot clusters provides source NAT controls to start. With this launch, we’re taking the initial step in achieving the first milestone on our roadmap.

Cloud Composer 2, a Google managed workflow orchestration service built on Apache Airflow, uses GKE Autopilot under the hood. Cloud Composer 2 users also benefit from the introduction of Egress NAT policies to enable communication to various environments.

“We are a big Cloud Composer user as part of our GCP journey. We have dealt with IP shortages by using non-RFC 1918 address space for our GKE clusters. With Egress NAT policy, we can now use IP masquerading with Cloud Composer 2. Workloads using non-RFC 1918 addressing with Cloud Composer 2 are now able to make API calls to our wider Equifax applications. We are excited about using Egress NAT policies with Cloud Composer 2 to enable more of our applications on GCP.” – Siddharth Shekhar, Site Reliability Engineer – Specialist at Equifax.

Egress NAT policy is now generally available on GKE Autopilot clusters with DPv2 in versions 1.22.7-gke.1500+ or 1.23.4-gke.1600+. For configuration examples of Egress NAT policy, please refer to our how-to guide in the GKE documentation.
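The following is an added example, not code from the original post or from Google: a small Python model of what a destination sees once an Egress NAT policy is in place, plus a check for the compliance scenario described above (a destination that accepts only RFC 1918 sources). The policy object is shaped like the EgressNATPolicy CRD with `action: NoSNAT` and a list of destination CIDRs; the field names and the "listed destinations keep the pod IP, everything else is masqueraded to the node IP" semantics are assumptions modelled on GKE's non-masquerade lists and should be checked against the how-to guide. All addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy object, shaped like the EgressNATPolicy CRD (field names
# are an assumption; verify against the GKE how-to guide). Semantics modelled
# here: destinations under a NoSNAT action keep the pod IP as source, every
# other destination sees the node IP.
NO_SNAT_POLICY = {
    "apiVersion": "networking.gke.io/v1",
    "kind": "EgressNATPolicy",
    "metadata": {"name": "default"},
    "spec": {
        "action": "NoSNAT",
        "destinations": [
            {"cidr": "10.67.0.0/16"},   # constructed: the cluster's own pod range
            {"cidr": "10.128.0.0/20"},  # constructed: the VPC subnet of the nodes
        ],
    },
}

RFC1918 = [ipaddress.ip_network(c)
           for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Pod:
    name: str
    pod_ip: str   # may be non-RFC 1918, e.g. Class E space (240.0.0.0/4)
    node_ip: str  # the node's VPC address


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def no_snat_networks(policy: dict) -> list:
    """CIDRs whose traffic is left untranslated under this policy."""
    spec = policy["spec"]
    if spec.get("action") != "NoSNAT":
        raise ValueError(f"unsupported action {spec.get('action')!r}")
    return [ipaddress.ip_network(d["cidr"]) for d in spec.get("destinations", [])]


def egress_source_ip(pod: Pod, dest_ip: str, policy: dict) -> str:
    """Source address the destination sees for a packet from this pod."""
    dest = ipaddress.ip_address(dest_ip)
    if any(dest in net for net in no_snat_networks(policy)):
        return pod.pod_ip   # inside the cluster/VPC: no translation
    return pod.node_ip      # leaving: masqueraded to the node IP


def rfc1918_violations(pods, strict_destinations, policy) -> list:
    """(pod name, destination) pairs where a destination that accepts only
    RFC 1918 sources would see a non-RFC 1918 address under this policy."""
    bad = []
    for pod in pods:
        for dest in strict_destinations:
            if not is_rfc1918(egress_source_ip(pod, dest, policy)):
                bad.append((pod.name, dest))
    return bad


if __name__ == "__main__":
    # Constructed: a pod on a Class E range, an on-prem host reached over a
    # private connection, and a peer pod inside the cluster.
    pod = Pod("test-1", "240.10.1.5", "10.128.0.7")
    print(egress_source_ip(pod, "10.67.0.10", NO_SNAT_POLICY))   # pod IP kept
    print(egress_source_ip(pod, "10.200.0.5", NO_SNAT_POLICY))   # node IP
    print(rfc1918_violations([pod], ["10.200.0.5"], NO_SNAT_POLICY))
```

The `rfc1918_violations` check is the part worth keeping around: run it against your real pod ranges and the on-premises destinations before widening a NoSNAT list, since listing an on-prem range there is exactly how a Class E pod address ends up on the wire to a system that only expects RFC 1918.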

GKE Autopilot with Dataplane V2 (DPv2)

Have you been wanting to segregate your cluster workloads and understand when your Network Policies are enforced? GKE Autopilot now uses Dataplane V2 (DPv2) for container networking, a datapath integrated into Google infrastructure based on eBPF. With this advanced dataplane, you, as a GKE Autopilot user, can now take advantage of features like Network Policy and Network Policy Logging.

With DPv2 support, GKE Autopilot clusters can now benefit from the advantages that GKE standard clusters currently have with DPv2:

  • Security via Kubernetes Network Policy
  • Scalability by removing iptables and kube-proxy implementations
  • Operational benefits with Network Policy Logging
  • Consistency with Anthos and GKE environments.

Network Policy Logging lets security teams audit which traffic flows were allowed or denied by the existing Network Policies. It is configured as an object on your GKE cluster, and the resulting logs can be filtered on various parameters. The following is an example of a logged entry retrieved after an access attempt that was denied.

jsonPayload:
  connection:
    dest_ip: 10.67.0.10
    dest_port: 8080
    direction: ingress
    protocol: tcp
    src_ip: 10.67.0.28
    src_port: 46988
  count: 2
  dest:
    namespace: default
    pod_name: hello-web
    pod_namespace: default
  disposition: deny
  node_name: gk3-autopilot-cluster-1-nap-4lime7d7-dba77360-8td5
  src:
    namespace: default
    pod_name: test-1
    pod_namespace: default
logName: projects/PROJECT/logs/policy-action
receiveTimestamp: '2022-04-19T22:07:03.658959451Z'
resource:
  labels:
    cluster_name: autopilot-cluster-1
    location: us-west1
    node_name: gk3-autopilot-cluster-1-nap-4lime7d7-dba77360-8td5
    project_id: PROJECT
  type: k8s_node
timestamp: '2022-04-19T22:06:56.139253838Z'

Network Policy Logs are automatically uploaded to Cloud Logging and can also be retrieved via the Cloud Console Log Explorer. Network Policy metrics are also enabled with Dataplane v2 such that policy event metrics can be monitored even when Network Policy Logging is not enabled.
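As an added example (not part of the original post), here is a small Python script that does the kind of triage a security team would run over these entries: it parses newline-delimited JSON log entries shaped like the one above, sums the `count` field per flow, lists the denied flows by volume, and builds a Cloud Logging filter for the `policy-action` log. The sample entries are constructed for the example; the filter uses the `resource.type`, `resource.labels.cluster_name`, `logName` and `jsonPayload.disposition` fields visible in the entry above.

```python
import json
from collections import Counter

# Constructed jsonPayload objects shaped like the Network Policy log entry
# on this page. Names, addresses and counts are made up for the example.
SAMPLE_PAYLOADS = [
    {"connection": {"dest_ip": "10.67.0.10", "dest_port": 8080, "direction": "ingress",
                    "protocol": "tcp", "src_ip": "10.67.0.28", "src_port": 46988},
     "count": 2, "disposition": "deny",
     "dest": {"namespace": "default", "pod_name": "hello-web", "pod_namespace": "default"},
     "src": {"namespace": "default", "pod_name": "test-1", "pod_namespace": "default"}},
    {"connection": {"dest_ip": "10.67.0.10", "dest_port": 8080, "direction": "ingress",
                    "protocol": "tcp", "src_ip": "10.67.0.31", "src_port": 51022},
     "count": 7, "disposition": "allow",
     "dest": {"namespace": "default", "pod_name": "hello-web", "pod_namespace": "default"},
     "src": {"namespace": "default", "pod_name": "frontend", "pod_namespace": "default"}},
    {"connection": {"dest_ip": "10.67.0.10", "dest_port": 8080, "direction": "ingress",
                    "protocol": "tcp", "src_ip": "10.67.0.40", "src_port": 40211},
     "count": 1, "disposition": "deny",
     "dest": {"namespace": "default", "pod_name": "hello-web", "pod_namespace": "default"},
     "src": {"namespace": "default", "pod_name": "test-2", "pod_namespace": "default"}},
    {"connection": {"dest_ip": "10.67.0.10", "dest_port": 8080, "direction": "ingress",
                    "protocol": "tcp", "src_ip": "10.67.0.28", "src_port": 46990},
     "count": 3, "disposition": "deny",
     "dest": {"namespace": "default", "pod_name": "hello-web", "pod_namespace": "default"},
     "src": {"namespace": "default", "pod_name": "test-1", "pod_namespace": "default"}},
]

# Constructed NDJSON export: one full LogEntry-like object per line.
SAMPLE_LOG = "\n".join(
    json.dumps({"logName": "projects/PROJECT/logs/policy-action", "jsonPayload": p})
    for p in SAMPLE_PAYLOADS
)


def _pod(ref: dict) -> str:
    # Peers outside the cluster may lack pod fields; keep the key stable.
    return f"{ref.get('pod_namespace', '?')}/{ref.get('pod_name', '?')}"


def flow_key(payload: dict) -> tuple:
    c = payload["connection"]
    return (payload["disposition"], _pod(payload["src"]), _pod(payload["dest"]),
            c["protocol"], int(c["dest_port"]))


def parse_ndjson(text: str) -> list:
    """Accepts full LogEntry objects or bare jsonPayload objects, one per line."""
    payloads = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        payloads.append(entry.get("jsonPayload", entry))
    return payloads


def summarize(payloads: list) -> Counter:
    """Total connection count per (disposition, src, dest, protocol, port)."""
    totals = Counter()
    for p in payloads:
        totals[flow_key(p)] += int(p.get("count", 1))
    return totals


def denied_flows(payloads: list) -> list:
    """Denied flows as ((src, dest, protocol, port), total), busiest first."""
    denied = [(key[1:], n) for key, n in summarize(payloads).items() if key[0] == "deny"]
    return sorted(denied, key=lambda kv: (-kv[1], kv[0]))


def logging_query(project: str, cluster: str, disposition: str = "deny") -> str:
    """Cloud Logging filter for policy-action entries of one cluster."""
    return "\n".join([
        'resource.type="k8s_node"',
        f'resource.labels.cluster_name="{cluster}"',
        f'logName="projects/{project}/logs/policy-action"',
        f'jsonPayload.disposition="{disposition}"',
    ])


if __name__ == "__main__":
    for flow, total in denied_flows(parse_ndjson(SAMPLE_LOG)):
        print(total, *flow)
    print(logging_query("PROJECT", "autopilot-cluster-1"))
```

A repeated deny from the same source pod to the same port is usually one of two things: a workload that is missing an allow rule (fix the policy) or something probing a service it was never meant to reach (investigate the source pod). Aggregating by flow rather than reading entries one at a time makes that distinction visible at a glance.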

GKE Autopilot uses DPv2 for all newly created clusters starting in GKE versions 1.22.7-gke.1500+ or 1.23.4-gke.1600+. For more information about Dataplane V2, check out our GKE Dataplane V2 docs.

Getting started with GKE Autopilot with DPv2 is as easy as entering the following gcloud command:

gcloud container clusters create-auto CLUSTER_NAME \
    --region REGION \
    --project=PROJECT_ID

To learn more about GKE Autopilot, check out our Overview page.

By: Cynthia Thomas (Google Cloud Product Team)
Source: Google Cloud Blog