Overview
This document describes how to determine the public IP address of an application in a Container Service for Kubernetes (ACK) cluster, that is, the source IP address from which a pod's requests arrive at the destination service. This is the address that must be added to IP address whitelists.
Details
An application needs to access other cloud services or third-party services that enforce access control by source IP address. In this case, the public IP address of the application must be added to the IP address whitelist of the destination service. Which address that is depends on whether the Terway network plug-in is used in the current environment, so first check the network plug-in of the cluster and then follow the matching section below.
With Terway
For a cluster that uses Terway, pod IP addresses are allocated from the Classless Inter-Domain Routing (CIDR) block of the vSwitch in the virtual private cloud (VPC) where the pods reside (the pod vSwitch). In this environment, the IP addresses of pods and of Elastic Compute Service (ECS) instances belong to the CIDR block of the same VPC, but the pods and the ECS instances are associated with different vSwitches. Pods and ECS instances communicate with each other over the VPC network or through elastic network interfaces (ENIs).
Access cloud services
An application in this cluster needs to access a cloud service in the VPC where the application resides, for example, the private domain name of an ApsaraDB RDS instance in the same VPC. No source network address translation (SNAT) is performed on this traffic, so the public IP address of the pod is the pod's own IP address. In this case, add the CIDR block of the pod to the IP address whitelist of the ApsaraDB RDS instance. The CIDR block of the pod is the CIDR block of the pod vSwitch that was selected when the cluster was created, not the CIDR block of the vSwitch of the ECS instance (the node vSwitch).
Note: If the pod is attached to an ENI, the IP address of the ENI is the public IP address of the pod.
Access third-party services
If a pod needs to access the Internet, SNAT must be enabled for the vSwitch where the pod resides (the pod vSwitch). The public IP address of the pod is then the elastic IP address (EIP) that is used by the SNAT entry.
Note: An SNAT entry that covers only the vSwitch where the cluster nodes reside allows the nodes, but not the pods, to access the Internet. Pod traffic leaves from the pod vSwitch, so the SNAT entry must cover the pod vSwitch.
Without Terway
Access cloud services
An application in this cluster needs to access a cloud service in the VPC where the application resides, for example, the private domain name of an ApsaraDB RDS instance in the same VPC. The public IP address of the pod is the internal IP address of the ECS instance (node) where the pod resides: when requests from the pod leave the node, SNAT is performed on them and their source address becomes the node IP address. In this case, add the CIDR block of the ECS instance (the node vSwitch) to the IP address whitelist of the ApsaraDB RDS instance, not the CIDR block of the pod.
Access third-party services
Assume that an application in this cluster needs to access the Internet. By default, a NAT gateway performs SNAT so that the cluster can access the Internet, which also gives the ECS instance where a pod resides Internet access. Therefore, by default, a pod that accesses the Internet uses the EIP of the SNAT entry as its public IP address.
Note: If a node has its own public IP address, pods on that node use the public IP address of the node to access the Internet: when both the node's public IP address and an SNAT entry are available, the node's public IP address takes priority over the SNAT entry. If a node has no public IP address, pods on the node use the EIP of the SNAT entry as the public IP address. Whether a pod can access the Internet depends on whether the ECS instance where the pod resides can access the Internet.
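The following shell script is an added example, not part of the ACK documentation or of the ACK tooling. It encodes the rules from both the Terway and the non-Terway sections above in a single decision function, and it checks whether the source CIDR block of an SNAT entry actually covers the address that leaves the cluster, which is the mistake behind the note about SNAT on the node vSwitch. The kubectl commands in the comments are standard kubectl; the IP addresses, vSwitch CIDR blocks and EIPs in the demo are constructed sample values, not real ones.

```shell
#!/bin/sh
# Added example, not part of the ACK documentation. Decides which source
# address a destination service sees for traffic from a pod, following the
# Terway / non-Terway rules above, and checks whether an SNAT entry's source
# CIDR block actually covers the address that leaves the cluster.
#
# In a live cluster the inputs come from kubectl and the VPC/NAT gateway
# console, for example:
#   kubectl get ds -n kube-system | grep -iE 'terway|flannel'      # which plug-in
#   POD_IP=$(kubectl get pod "$POD" -n "$NS" -o jsonpath='{.status.podIP}')
#   NODE=$(kubectl get pod "$POD" -n "$NS" -o jsonpath='{.spec.nodeName}')
#   NODE_IP=$(kubectl get node "$NODE" \
#       -o jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}')
# The SNAT entry's source CIDR block and EIP are read from the NAT gateway.

# ip_to_int 192.168.1.5 -> 3232235781
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# ip_in_cidr IP CIDR: succeeds if IP lies inside CIDR (e.g. 192.168.32.0/20)
ip_in_cidr() {
    case "$2" in */*) ;; *) return 1 ;; esac      # empty or malformed CIDR never matches
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    prefix=${2#*/}
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# egress_source PLUGIN DEST POD_IP NODE_IP NODE_PUBLIC_IP SNAT_CIDR SNAT_EIP
#   PLUGIN: terway | flannel      DEST: vpc | internet
#   NODE_PUBLIC_IP, SNAT_CIDR and SNAT_EIP may be empty when not configured.
# Prints the address the destination sees, or "none" if the pod has no path.
egress_source() {
    plugin=$1 dest=$2 pod_ip=$3 node_ip=$4 node_public_ip=$5 snat_cidr=$6 snat_eip=$7
    case "$plugin/$dest" in
        terway/vpc)        # no SNAT: the pod IP (pod vSwitch) is seen
            echo "$pod_ip" ;;
        flannel/vpc)       # SNAT on the node: the node's internal IP is seen
            echo "$node_ip" ;;
        terway/internet)   # the SNAT entry must cover the pod vSwitch, not the node vSwitch
            if ip_in_cidr "$pod_ip" "$snat_cidr"; then echo "$snat_eip"; else echo none; fi ;;
        flannel/internet)  # node public IP takes priority; otherwise SNAT for the node's vSwitch
            if [ -n "$node_public_ip" ]; then echo "$node_public_ip"
            elif ip_in_cidr "$node_ip" "$snat_cidr"; then echo "$snat_eip"
            else echo none; fi ;;
        *)  echo "unknown plug-in/destination: $plugin/$dest" >&2; return 1 ;;
    esac
}

# Constructed sample topology (not real addresses): node vSwitch 192.168.0.0/20,
# Terway pod vSwitch 192.168.32.0/20, public addresses from documentation ranges.
demo() {
    pod=192.168.32.17 node=192.168.0.12
    echo "Terway, RDS in VPC:           $(egress_source terway  vpc      $pod $node '' '' '')"
    echo "Flannel, RDS in VPC:          $(egress_source flannel vpc      $pod $node '' '' '')"
    echo "Terway, SNAT on node vSwitch: $(egress_source terway  internet $pod $node '' 192.168.0.0/20  203.0.113.10)"
    echo "Terway, SNAT on pod vSwitch:  $(egress_source terway  internet $pod $node '' 192.168.32.0/20 203.0.113.10)"
    echo "Flannel, node has public IP:  $(egress_source flannel internet $pod $node 198.51.100.5 192.168.0.0/20 203.0.113.10)"
    echo "Flannel, SNAT only:           $(egress_source flannel internet $pod $node '' 192.168.0.0/20 203.0.113.10)"
}
demo
```

The two "Terway ... SNAT" lines of the demo show the failure mode from the note above: with the same EIP, an SNAT entry whose source CIDR block is the node vSwitch yields no Internet path for the pod, while one on the pod vSwitch yields the EIP that must be whitelisted. To confirm the result in a real cluster, send a request from the pod to a service that echoes the caller's address and compare it with what the script predicts.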
Applicable scope
- Dedicated Kubernetes clusters in ACK
- Managed Kubernetes clusters in ACK