✓ Solved

Can I have a single "egress" IP from all pods in my K8s cluster on Linode?


for our system we need a cluster where we run a few pods spread out normally over 3 nodes.
All of these pods need to access external systems (like databases, queues, etc.) which are secured behind firewalls and only allow access from specific IP addresses.

Now, my question is this: is there a way, with a Linode cluster, to make sure that all my components in the pods present themselves to these external services with a single IP address? Of course the cluster could auto-scale, potentially dynamically adding or removing nodes as time goes by, and of course I need that IP address to remain the same regardless of which node a specific pod is scheduled on.

Just as an additional information, this is something that is standard when starting a k8s cluster on Amazon Aws through NAT gateways (all pods present the NAT gateway IP address when accessing external systems).

Thank you,

4 Replies

✓ Best Answer

My teammate pointed out the focus "egress" in your title, which I missed. They suggested the possibility of creating a script to update your backend allowlist policies that uses Linode API to return the IPs of new Nodes after they are recycled.

I also found this post on our Community Site that suggests the possibility of using a node external to the cluster and setting up NGINX as a proxy.

It doesn't sound like we have exactly what you're looking for at the moment, but you should be able to limit the external IP address of your cluster using a NodeBalancer. Here are a few resources to explain more about that:

As that linked Community Site Post mentions, you may want to look into setting up NGINX Ingress as well. From our guide:

In Kubernetes, an Ingress is an API object that manages the routing of external requests to one of the many possible internal services in a Kubernetes cluster. In the majority of cases, the Ingress will rely on an external Load Balancer to accept initial traffic before being routed.

An Ingress is one of the most powerful ways to control external access to your resources, granting the ability to add multiple services under the same IP address, and use plugins like cert-manager to assist with the management of SSL/TLS certificates.

To avoid the NodeBalancer being recycled and changing IPs, you can read through this Community Site post which provides an annotation that may help.

Finally, since you intend to secure traffic in some way, I wanted to make sure you've seen our firewall information for LKE which shows certain ports and ranges that need to be allowed for the cluster to reach the Control Plane.

Thank you for the suggestion about using Nginx as a reverse proxy - we'll take a look at that and see if it can work for us.


Hello [@marcozul] (/community/user/marcozul) were you able to solve this issue , i am facing a similar problem


Please enter an answer

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct