K8S out traffic pod

Hi Guys,

I have a pod that needs access to another service which is managed under a firewall.

Currently we don't have access to the other service because it is blocked (by the firewall). I'm trying to figure out which IP the pod uses to identify itself against the other service, so I can open the firewall rule needed.

Any idea?

Thanks,
Gidi

You’ll need some sort of explicit egress Gateway. This is not something Kubernetes has by default right now.

If this is a completely different machine, your pod will probably come from the external IP of the node it is running on. If you can't find out, you can run some image with curl and find out your external IP from some whatismyip site.

Hi @acim,
Thanks for your response. We have tried to open any/any in the firewall with the source of our worker machines, without success.
Can you please give me more information about the curl? What should I do?
Thanks

@thockin Hi thockin,
Thanks for your response. Shouldn't the pod use the external IP of the host it is running on?

Is there some firewall protecting your Kubernetes cluster? Is it in some cloud, or?
Do you have network policies?

Actually my K8S is not protected under a firewall.

What errors do you see from your pod? What is the output of “kubectl logs” and “kubectl describe pod”?

Run this to find out your public IP:

kubectl run -ti --rm --restart Never --image curlimages/curl -- curl http://whatismyip.akamai.com

I ran:
kubectl exec -ti bash
Then in the terminal I ran
curl http://whatismyip.akamai.com/

This is the response: 194.31.58.5

Is that the IP I have to look for?

Of course, allow this IP to access your external service and check your logs on both sides.

Take care that each node probably has its own external IP. You can maybe get all of them using this command:

kubectl get nodes -o jsonpath='{.items[*].status.addresses[?(@.type=="ExternalIP")].address}'

If this is not set, you have to find out all IPs by running some curl pod on each node. You may need to use a node selector.


@acim
I haven't found any external IP :frowning:
Should I run the curl from the pod on each node, or on the node itself?

Thanks

Well, if this pod is running as part of a deployment, then you should get the external IPs of all worker nodes and whitelist them on the external firewall. If you run a single pod always on the same node, then this one IP should be enough.
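The procedure acim describes (a curl pod on each node, then the list of external IPs) and the deployment case in the last reply, as one added example that is not part of the thread: a POSIX shell script that pins a throw-away curl pod to every worker node with a spec.nodeName override, asks the same whatismyip endpoint the thread uses, validates that the reply is really an IPv4 address, and prints the de-duplicated set of source IPs to allow on the firewall. The pod-naming scheme, the WHATISMYIP_URL and PROBE_IMAGE variables and the "run" argument are my assumptions; the script needs a working kubectl context when invoked as `sh egress-probe.sh run`.

```shell
#!/bin/sh
# Added example, not code from the thread. Enumerate the source IP each worker
# node presents to the outside world by pinning a short-lived curl pod to it.
# WHATISMYIP_URL defaults to the endpoint used in the thread; PROBE_IMAGE and
# the pod-name scheme are assumptions of this example.

WHATISMYIP_URL="${WHATISMYIP_URL:-http://whatismyip.akamai.com}"
PROBE_IMAGE="${PROBE_IMAGE:-curlimages/curl}"

# Accept only a dotted-quad IPv4 address. An HTML error page, an empty reply or
# a curl timeout message must never end up in a firewall rule, so anything else
# returns 1. On success the cleaned address is printed and 0 returned.
extract_ipv4() {
    candidate=$(printf '%s' "$1" | tr -d '[:space:]')
    case "$candidate" in
        *[!0-9.]*|"") return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $candidate
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    printf '%s\n' "$candidate"
}

# Derive a DNS-1123 style pod name from a node name (dots and anything else
# outside [a-z0-9] become '-', length capped, no trailing '-').
probe_pod_name() {
    safe=$(printf '%s' "$1" | tr -c 'a-z0-9' '-' | cut -c1-40 | sed 's/-*$//')
    printf 'egress-probe-%s\n' "$safe"
}

# Run one curl pod pinned to the given node via a spec.nodeName override and
# print the egress IP it observed. --rm (with -i) deletes the pod on exit.
probe_node() {
    node=$1
    raw=$(kubectl run "$(probe_pod_name "$node")" \
        -i --rm --quiet --restart=Never \
        --image="$PROBE_IMAGE" \
        --overrides="{\"apiVersion\":\"v1\",\"spec\":{\"nodeName\":\"$node\"}}" \
        -- curl -s --max-time 10 "$WHATISMYIP_URL" </dev/null) || return 1
    extract_ipv4 "$raw"
}

# Probe every node and print "node ip" lines; nodes that give no usable reply
# are reported on stderr instead of silently dropped.
collect_egress_ips() {
    kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}' |
    while read -r node; do
        if ip=$(probe_node "$node"); then
            printf '%s %s\n' "$node" "$ip"
        else
            printf 'WARN: no usable reply from node %s\n' "$node" >&2
        fi
    done
}

# Reduce "node ip" lines to the unique IPs for the allow-list. Behind a NAT
# gateway every node collapses to one address; with public node IPs each node
# contributes its own.
unique_ips() {
    awk '{print $2}' | sort -u
}

# Only touch the cluster when explicitly asked, so the functions above can be
# sourced or tested without kubectl.
if [ "${1:-}" = "run" ]; then
    collect_egress_ips | unique_ips
fi
```

Two caveats for using the output as a firewall rule: the set of node IPs changes whenever nodes are added, replaced or autoscaled, so re-run the probe after cluster changes or, as thockin suggested, put the pod behind an explicit egress gateway or a static NAT address; and a source-IP allow-list only proves network position, so keep the application-level authentication the remote service already expects.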