Directing outbound traffic with egress IPs
By default, outbound traffic exits the WoK platform directly through the public IP address of the node hosting the Pod.
This means that, from an external standpoint, the hosted service can appear to come from different IP addresses.
In specific security contexts this behavior can be an issue, as the IP address cannot be predicted and it may not be possible to open the whole cluster IP range.
The egressIP is an OpenShift mechanism whose purpose is to set a fixed list of IP addresses that a specific pod can use to exit the cluster.
This makes the IP seen by an external server more predictable and more convenient in the aforementioned security contexts.
Listing existing egressIPs
The egressIPs cannot be listed by regular users on the WoK platform.
However, the following table lists the currently available EgressIPs:
| EgressIP name | Cluster | Scope |
|---|---|---|
| ccin2p3-internal | WoK2, WoK3 | Accessing restricted CC-IN2P3 internal services |
How to use an egressIP?
Using egressIPs relies on labeling some resources of your project correctly.
- Request access to the desired EgressIP from your project by submitting a ticket on our support platform. Specify which project(s) on which cluster(s) are concerned and the reasons why you need to use an EgressIP.
- A cluster admin will set the proper label on your project if the request is deemed reasonable. Additional EgressIPs may be provisioned if necessary.
- Set a specific label on the pods that must use the EgressIP you requested. In the resource manifest of a Deployment this will look like the following YAML bits:
```yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  name: mydeployment
spec:
  template:
    metadata:
      labels:
        [...]
        wok.in2p3.fr/egress: ccin2p3-internal
    spec:
      [...]
```
Tip
Labeling the Deployment resource is unnecessary, only the Pod template within the Deployment is required.
The same logic applies to any other resource that would define a Pod.
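A small pre-deployment check for the labeling rule above, written as an added example (not part of the WoK documentation or tooling): it locates the Pod template of a manifest (Deployment, StatefulSet, DaemonSet, Job, ReplicaSet, CronJob or a bare Pod, generalising the Deployment case shown above), verifies that the `wok.in2p3.fr/egress` label sits on the Pod template with a known EgressIP name, and flags the common mistake of labeling only the Deployment's own metadata. The manifests are constructed samples in JSON form, as `oc get deployment -o json` would print them; the set of known EgressIP names is taken from the table on this page.

```python
import json
from typing import List, Optional

# Label key from the page and the EgressIP names currently listed as available.
EGRESS_LABEL = "wok.in2p3.fr/egress"
KNOWN_EGRESS_IPS = {"ccin2p3-internal"}


def pod_template(manifest: dict) -> Optional[dict]:
    """Return the Pod template (or the Pod itself) that a manifest defines."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return manifest
    if kind == "CronJob":  # the Pod template is nested one level deeper
        return manifest.get("spec", {}).get("jobTemplate", {}).get("spec", {}).get("template")
    if kind in ("Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"):
        return manifest.get("spec", {}).get("template")
    return None


def check_egress_label(manifest: dict) -> List[str]:
    """Return findings; an empty list means the Pods will carry a valid egress label."""
    findings = []
    tmpl = pod_template(manifest)
    if tmpl is None:
        return [f"unsupported kind {manifest.get('kind')!r}"]
    pod_labels = tmpl.get("metadata", {}).get("labels") or {}
    top_labels = manifest.get("metadata", {}).get("labels") or {}
    value = pod_labels.get(EGRESS_LABEL)
    if value is None:
        if manifest.get("kind") != "Pod" and EGRESS_LABEL in top_labels:
            # Label present on the controller only: it never reaches the Pods.
            findings.append(f"{EGRESS_LABEL} is set on the {manifest['kind']} metadata only; "
                            "move it to spec.template.metadata.labels")
        else:
            findings.append(f"{EGRESS_LABEL} label missing from the Pod template")
    elif value not in KNOWN_EGRESS_IPS:
        findings.append(f"unknown EgressIP name {value!r}; known: {sorted(KNOWN_EGRESS_IPS)}")
    return findings


# Constructed samples: the mislabeled Deployment and the corrected one.
WRONG = json.loads('{"kind":"Deployment","apiVersion":"apps/v1",'
                   '"metadata":{"name":"mydeployment","labels":{"wok.in2p3.fr/egress":"ccin2p3-internal"}},'
                   '"spec":{"template":{"metadata":{"labels":{"app":"mydeployment"}},"spec":{}}}}')
RIGHT = json.loads('{"kind":"Deployment","apiVersion":"apps/v1","metadata":{"name":"mydeployment"},'
                   '"spec":{"template":{"metadata":{"labels":{"app":"mydeployment",'
                   '"wok.in2p3.fr/egress":"ccin2p3-internal"}},"spec":{}}}}')

if __name__ == "__main__":
    for name, manifest in (("wrong", WRONG), ("right", RIGHT)):
        print(name, check_egress_label(manifest) or "OK")
```

Once deployed, `oc get pods -l wok.in2p3.fr/egress=ccin2p3-internal` lists the Pods that actually carry the label.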