How to configure IP masquerade agent in GKE Standard clusters

Google Cloud Tech · Beginner · ☁️ DevOps & Cloud · 2y ago

Key Takeaways

How IP masquerading (many-to-one source NAT) works in GKE Standard clusters, what the ip-masq-agent DaemonSet and its ConfigMap do, and how adding a destination to nonMasqueradeCIDRs preserves a pod's source IP toward an on-prem application that only trusts pod addresses.

Full Transcript

…to another by modifying either the source or destination address information in the IP header. IP masquerading is a form of NAT that is typically used to perform many-to-one address translation, where multiple source IP addresses are masked behind a single IP address. This helps improve security and decreases the number of IP addresses your organization needs. In this video you will learn how IP masquerading works in Google Kubernetes Engine, what components are involved in configuring it, how to configure it in a GKE Standard cluster, and finally how to troubleshoot and resolve a common issue with IP masquerading. Let's get started.

Inside a GKE cluster, pods usually have private IP addresses from RFC 1918 ranges, which are not routable on the public internet. So when a pod sends network traffic to a destination on the public internet, IP masquerading is used to change the source IP address of packets sent from the pod to the underlying node's IP address. This is also useful when a recipient is configured to receive packets only from the cluster's node IP addresses. On Linux nodes, GKE configures iptables rules to perform IP masquerading. GKE uses the ip-masq-agent, which runs as a DaemonSet in your cluster, to configure the appropriate data plane. The ip-masq-agent configures iptables rules on a node to handle the masquerading of pod IP addresses when sending traffic to other nodes or to destinations outside the cluster. This essentially hides pod IP addresses behind the cluster node's IP address. This is helpful especially in scenarios where traffic to external addresses is expected to come from known machine addresses.

The two main components involved in configuring IP masquerading in GKE are the ip-masq-agent DaemonSet, which is responsible for configuring the necessary iptables rules to perform source address translation in the Linux kernel and uses the ip-masq-agent ConfigMap, and the ip-masq-agent ConfigMap, which enables you to specify a range of destination IP addresses for which the pod's source IP address is preserved when packets are sent out.

All right, let's take a look at the steps involved in configuring IP masquerading in GKE. Step 1: check if the ip-masq-agent DaemonSet and ConfigMap are present in your cluster. If not, use the link below to create these resources. Step 2: create and update the ip-masq-agent ConfigMap. Here is a sample ip-masq-agent ConfigMap for reference. By default, every outbound connection undergoes IP masquerading except those to the default non-masquerade CIDRs. For example, if you want to preserve a pod's IP address, then you must define a list of destination IP addresses in CIDR format under the nonMasqueradeCIDRs option. When packets are sent to these destinations, your cluster does not masquerade the source IP address, thereby preserving pod IP addresses. All other destinations that are not part of the nonMasqueradeCIDRs list undergo source address translation.

Let's dive into a demo and learn how to troubleshoot and resolve a common issue that can be seen if IP masquerading is not configured correctly. Consider the following scenario: a client pod running inside a GKE cluster, with connectivity to on-prem using Cloud VPN. There is an application running on-prem with the IP address 10.151.0.2, which needs to be accessed from the client pod. The on-prem application is configured such that it accepts connections only from the pod IP addresses. Let's now make an HTTP request from the client to the on-prem application. Oops, it's not working. This is because the pod's IP address is masqueraded behind the node's IP address. To fix this issue, you must disable IP masquerading of pod IP addresses when the destination is the on-prem application.

Check if the ip-masq-agent is running inside the cluster by running the following command. This indicates the ip-masq-agent is running inside the cluster as a DaemonSet. Check the ip-masq-agent ConfigMap from the GKE console: select the Secrets and ConfigMaps option, unselect the "Is system object: false" filter, search for ip-masq-agent resources, select it, and click the Edit button. Under the nonMasqueradeCIDRs block, add the range 10.151.0.2/32 to prevent IP masquerading for any traffic going to the on-prem application. Save the changes. Let's try to make the HTTP request from the client to the on-prem application. Success! The connectivity between the pod and the on-prem application is now working. For more details about IP masquerading in GKE, check out the following documents. Thanks for watching the video.
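The ConfigMap the video edits, and the masquerade decision it drives, as an added example for this page rather than code from the video or from the ip-masq-agent project. It is a Python model of the agent's documented rule set: a destination inside any nonMasqueradeCIDRs entry keeps the pod's source IP, link-local 169.254.0.0/16 is exempt unless masqLinkLocal is true, and everything else is SNATed to the node IP. The on-prem address 10.151.0.2 comes from the demo; the pod range, service range, pod IP and node IP are constructed sample values, and the assumption that the demo cluster's ConfigMap originally exempted only its own pod and service ranges is ours (it cannot have covered 10.151.0.2, or the first request would have succeeded).

```python
import ipaddress
from typing import Iterable, List

# Traffic to link-local is exempt from masquerading unless masqLinkLocal is true.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Constructed sample cluster (not from the video): the ConfigMap initially
# exempts only the cluster's own pod and service ranges.
POD_CIDR = "10.8.0.0/14"
SERVICE_CIDR = "10.4.0.0/19"
INITIAL_NON_MASQ = [POD_CIDR, SERVICE_CIDR]

ONPREM_APP = "10.151.0.2"                                  # on-prem address from the demo
FIXED_NON_MASQ = INITIAL_NON_MASQ + [f"{ONPREM_APP}/32"]   # the video's fix


def render_configmap(non_masq_cidrs: Iterable[str],
                     masq_link_local: bool = False,
                     resync_interval: str = "60s") -> str:
    """Return the ip-masq-agent ConfigMap as YAML text.

    The agent reads the YAML under data.config and understands the keys
    nonMasqueradeCIDRs, masqLinkLocal and resyncInterval. Every CIDR is parsed
    strictly, so an entry with host bits set (10.151.0.2/24) is rejected here
    rather than silently breaking the agent on the node.
    """
    cidr_lines = "".join(
        f"      - {ipaddress.ip_network(c, strict=True)}\n" for c in non_masq_cidrs
    )
    return (
        "apiVersion: v1\n"
        "kind: ConfigMap\n"
        "metadata:\n"
        "  name: ip-masq-agent\n"
        "  namespace: kube-system\n"
        "data:\n"
        "  config: |\n"
        "    nonMasqueradeCIDRs:\n"
        f"{cidr_lines}"
        f"    masqLinkLocal: {str(masq_link_local).lower()}\n"
        f"    resyncInterval: {resync_interval}\n"
    )


def ip_masq_chain(non_masq_cidrs: Iterable[str],
                  masq_link_local: bool = False) -> List[str]:
    """Shape of the nat-table IP-MASQ chain the agent programs on each node:
    one RETURN per exempt destination, then a catch-all MASQUERADE that must
    stay last. POSTROUTING jumps into this chain for every non-local destination."""
    rules = []
    if not masq_link_local:
        rules.append(f"-A IP-MASQ -d {LINK_LOCAL} -j RETURN")
    rules += [f"-A IP-MASQ -d {ipaddress.ip_network(c)} -j RETURN" for c in non_masq_cidrs]
    rules.append("-A IP-MASQ -j MASQUERADE")
    return rules


def source_seen_by(dst: str, pod_ip: str, node_ip: str,
                   non_masq_cidrs: Iterable[str],
                   masq_link_local: bool = False) -> str:
    """Walk the chain for one packet pod_ip -> dst and return the source address
    the destination observes: pod_ip when a RETURN matches, else node_ip."""
    dst_addr = ipaddress.ip_address(dst)
    exempt = [] if masq_link_local else [LINK_LOCAL]
    exempt += [ipaddress.ip_network(c) for c in non_masq_cidrs]
    if any(dst_addr in net for net in exempt):
        return pod_ip           # RETURN: source address left untouched
    return node_ip              # MASQUERADE: SNAT to the node's primary IP


def demo() -> dict:
    """The video's scenario: the on-prem app accepts connections only from pod IPs."""
    pod_ip, node_ip = "10.8.1.17", "10.128.0.5"   # constructed sample addresses
    return {
        "onprem_before_fix": source_seen_by(ONPREM_APP, pod_ip, node_ip, INITIAL_NON_MASQ),
        "onprem_after_fix": source_seen_by(ONPREM_APP, pod_ip, node_ip, FIXED_NON_MASQ),
        "internet_after_fix": source_seen_by("8.8.8.8", pod_ip, node_ip, FIXED_NON_MASQ),
        "metadata_server": source_seen_by("169.254.169.254", pod_ip, node_ip, FIXED_NON_MASQ),
    }


if __name__ == "__main__":
    print(render_configmap(FIXED_NON_MASQ))
    print("\n".join(ip_masq_chain(FIXED_NON_MASQ)), end="\n\n")
    for case, src in demo().items():
        print(f"{case:>20}: destination sees source {src}")
```

Running it prints the fixed ConfigMap manifest, the shape of the IP-MASQ chain it produces, and which source address the on-prem application sees before and after the /32 is added. The checks a practitioner would pair with this on a real cluster are `kubectl get daemonset ip-masq-agent -n kube-system` to confirm the agent is running, `kubectl get configmap ip-masq-agent -n kube-system -o yaml` to read the live nonMasqueradeCIDRs, and on a node `sudo iptables -t nat -L IP-MASQ -n` to confirm the RETURN rule for 10.151.0.2/32 sits before the final MASQUERADE. Note the trade-off the fix makes: once the destination is exempt, the on-prem side must allow the whole pod CIDR rather than the node IPs, and a broader entry in nonMasqueradeCIDRs exposes every pod's address to that destination.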

Original Description

Do you want to get a quick understanding of how IP masquerading works? Are you looking for information about how to configure IP masquerading in a GKE Standard cluster? In this video, we introduce you to IP masquerading and the key components involved, and explain how IP masquerading works in Google Kubernetes Engine. We discuss how to configure the IP masquerade agent in GKE Standard clusters. Watch along and learn how to troubleshoot and resolve a common issue with IP masquerading when configured with on-prem. Stay tuned and watch until the end!

Chapters
0:00 - Intro
0:07 - NAT & IP masquerading
0:55 - IP masquerading in GKE
1:30 - IP masq agent and its components
2:30 - Configure IP masquerading in GKE
2:50 - Sample ip-masq-agent config map
3:32 - Demo: Troubleshoot and resolve misconfigured IP masquerading on prem
5:38 - Further reading

About IP masquerade agent → https://goo.gle/3QcKhOK
Install ip-masq-agent DaemonSet and ConfigMap → https://goo.gle/43Nr5dE
Configuring an IP masquerade agent in Standard clusters → https://goo.gle/3DwUkqu
Subscribe to Google Cloud Tech → https://goo.gle/GoogleCloudTech