GCloud K8s Pod-to-Pod Routing
Currently, I'm running a Kubernetes cluster on GCloud K8s Engine.

Now I'm running an OpenVPN server on there to create a network where multiple clients can talk together in a client-to-client fashion.
If I'm using just a single VPN server, it already works. The client can connect to the K8s pod and communicate with other clients or even the server itself.

However, now I want to make that a little bit more available and want to have at least two servers, which means I create another VPN network. That is relatively simple, by using the same configuration I used in server1 (I just need to adjust the subnet).

But the tricky part is: how can I make it happen that both pods correctly route the networks?

I.e. I have the VPN networks 172.40.0.0/16 (Pod 1) and 172.41.0.0/16 (Pod 2).
Does K8s or GCloud have any way of announcing the VPN network so that the pods will correctly route requests from 172.40.0.0/16 to 172.41.0.0/16?

(OpenVPN will have both routes pushed to the client, so either Pod 1 will be the gateway or Pod 2.)

I wouldn't bother writing code so that I can correctly communicate with the pods, i.e. if I create a GCloud Route with the pod IP as a gateway for the networks, would that work?
kubernetes gcloud
edited Nov 16 '18 at 1:48 by Rico
asked Nov 15 '18 at 10:02 by Christian Schmitt

  • Not sure I got your question right, but in general it's not the best idea to communicate with pods directly in k8s, since a pod can be moved/destroyed at any time. Instead you can talk to services, so you will be able to communicate with a service by using its name thanks to KubeDNS. In your case, even if you set up a new network, you can still communicate with its services just by their names.
    – Evgeny Makarov, Nov 15 '18 at 10:19

  • Well, the problem is that I can't have a service that can "route" a whole network. Also, if a pod is destroyed/moved (it's a StatefulSet) I could just delete the old route and announce a new one. Basically I'm looking for an idea how I could solve this problem, so if there is a way to have a service which will make it work that my VPN is working, everything would be ok. I mean I could also use the VPN to actually connect the VPN to the VPN itself (which would have an overhead).
    – Christian Schmitt, Nov 15 '18 at 12:02

  • I.e. a cool way would be to have a VPC which the OpenVPN uses and the gcloud compute will actually do the routing automatically.
    – Christian Schmitt, Nov 15 '18 at 12:12

1 Answer
> Does K8s or GCloud have any way of announcing the VPN network so that the pods will correctly route requests from 172.40.0.0/16 to 172.41.0.0/16

Kubernetes doesn't have any such mechanisms. However, you could look at BGP peering with Calico as an overlay.

The other option I guess is to create manual routes on both servers that point to each other; that way traffic flows both ways. Traffic to the PodCidr is gonna be trickier because it's generally masqueraded with iptables, and in a Kubernetes cluster the PodCidr is cluster-wide.
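The answer's second option (manual routes on each server pointing at the other) and the question's own subnet choice can both be checked before anything is applied to a pod. The planner below is an added example, not code from the question, the answer, or any project mentioned on this page. The pod names openvpn-0 and openvpn-1, their pod IPs and the PodCidr 10.4.0.0/14 are constructed sample values (only the two VPN subnets come from the question), and it assumes the peer pod's IP is usable as a next hop from wherever the generated `ip route` command is run, which is precisely the part the answer calls tricky on a cluster network.

```python
"""Pre-flight planner for the 'manual routes on both servers' option.

Added example: not code from the question, the answer, or any project.
Pod names, pod IPs and the PodCidr below are constructed sample values;
the two VPN subnets are the ones from the question.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VpnServer:
    name: str        # pod name; assumed to be a StatefulSet member
    pod_ip: str      # the pod's cluster IP (constructed sample value)
    vpn_subnet: str  # subnet this server hands out to its VPN clients


def subnet_conflicts(servers, pod_cidr):
    """Return a list of conflict descriptions (empty means the plan is sane).

    A VPN subnet that overlaps the cluster PodCidr would be swallowed by the
    cluster's own routing and iptables masquerading (the caveat in the answer),
    and two VPN subnets that overlap each other cannot be told apart by a route.
    """
    cluster = ipaddress.ip_network(pod_cidr)
    nets = [(s.name, ipaddress.ip_network(s.vpn_subnet)) for s in servers]
    conflicts = []
    for i, (name, net) in enumerate(nets):
        if net.overlaps(cluster):
            conflicts.append(f"{name}: {net} overlaps PodCidr {cluster}")
        for other_name, other in nets[i + 1:]:
            if net.overlaps(other):
                conflicts.append(f"{name}: {net} overlaps {other_name}: {other}")
    return conflicts


def non_private_subnets(servers):
    """VPN subnets outside the RFC 1918 ranges.

    Pushing a route for such a subnet to clients steals their traffic to the
    real public addresses in that range; 172.40.0.0/16 lies outside
    172.16.0.0/12, so the question's subnets are flagged here.
    """
    return [s.vpn_subnet for s in servers
            if not ipaddress.ip_network(s.vpn_subnet).is_private]


def peer_routes(servers):
    """Per server, the iproute2 commands that send every other server's VPN
    subnet to the pod that serves it. Assumes the peer pod IP is a reachable
    next hop from where the command runs (assumption, see lead-in)."""
    plan = {}
    for s in servers:
        plan[s.name] = [
            f"ip route replace {peer.vpn_subnet} via {peer.pod_ip}"
            for peer in servers if peer is not s
        ]
    return plan


def client_push_routes(servers, this):
    """OpenVPN server-config lines so this server's clients reach the other
    VPN subnets with this server as their gateway."""
    lines = []
    for peer in servers:
        if peer is this:
            continue
        net = ipaddress.ip_network(peer.vpn_subnet)
        lines.append(f'push "route {net.network_address} {net.netmask}"')
    return lines


# Constructed sample topology: two StatefulSet pods, one VPN subnet each.
SERVERS = [
    VpnServer("openvpn-0", "10.4.1.7", "172.40.0.0/16"),
    VpnServer("openvpn-1", "10.4.2.9", "172.41.0.0/16"),
]
POD_CIDR = "10.4.0.0/14"  # constructed; read the real value from the cluster


if __name__ == "__main__":
    problems = subnet_conflicts(SERVERS, POD_CIDR)
    if problems:
        raise SystemExit("refusing to plan routes:\n  " + "\n  ".join(problems))
    for subnet in non_private_subnets(SERVERS):
        print(f"warning: {subnet} is not RFC 1918 space; clients lose the real {subnet}")
    for server in SERVERS:
        print(f"# on {server.name}")
        for cmd in peer_routes(SERVERS)[server.name]:
            print(cmd)
        for line in client_push_routes(SERVERS, server):
            print(line)
```

Run as a script it refuses to emit routes that collide with the PodCidr and warns that 172.40.0.0/16 and 172.41.0.0/16 are outside RFC 1918 space (172.16.0.0/12 ends at 172.31.255.255), so the pushed routes would shadow real public addresses for every VPN client; a 172.16-172.31 or 10.x subnet that does not overlap the cluster avoids that. Because a StatefulSet pod keeps its name but not its IP across rescheduling, the plan has to be regenerated and re-applied whenever a pod moves, which is the "delete the old route and announce a new one" step the questioner describes in the comments.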
answered Nov 16 '18 at 1:59 by Rico