
I have a workload in a GKE cluster and I need to expose one port with both TCP and UDP protocols externally. The complication is that egress and ingress should go through the same external IP in order to make the P2P protocol work.

Currently, my cluster is public and I use a trick with hostNetwork: true described here https://stackoverflow.com/a/47887571/803403, but I am considering moving to a private cluster and using Cloud NAT. However, I did not find a way to expose that port in this case. I tried to expose it via ClusterIP, but in the firewall rules I could not map the external port to that ClusterIP port, since the latter does not have network tags. I'm also not sure whether firewall rules can be applied to the Cloud Router that is bound to Cloud NAT.

Any ideas?

desertnaut
azhurb
  • Why don't you expose it with a LoadBalancer? – guillaume blaquiere Feb 05 '21 at 08:11
  • Checking [this article](https://stackoverflow.com/questions/58830440/expose-private-kubernetes-cluster-with-nodeport-type-service), you will need to use nodeport instead. See if it fits your use case. – Alex G Feb 05 '21 at 09:17
  • @guillaumeblaquiere LoadBalancer does not support multiple protocols on the same port. – azhurb Feb 05 '21 at 10:26
  • @AlexG unfortunately the main condition for NodePort is `it is needed to have external IP address assigned to one of the nodes in cluster`, which is not the case for a private cluster. – azhurb Feb 05 '21 at 10:55

2 Answers


You are in a dead end! Today you expose your service through the public IP of one of your nodes. If you go private, you will no longer have a public IP, only a private IP. Thus, you need something that bridges the private world and the public internet: a load balancer.

However, multiprotocol on the same IP (here TCP and UDP) isn't natively supported by the Google load balancer, so you can't use a load balancer.

No luck...

Note: I know there are updates in progress on the Google Cloud internal network side, but that's all. I don't know exactly what, or whether a new type of load balancer will be released or not. Maybe... stay tuned, but it won't be in the next weeks.

guillaume blaquiere
  • I hoped that Cloud NAT and Cloud Router along with firewall rules would do the trick, but apparently it is not possible: `Firewall rules are applied directly to the network interfaces of Compute Engine VMs, not Cloud NAT gateways.` – azhurb Feb 05 '21 at 13:36
  • 1
    Yes, and NAT works only for outbound traffic, you can't reach your GKE cluster with incoming request to Cloud NAT IP – guillaume blaquiere Feb 05 '21 at 17:02

You can

  1. create a gcloud compute address
  2. create a LoadBalancer service that listens on your TCP port(s)
  3. create a second LoadBalancer service that listens on your UDP port(s)
  4. assign the gcloud compute IP address to both LoadBalancer services using spec.loadBalancerIP

Make sure the IP and the GKE services are in the same gcloud project and region.

```yaml
# Two Services, one per protocol, both pinned to the same reserved regional address
apiVersion: v1
kind: Service
metadata:
  name: service-tcp
  labels:
    app: nginx
spec:
  ports:
  - protocol: TCP
    port: 80              # targetPort defaults to the same value
  selector:
    app: nginx
  type: LoadBalancer
  loadBalancerIP: 1.2.3.4  # the reserved static IP; replace with your own
---
apiVersion: v1
kind: Service
metadata:
  name: service-udp
  labels:
    app: nginx
spec:
  ports:
  - protocol: UDP
    port: 80              # same port number, different protocol
  selector:
    app: nginx
  type: LoadBalancer
  loadBalancerIP: 1.2.3.4  # identical to the TCP Service above
```
Joe Corall