
Disable external IP on GKE nodes

I'm using Jupyterhub + Kubernetes to provide a hosted development environment for a large programming class (>100 students). It's running on top of GKE with autoscaling enabled. As additional students log in, more nodes are dynamically added to the pool to handle the increased demand.

I'm running into an issue where the node pool is exhausting the project quota of external IPs, effectively limiting the size of the pool to 8 concurrent nodes. The exact error is this one. The nodes sit behind a reverse proxy for communicating with end users; as far as I can tell, the only use of these public IPs is to enable direct SSH into each individual node. I don't need or even want this functionality, since it presents an unnecessary attack surface.

How can I disable the automatic assignment of ephemeral IPs to these worker nodes? There must be a way since the docs for GKE suggest that autoscaling can grow up to something like 1000 nodes. I don't see how this could be possible if they are all subject to the same tiny external IP quota.

The solution you're looking for is simply increasing your quotas in console for your GCP project (IAM & admin -> Quotas). It's just a few clicks and usually takes only a few minutes for them to get approved.

Right now it's not possible to create GKE nodes without public IPs. Even if it were, it wouldn't help you as you'd just hit other quotas (cpu/disk), so also raise those.

  1. Nodes that belong to a private cluster do not get assigned an external IP address.
  2. Inspect the quota limits in the zone where your cluster is hosted. Pro tip: It is likely that if you are hitting these limits at low numbers (under 500 IPs/CPUs), then the zone is overutilized and you are probably paying measurably more than what the price would be in less utilised zones.

Unfortunately external IP addresses are necessary for each node to connect to the master. In order to avoid future problems you should request quota for external IP addresses and CPUs, so the cluster can autoscale.

Regarding the attack surface, you can check in your firewall rules that, when a cluster is created, new rules are created and by default SSH to the nodes is allowed only from a range of IP addresses.
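Two checks a practitioner would want after reading the answers above: which nodes actually carry an external IP (the private-cluster point), and whether any firewall rule opens SSH on those nodes to the whole Internet (the firewall-rule point). The script below is an added example, not code from the question or either answer. It runs offline on constructed sample data laid out in the JSON shape produced by `gcloud compute instances list --format=json` and `gcloud compute firewall-rules list --format=json`; the instance names, IPs and rule names are invented for illustration, and in real use you would pipe the output of those two commands into `audit()`.

```python
import ipaddress
import json

# Constructed sample (not real gcloud output): one GKE node that received an
# ephemeral external IP (natIP under accessConfigs) and one private-only node
# whose NIC has no accessConfigs at all, which is what private-cluster nodes look like.
SAMPLE_INSTANCES_JSON = """
[
  {"name": "gke-demo-default-pool-1a2b3c4d-abcd",
   "networkInterfaces": [{"networkIP": "10.128.0.5",
                          "accessConfigs": [{"type": "ONE_TO_ONE_NAT",
                                             "name": "external-nat",
                                             "natIP": "34.90.12.34"}]}]},
  {"name": "gke-demo-default-pool-1a2b3c4d-efgh",
   "networkInterfaces": [{"networkIP": "10.128.0.6"}]}
]
"""

# Constructed sample of firewall rules: one world-open SSH rule, one SSH rule
# restricted to a bastion subnet, one internal allow-all, and a disabled rule.
SAMPLE_FIREWALL_JSON = """
[
  {"name": "default-allow-ssh", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "gke-demo-ssh-from-bastion", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["10.200.0.0/24"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "gke-demo-internal", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["10.128.0.0/9"],
   "allowed": [{"IPProtocol": "all"}]},
  {"name": "old-allow-everything", "direction": "INGRESS", "disabled": true,
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["1-65535"]}]}
]
"""


def external_ips(instances):
    """Map instance name -> list of external (NAT) IPs, for instances that have one."""
    found = {}
    for inst in instances:
        ips = [ac["natIP"]
               for nic in inst.get("networkInterfaces", [])
               for ac in nic.get("accessConfigs", [])
               if ac.get("natIP")]
        if ips:
            found[inst["name"]] = ips
    return found


def port_in_spec(port, spec):
    """GCE port specs are either "22" or a range like "1000-2000"."""
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def rule_allows(rule, proto, port):
    """True if an enabled INGRESS rule permits proto/port (no 'ports' means all ports)."""
    if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
        return False
    for entry in rule.get("allowed", []):
        if entry["IPProtocol"].lower() not in (proto, "all"):
            continue
        ports = entry.get("ports")
        if not ports or any(port_in_spec(port, p) for p in ports):
            return True
    return False


def source_is_world(ranges):
    """A /0 source range (0.0.0.0/0 or ::/0) means anyone on the Internet."""
    return any(ipaddress.ip_network(r, strict=False).prefixlen == 0 for r in ranges)


def world_exposed_ssh_rules(rules):
    """Names of enabled ingress rules that allow tcp/22 from a /0 source range."""
    return [r["name"] for r in rules
            if rule_allows(r, "tcp", 22) and source_is_world(r.get("sourceRanges", []))]


def audit(instances_json, firewall_json):
    """Run both checks over raw JSON text as emitted by the two gcloud list commands."""
    return {
        "nodes_with_external_ip": external_ips(json.loads(instances_json)),
        "world_exposed_ssh_rules": world_exposed_ssh_rules(json.loads(firewall_json)),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_INSTANCES_JSON, SAMPLE_FIREWALL_JSON), indent=2))
```

On a private cluster (created with `gcloud container clusters create --enable-private-nodes --enable-ip-alias --master-ipv4-cidr ...`), `nodes_with_external_ip` comes back empty, which is the state the question is asking for and also removes the external-IP quota from the autoscaling equation. The firewall check is worth running even then, since a world-open tcp/22 rule on the VPC applies to any node that later does get an external address.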
