Use Egress NAT Policy to configure IP masquerade in Autopilot clusters


This page explains how to configure clusters created in the Google Kubernetes Engine (GKE) Autopilot mode to perform IP masquerade with the Egress NAT Policy.

For more information about IP masquerading in GKE Standard mode, see Configure an IP masquerade agent.

Overview

The GKE Egress NAT policy lets you configure the IP masquerade behavior for Autopilot clusters.

GKE supports two automatically generated Egress NAT policies:

  • Policies managed by GKE, which are fixed and not editable.
  • The default policy, which is editable.

This page shows you how to edit and deploy an Egress NAT policy by either editing the default policy or by creating an Egress NAT policy. This page also shows you how to delete a created Egress NAT policy.

For more information about Egress NAT policy behavior, see the traffic masquerade behavior for Autopilot clusters.

Before you begin

Before you start, make sure that you have performed the following tasks:

  • Enable the Google Kubernetes Engine API.
  • If you want to use the Google Cloud CLI for this task, install and then initialize the gcloud CLI. If you previously installed the gcloud CLI, get the latest version by running gcloud components update.
  • Ensure that you have an Autopilot cluster running version 1.23.4-gke.1600 or later, or 1.22.7-gke.1500 or later. Your cluster must have GKE Dataplane V2 enabled.
  • Ensure that your cluster has a workload running. For more information, see how to request resources.

Check Egress NAT policy status

You can check if your cluster is running the Egress NAT policy custom resource definition (CRD) by using the Google Cloud CLI tool:

  1. Get the credentials for your cluster:

     gcloud container clusters get-credentials CLUSTER_NAME

    Replace CLUSTER_NAME with the name of the cluster.

  2. Check if the Egress NAT policy is running:

     kubectl get crds egressnatpolicies.networking.gke.io

    If the Egress NAT policy is running, then the output is similar to the following:

     NAME                                  CREATED AT
     egressnatpolicies.networking.gke.io   2022-03-16T21:05:43Z

  3. Get the list of the created Egress NAT policies:

     kubectl get egressnatpolicies

    The output is similar to the following:

     NAME             AGE
     default          44h
     gke-bbfa6c0e-1   44h


Edit the existing default policy

GKE supports two automatically generated NAT policies: the default policy and the policy managed by GKE. The default policy is editable and configures the default non-masquerade destinations.

To edit the existing default policy, perform the following steps:

  1. Get the credentials for your cluster:

     gcloud container clusters get-credentials CLUSTER_NAME


    Replace CLUSTER_NAME with the name of your cluster.

  2. Edit the default Egress NAT policy:

     kubectl edit egressnatpolicies default

  3. Add or remove destinations for the NoSNAT action as cidr entries in CIDR format:

     apiVersion: networking.gke.io/v1
     kind: EgressNATPolicy
     metadata:
       name: default
     spec:
       action: NoSNAT
       destinations:
       - cidr: 10.0.0.0/8
       - cidr: 172.16.0.0/12
       - cidr: 192.168.0.0/16
       - cidr: 240.0.0.0/4
       - cidr: 192.0.2.0/24
       - cidr: 198.51.100.0/24
       - cidr: 203.0.113.0/24
       - cidr: 100.64.0.0/10
       - cidr: 198.18.0.0/15
       - cidr: 192.0.0.0/24
       - cidr: 192.88.99.0/24


    When packets are sent to these destinations, your cluster does not masquerade IP address sources and preserves source Pod IP addresses.

  4. Verify the edited default policy is deployed by checking the Kubernetes events:

     kubectl get events


    The output is similar to the following:

     LAST SEEN   TYPE     REASON           OBJECT                    MESSAGE
     13s         Normal   EnsuringPolicy   egressnatpolicy/default   Ensuring IP masquerade config for policy "default"


    Your changes might take up to three minutes to apply.

Deploy a new Egress NAT policy

To add new destinations with the NoSNAT action without changing the default policy, create a separate Egress NAT policy. To do so, perform the following steps:

  1. Save the following manifest as egress_nat_policy.yaml:

     kind: EgressNATPolicy
     apiVersion: networking.gke.io/v1
     metadata:
       name: POLICY_NAME
     spec:
       action: NoSNAT
       destinations:
       - cidr: CIDR_1
       - cidr: CIDR_2


    Replace the following:

    • POLICY_NAME: the name of your new policy.
    • CIDR_1 and CIDR_2: the IP address ranges in CIDR format. When packets are sent to these destinations, your cluster does not masquerade IP address sources and preserves source Pod IP addresses. If you need more than two CIDRs, add more entries to the destinations list following the same format.
  2. Deploy the new policy:

     kubectl create -f egress_nat_policy.yaml

  3. Verify your policy is deployed by checking the Kubernetes events:

     kubectl get events


    The output is similar to the following:

     LAST SEEN   TYPE     REASON           OBJECT                              MESSAGE
     13s         Normal   EnsuringPolicy   egressnatpolicy/mypolicy            Ensuring IP masquerade config for policy "mypolicy"

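Before you run kubectl edit or kubectl create, it helps to check which traffic a given set of policies will leave unmasqueraded. The following added example (not part of this page or of GKE) models the rule stated above, namely that a destination matched by any NoSNAT cidr keeps the source Pod IP, and validates the cidr entries the way the API would reject malformed ones. The policy named partner-vpn and all addresses in it are constructed for illustration; the default policy mirrors the manifest shown in "Edit the existing default policy".

```python
import ipaddress

# Constructed policies shaped like the EgressNATPolicy manifests on this page.
# "default" copies the page's default non-masquerade destinations; "partner-vpn"
# is a hypothetical policy created with "Deploy a new Egress NAT policy".
POLICIES = {
    "default": {
        "action": "NoSNAT",
        "destinations": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                         "240.0.0.0/4", "192.0.2.0/24", "198.51.100.0/24",
                         "203.0.113.0/24", "100.64.0.0/10", "198.18.0.0/15",
                         "192.0.0.0/24", "192.88.99.0/24"],
    },
    "partner-vpn": {"action": "NoSNAT",
                    "destinations": ["203.0.113.0/24", "198.51.100.128/25"]},
}


def validate_policy(name, policy):
    """Return a list of problems: wrong action, unparsable CIDR, or host bits set."""
    problems = []
    if policy.get("action") != "NoSNAT":
        problems.append(f"{name}: action must be NoSNAT, got {policy.get('action')!r}")
    for cidr in policy.get("destinations", []):
        try:
            # strict=True rejects entries such as 10.1.2.3/8 (host bits set).
            ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: invalid cidr {cidr!r} ({exc})")
    return problems


def masquerade_decision(dst_ip, policies):
    """Return (masqueraded, matches) for a packet to dst_ip.

    masqueraded is True when no NoSNAT destination contains dst_ip, so the
    source would be rewritten to the node IP; matches lists every
    (policy, cidr) pair that covers the address, which also reveals overlaps."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [(name, cidr)
               for name, policy in policies.items()
               if policy.get("action") == "NoSNAT"
               for cidr in policy["destinations"]
               if dst in ipaddress.ip_network(cidr, strict=False)]
    return (len(matches) == 0, matches)


if __name__ == "__main__":
    for name, policy in POLICIES.items():
        print(name, validate_policy(name, policy) or "ok")
    for ip in ("10.20.30.40", "8.8.8.8", "203.0.113.7"):
        print(ip, masquerade_decision(ip, POLICIES))
```

Run the check against the cidr lists you intend to put in the manifest; an address that returns masqueraded=True will leave the cluster with the node IP rather than the Pod IP.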

Delete an Egress NAT policy

To completely delete an Egress NAT policy, run the following command:

 kubectl delete egressnatpolicies POLICY_NAME


Replace POLICY_NAME with the name of the policy you want to delete.
