Hello,
I want to access Pod IP from outside of Cluster.
First I don’t know that how to routing Pod IP.
And I want to deny access to Pod IP from outside of Cluster, defaultly.
Only a specific IP Pool should be made accessible.
I using Calico and eBGP.
How to advertise a specific Pod IP Pool?
Thanks.
Calico advertises pod IPs over BGP, so you need to peer Calico’s BGP, directly or indirectly, with all of the routers between the cluster and the places that you want to access from. Then those places will know how to route to pod IPs.
To restrict that to a specific IP pool, you can do it at the networking level, or at the policy level (or both).
By networking: configure import filters on your BGP routers, so that they only learn routes for the specific IP pool.
By policy: configure an ingress policy for all pods that:
Hope that helps!
Thank you for answer!
I decided to peering bgp and set prefix-list from router.
Actually, I have a problem when I try it.
Next Hop is displayed as all nodes on the Pod Subnet.
* 10.16.135.112/28 10.16.9.101 0 65011 i
* 10.16.9.201 0 65011 i
* 10.16.0.241 0 65011 i
* 10.16.9.211 0 65011 i
* 10.16.9.11 0 65011 i
*> 10.16.9.12 0 65011 i
Traceroute goes through unnecessary nodes.
That looks odd. Can you tell me more about:
Solved.
It was nodeToNodeMesh problem.
Same issue https://github.com/projectcalico/calico/issues/3810
Ah yes, that makes sense. Thanks for closing the loop here!