
IP Addresses of Pods Exposed to the External Network

In Kube-OVN, the IP address of a pod can be exposed directly to the external network through a static route. In this case, the natOutgoing field of the subnet that the pod belongs to must be set to false, so that outbound traffic is not NAT-mapped to the node address and the pod IP stays visible to the external network.

In addition, check whether the iptables FORWARD chain on the host node contains a DROP rule that would match this traffic. For both the ovn0 NIC and the default outbound NIC, add rules to the iptables FORWARD chain that accept forwarded traffic.
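
The check above can be scripted against the output of `iptables -S FORWARD` on a node. The following added example (not part of the Kube-OVN documentation or project) replays the chain rule by rule for traffic between ovn0 and the default outbound NIC, which is assumed to be named eth0; the sample chains are constructed, and only -i/-o matches are evaluated, so rules with other match extensions are treated as matching.

```shell
# Added example: simulate the iptables FORWARD verdict for traffic between the
# ovn0 NIC and the node's default outbound NIC (assumed to be eth0). Only -i/-o
# matches are evaluated; other match extensions are treated as matching.
# forward_verdict RULES IN_NIC OUT_NIC: RULES is `iptables -S FORWARD` output.
# Prints the first matching terminating target, or POLICY:<policy> if none.
forward_verdict() {
  printf '%s\n' "$1" | awk -v in_nic="$2" -v out_nic="$3" '
    $1 == "-P" { policy = $3; next }
    $1 == "-A" {
      iface_in = ""; iface_out = ""; target = ""
      for (i = 2; i <= NF; i++) {
        if ($i == "-i") iface_in = $(i + 1)
        else if ($i == "-o") iface_out = $(i + 1)
        else if ($i == "-j") target = $(i + 1)
      }
      if (iface_in != "" && iface_in != in_nic) next
      if (iface_out != "" && iface_out != out_nic) next
      if (target == "ACCEPT" || target == "DROP" || target == "REJECT") {
        print target; found = 1; exit
      }
    }
    END { if (!found) print "POLICY:" policy }'
}
# check_pod_forwarding RULES OVN_NIC EXT_NIC: pod traffic needs ACCEPT in both
# directions (out to the external network and back to the pod).
check_pod_forwarding() {
  rules=$1; ovn_nic=$2; ext_nic=$3; rc=0
  for pair in "$ovn_nic $ext_nic" "$ext_nic $ovn_nic"; do
    set -- $pair
    verdict=$(forward_verdict "$rules" "$1" "$2")
    if [ "$verdict" = ACCEPT ]; then
      printf 'forward %s -> %s: ACCEPT\n' "$1" "$2"
    else
      printf 'forward %s -> %s: %s (pod traffic dropped)\n' "$1" "$2" "$verdict"; rc=1
    fi
  done
  return $rc
}
# Constructed sample: policy DROP and a rule only for traffic entering from ovn0,
# so replies arriving on eth0 and leaving via ovn0 hit the DROP policy.
BROKEN_CHAIN='-P FORWARD DROP
-A FORWARD -i ovn0 -j ACCEPT'
# Constructed sample with both NICs allowed in both directions.
FIXED_CHAIN="$BROKEN_CHAIN
-A FORWARD -o ovn0 -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth0 -j ACCEPT"
check_pod_forwarding "$BROKEN_CHAIN" ovn0 eth0 || echo "fix the FORWARD chain"
check_pod_forwarding "$FIXED_CHAIN" ovn0 eth0
```

On a real node, replace the constructed chains with `iptables -S FORWARD` output and the NIC names with ovn0 and the node's actual default outbound NIC.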

  • Physical environment

    To expose the IP address of a pod to the external network so that external systems can reach containers by that IP address, set natOutgoing of the corresponding subnet to false. In addition, add a static route on the external router whose next hop, for packets destined to the subnet CIDR, is any host in the cluster.

    The following is an example subnet configuration.

    vim subnet-gateway.yaml
    apiVersion: kubeovn.io/v1
    kind: Subnet
    metadata:
      name: subnet-gateway
    spec:
      protocol: IPv4
      default: false
      namespaces:
      - ns1
      - ns2
      cidrBlock: 100.64.0.0/16
      gateway: 100.64.0.1
      excludeIps:
      - 100.64.0.1
      private: false
      gatewayType: distributed   # use centralized with a gatewayNode in virtual network environments (see below)
      natOutgoing: false         # do not NAT outbound traffic, so the pod IP is visible externally

    kubectl create -f subnet-gateway.yaml

  • Virtual network environment

    If the next hop of the container network is set to a host in the cluster, security group or conntrack restrictions in the virtual network may drop packets because the outbound and return paths differ (asymmetric routing).

    In this case, set gatewayType to centralized and specify the corresponding gatewayNode. When an external system accesses a container, the next hop for the container CIDR must be the node specified by gatewayNode, so that traffic in both directions passes through the same node and the asymmetric routing restrictions are not triggered.