ip_masq with aliased ip addresses #172
Comments
|
/cc @morgante |
|
@aaron-lane after researching this, this is a bug. We do not and should not enable ip masq when using aliased ip addresses. |
|
@chrislovecnm The specific reasons for having this are two-fold:
I would be open to adding an additional flag which disables ip-masq. |
I verified with a couple different engineers that we do not need it. Do you have documentation to the contrary? Yes, having an additional flag for it would be great. I agree with you on the first use case that we need to provide that support. The reason this is a big inconvenience and a bit of a chicken and egg problem is that you cannot create the vpc, subnet, and private cluster from the same TF. You have to be on a bastion, or open up the api server endpoint (which I would not recommend). To be on a bastion, you have to have the subnet. Hence the chicken and egg problem. The base issues is that the Thanks |
It looks like that requirement might be out of date. I definitely see your use case. I suggest we add a Can you file a PR for this? If not we'll have someone handle it on our end. |
aaron-lane
added
enhancement
|
@morgante to clarify. Change this terraform-google-kubernetes-engine/autogen/masq.tf Lines 22 to 24 in d8e7850 To use a new variable: count = "${var.configure_ip_masq ? 1 : 0}" |
|
Yes. |
Aliased IP addresses do not require ip masqerading anymore. There are a few usecases where we would need ip masq, but usually it is not recommended to install ip masqerading. This variable allows for fine gain control on the installation of ip masq as it was always installed via the network_policy variable previsouly. configure_ip_masq defaults to false. Fixes: terraform-google-modules#172
Aliased IP addresses do not require ip masquerading anymore. There are few use cases where we would need ip masq, but usually it is not recommended to install ip masquerading. This variable allows for fine gain control on the installation of ip masq as it was always installed via the network_policy variable previously. configure_ip_masq defaults to false. Fixes: terraform-google-modules#172
Aliased IP addresses do not require ip masquerading anymore. There are few use cases where we would need ip masq, but usually it is not recommended to install ip masquerading. This variable allows for fine gain control on the installation of ip masq as it was always installed via the network_policy variable previously. configure_ip_masq defaults to false. Fixes: terraform-google-modules#172
Aliased IP addresses do not require ip masquerading anymore. There are few use cases where we would need ip masq, but usually it is not recommended to install ip masquerading. This variable allows for fine gain control on the installation of ip masq as it was always installed via the network_policy variable previously. configure_ip_masq defaults to false. Fixes: terraform-google-modules#172
Aliased IP addresses do not require ip masquerading anymore. There are few use cases where we would need ip masq, but usually it is not recommended to install ip masquerading. This variable allows for fine gain control on the installation of ip masq as it was always installed via the network_policy variable previously. configure_ip_masq defaults to false. Fixes: terraform-google-modules#172
Aliased IP addresses do not require ip masquerading anymore. There are few use cases where we would need ip masq, but usually it is not recommended to install ip masquerading. This variable allows for fine gain control on the installation of ip masq as it was always installed via the network_policy variable previously. configure_ip_masq defaults to false. Fixes: terraform-google-modules#172
When we have aliased ip addresses do we need ip_masq enabled for network policies?
https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/blob/master/modules/private-cluster/masq.tf#L22
I am seeing this and I am wondering if we do not need this when we have aliased ip subnets for the services and pods.
The text was updated successfully, but these errors were encountered: