The required feature described as a wish
Hi,
I’m currently experimenting with Anycast for Kubernetes clusters.
For this setup, I have two BGP router VMs that talk to multiple tenant worker nodes. The worker nodes should be able to announce external IPs for Kubernetes LoadBalancer services.
The goal is to have multiple tenants on a shared L2 network and use Security Groups for isolation.
The issue is that CloudStack does not know about these external IPs in my scenario, so traffic gets blocked on the hypervisor iptables layer. As far as I understand it, only IPs that CloudStack knows about are allowed as destination IPs for a specific VM.
Even if I create a separate network containing those external IPs, I cannot assign the same IP to multiple VMs. Because of that, real Anycast is not possible.
What would be useful is a way to allow additional destination IPs for a VM or Security Group without requiring CloudStack to assign those IPs directly to a single VM. This would allow external systems, like Kubernetes with BGP-based LoadBalancer announcements, to handle the IP ownership dynamically while CloudStack still provides L2 isolation and anti-spoofing.
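To make the gap concrete, here is an added illustration (not CloudStack's own code, and the chain and ipset names are invented for the example): a small POSIX shell generator that prints, without applying, the per-VM ingress filter the request describes (only CloudStack-known IPs accepted as destination, everything else dropped), and a second function showing how a per-Security-Group ipset of additional destination IPs would let two worker VMs both receive traffic for the same anycast address.

```shell
#!/bin/sh
# Added illustration, not CloudStack's real rule layout: every chain and
# ipset name below is an assumption. Functions print the commands instead
# of running them, so this needs no root and never touches a live firewall.

# Rules a "known IPs only" policy installs for one VM: accept traffic whose
# destination is an IP CloudStack assigned to the VM, drop anything else.
# $1 = VM tap interface (e.g. vnet3), $2.. = IPs CloudStack knows for the VM
vm_ingress_rules() {
  iface="$1"; shift
  chain="vm-${iface}-in"          # assumed chain name
  printf 'iptables -N %s\n' "$chain"
  for ip in "$@"; do
    printf 'iptables -A %s -d %s -j ACCEPT\n' "$chain" "$ip"
  done
  printf 'iptables -A %s -j DROP\n' "$chain"
}

# Wished-for extension: a Security Group level set of extra destination IPs.
# The set is keyed by group, not by VM, so the same anycast IP can be added
# for every worker in the group and no single VM has to "own" it.
# $1 = VM tap interface, $2 = security group name, $3.. = extra destination IPs
extra_dest_rules() {
  iface="$1"; sg="$2"; shift 2
  chain="vm-${iface}-in"
  set_name="sg-${sg}-extra-dst"   # assumed ipset name
  printf 'ipset create %s hash:ip -exist\n' "$set_name"
  for ip in "$@"; do
    printf 'ipset add %s %s -exist\n' "$set_name" "$ip"
  done
  # Inserted at the top of the VM chain, ahead of the final DROP.
  printf 'iptables -I %s -m set --match-set %s dst -j ACCEPT\n' "$chain" "$set_name"
}

# Constructed sample: two tenant workers on one L2 segment, each with its
# own CloudStack-assigned IP, both announcing the same anycast service IP.
demo() {
  vm_ingress_rules vnet3 10.0.0.5
  vm_ingress_rules vnet7 10.0.0.6
  extra_dest_rules vnet3 tenantA 203.0.113.10
  extra_dest_rules vnet7 tenantA 203.0.113.10
}
demo
```

Piping `demo` into `sh` on a test host would apply the printed commands; the point of the example is that the anycast IP `203.0.113.10` appears in both VMs' chains via the shared set, while source-side anti-spoofing and the per-VM accept list stay exactly as before.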