GKE IP masquerade configuration insights

This page describes the Network Analyzer insights for Google Kubernetes Engine (GKE) IP masquerade configuration. For information about all the insight types, see Insight groups and types.

Network Analyzer inspects the ip-masq-agent configuration and compares its nonMasqueradeCIDRs list with the cluster's Pod CIDR ranges.

ConfigMap is missing part of the Pod CIDR range

The ConfigMap for the ip-masq-agent configuration deployed on your GKE cluster appears to be missing part of the Pod CIDR ranges. This corresponds to the following warning message: Cluster's ip-masq-agent config map's nonMasqueradeCIDRs does not fully cover the Pod CIDR ranges. This means that intra-cluster traffic among the Pods uses the source node's IP address for Source Network Address Translation (SNAT), which can lead to connectivity issues when a firewall or network policy is in place.

This insight includes the following information:

  • ip-masq-agent ConfigMap: the ConfigMap of the ip-masq-agent component.
  • nonMasqueradeCIDRs: the field that specifies a list of destination IP address ranges in CIDR format for which source IP address SNAT is disabled.
  • Pod CIDR: the Pod CIDR range is a dedicated block of IP addresses that are reserved exclusively for assigning unique IP addresses to Pods within the cluster. Every Pod that runs in the cluster receives its own IP address from this range, which enables network communication.

For more information, see IP masquerade agent and Configuring an IP masquerade agent in Standard clusters.

Recommendations

Check the value of the Pod CIDR assigned to the cluster, and edit the ip-masq-agent ConfigMap to include all the Pod CIDR ranges in the nonMasqueradeCIDRs field. Including the Pod CIDR ranges helps ensure that traffic within the cluster isn't subject to IP masquerading.

ConfigMap is missing part of the Pod CIDR range and default SNAT disabled

Default SNAT is disabled in your GKE cluster because of the --disable-default-snat=true flag, and the self-deployed ip-masq-agent configuration is managing IP masquerade rules instead. Your custom configuration for the ip-masq-agent ConfigMap might not properly include the Pod CIDR ranges. This corresponds to the following warning message: Cluster's ip-masq-agent config map's nonMasqueradeCIDRs does not fully cover the Pod CIDR ranges and the flag disable-default-snat is set to true. As a result, Pod traffic might not be correctly masqueraded according to your intended policy.

This insight includes the following information:

  • ip-masq-agent ConfigMap: the ConfigMap of the ip-masq-agent component.
  • nonMasqueradeCIDRs: the field that specifies a list of destination IP address ranges in CIDR format for which source IP address SNAT is disabled.
  • Pod CIDR: the Pod CIDR range is a dedicated block of IP addresses that are reserved exclusively for assigning unique IP addresses to Pods within the cluster. Every Pod that runs in the cluster receives its own IP address from this range, which enables network communication.
  • custom config: the custom configuration for the ip-masq-agent ConfigMap overwrites the default nonMasqueradeCIDRs list. Your custom configuration entirely replaces the default ranges provided by the agent, so any range you omit is masqueraded.
  • disable-default-snat flag: the --disable-default-snat flag changes the default GKE SNAT behavior so that source Pod IP addresses are preserved for packets sent to all destinations.

For more information, see IP masquerade agent and Configuring an IP masquerade agent in Standard clusters.

Recommendations

Check the value of the Pod CIDR and custom configuration assigned to the cluster. Edit the ip-masq-agent ConfigMap to include all the Pod CIDR ranges in the nonMasqueradeCIDRs field. Including the Pod CIDR ranges helps ensure that traffic within the cluster isn't subject to IP masquerading.
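The recommendation in both insights above is the same: compare the Pod CIDR ranges with the nonMasqueradeCIDRs list and add whatever is missing. The following added example, which is not part of this page or of GKE's own tooling, reproduces that coverage check offline. It parses the nonMasqueradeCIDRs list from the ip-masq-agent config payload (the `config` key of the ConfigMap's data) and reports exactly which sub-ranges of each Pod CIDR would still be masqueraded. The config text, the Pod CIDR values and the function names are constructed for the example; the parser handles only the nonMasqueradeCIDRs block-style list, not arbitrary YAML.

```python
"""Check whether an ip-masq-agent config's nonMasqueradeCIDRs fully cover a
GKE cluster's Pod CIDR ranges (the check behind the insight on this page).

Added example: the config text and CIDR values are constructed (hypothetical);
the parser only understands the block-style nonMasqueradeCIDRs list.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample of the `config` payload of an ip-masq-agent ConfigMap.
# Hypothetical values, chosen so the second Pod range below is not covered.
SAMPLE_CONFIG = """\
nonMasqueradeCIDRs:
  - 10.0.0.0/8
  - 172.16.0.0/12
  - 192.168.0.0/16
masqLinkLocal: false
resyncInterval: 60s
"""

# Constructed Pod CIDR ranges, as you would read them from the cluster.
SAMPLE_POD_CIDRS = ["10.4.0.0/14", "100.64.0.0/16"]


def parse_non_masquerade_cidrs(config_text: str) -> list:
    """Return the networks listed under the nonMasqueradeCIDRs key."""
    nets = []
    in_list = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("nonMasqueradeCIDRs:"):
            in_list = True
            continue
        if in_list:
            item = re.match(r"-\s*(\S+)", line)
            if item:
                nets.append(ipaddress.ip_network(item.group(1).strip("\"'"), strict=False))
                continue
            in_list = False  # the next top-level key ends the list
    return nets


def uncovered_parts(pod_cidr, non_masq) -> list:
    """Return the sub-ranges of pod_cidr not inside any nonMasqueradeCIDR.

    CIDR blocks either nest or are disjoint, so a block that overlaps a
    remaining piece without containing it must lie strictly inside it and
    can be carved out with address_exclude().
    """
    remaining = [pod_cidr]
    for nm in non_masq:
        next_remaining = []
        for piece in remaining:
            if piece.version != nm.version or not piece.overlaps(nm):
                next_remaining.append(piece)      # untouched by this entry
            elif piece.subnet_of(nm):
                continue                          # fully covered: drop it
            else:
                next_remaining.extend(piece.address_exclude(nm))
        remaining = next_remaining
    return sorted(remaining)


def check_masquerade_coverage(config_text: str, pod_cidrs: List[str]) -> Dict[str, List[str]]:
    """Map each Pod CIDR with a gap to its uncovered sub-ranges.

    An empty dict means nonMasqueradeCIDRs fully cover the Pod CIDR ranges,
    so intra-cluster Pod-to-Pod traffic keeps its Pod source IP address.
    """
    non_masq = parse_non_masquerade_cidrs(config_text)
    gaps = {}
    for cidr_str in pod_cidrs:
        pod = ipaddress.ip_network(cidr_str, strict=False)
        missing = uncovered_parts(pod, non_masq)
        if missing:
            gaps[str(pod)] = [str(n) for n in missing]
    return gaps


if __name__ == "__main__":
    result = check_masquerade_coverage(SAMPLE_CONFIG, SAMPLE_POD_CIDRS)
    if result:
        print("nonMasqueradeCIDRs does not fully cover the Pod CIDR ranges:")
        for pod, missing in result.items():
            print(f"  {pod}: add {', '.join(missing)} to nonMasqueradeCIDRs")
    else:
        print("All Pod CIDR ranges are covered; Pod-to-Pod traffic is not masqueraded.")
```

The check reports sub-ranges rather than a yes/no answer so that the fix is the minimal addition to nonMasqueradeCIDRs: a Pod range split across two entries (for example 10.0.0.0/9 and 10.128.0.0/9 for a 10.0.0.0/8 Pod range) is correctly treated as covered, and a Pod range only half covered yields just the missing half. Feed it the real ConfigMap payload and the Pod CIDR values from your cluster to confirm the insight before editing the ConfigMap.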