GitHub user weizhouapache added a comment to the discussion: one to many secondary IP for a floating VIP with SG
> I agree that some type of flag would be good for safety, otherwise an API
> user won't know if they're allocating a shared secondary IP without first
> checking the allocation status. The UI would already recognize the IP as
> allocated and hide it on the NIC page, so that might need some adjustments to
> enable this behavior.
>
> I think Kubernetes clusters with a CNI-managed overlay will work well enough,
> since outbound traffic would get a SNAT with the primary VM IP of each node.
> In this scenario the inbound traffic would need a load balancer with a VIP
> for the control plane nodes and a VIP for an ingress controller (or other
> NodePort services), so only the VIPs would need to be able to float.
>
> Attaching pods directly to the network would get more complicated and the CNI
> would need to talk to the CloudStack API to attach/detach IPs. This is what
> Cilium does in AWS. In AWS there's also prefix delegation, because if the CNI
> keeps requesting /32s for each pod you hit a maximum on the ENI, and if it
> keeps adding ENIs you hit the maximum ENIs for the instance type. Prefix
> delegation allocates a /28 to the ENI (consuming the same capacity as a
> single /32 on the ENI) and pod addresses are assigned from that prefix.

Thanks for sharing, @dstoy53. Allocating a /28 subnet to the ENI seems like a good idea. I do not know how security groups work on the IPs (maybe allow all traffic at the hypervisor level and let the ingress controller manage it?)

GitHub link: https://github.com/apache/cloudstack/discussions/10979#discussioncomment-13726424

----
This is an automatically sent email for users@cloudstack.apache.org.
To unsubscribe, please send an email to: users-unsubscr...@cloudstack.apache.org
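As an added illustration of the prefix-delegation capacity point made in the quoted reply (example code written for this page, not CloudStack, Cilium or AWS code): a small Python model of an ENI whose address slots each hold either one /32 secondary IP or one delegated /28 prefix. The slot counts, the subnet 10.0.0.0/22 and the `Eni`, `fill` and `compare` names are constructed assumptions, and the model assumes all 16 addresses of a delegated /28 are assignable to pods. It shows why requesting a /32 per pod exhausts the ENI after `slots` pods, while a delegated prefix yields 16 pod addresses per slot and lets a detached pod's address be reused without touching the cloud API again.

```python
import ipaddress

PREFIX_LEN = 28                          # delegated prefix size (/28 = 16 addresses)
ADDRS_PER_PREFIX = 2 ** (32 - PREFIX_LEN)


class Eni:
    """An ENI with a fixed number of address slots (constructed limit).

    Each slot holds either one /32 secondary IP or one delegated /28
    prefix; this is the capacity equivalence described in the thread.
    """

    def __init__(self, subnet, slots, prefix_delegation):
        self.subnet = ipaddress.ip_network(subnet)
        self.slots = slots
        self.prefix_delegation = prefix_delegation
        self.prefixes = []       # delegated /28s, one slot each
        self.single_ips = []     # /32 secondary IPs, one slot each
        self.free_addrs = []     # unassigned addresses inside delegated prefixes
        self.pod_ips = {}        # pod name -> assigned address
        # Sequential allocation from the subnet. A real CNI would request
        # these from the cloud API; here they are carved out locally.
        self._prefix_iter = self.subnet.subnets(new_prefix=PREFIX_LEN)
        self._host_iter = self.subnet.hosts()

    def slots_used(self):
        return len(self.prefixes) + len(self.single_ips)

    def attach_pod(self, pod):
        """Assign an address to `pod`, or raise if the ENI is out of slots."""
        if self.prefix_delegation:
            if not self.free_addrs:
                if self.slots_used() >= self.slots:
                    raise RuntimeError("ENI address slots exhausted")
                prefix = next(self._prefix_iter)
                self.prefixes.append(prefix)
                # Assumption: every address in the delegated prefix is usable,
                # since the whole /28 is routed to the ENI as one unit.
                self.free_addrs.extend(prefix)
            addr = self.free_addrs.pop(0)
        else:
            if self.slots_used() >= self.slots:
                raise RuntimeError("ENI address slots exhausted")
            addr = next(self._host_iter)
            self.single_ips.append(addr)
        self.pod_ips[pod] = addr
        return addr

    def detach_pod(self, pod):
        """Release a pod's address; prefix addresses return to the local pool."""
        addr = self.pod_ips.pop(pod)
        if self.prefix_delegation:
            self.free_addrs.append(addr)
        else:
            self.single_ips.remove(addr)
        return addr


def fill(eni, max_pods):
    """Attach pods until the ENI refuses; return how many fit."""
    count = 0
    for i in range(max_pods):
        try:
            eni.attach_pod(f"pod-{i}")
        except RuntimeError:
            break
        count += 1
    return count


def compare(slots, subnet="10.0.0.0/22"):
    """Pods per ENI without and with prefix delegation, for `slots` slots."""
    plain = fill(Eni(subnet, slots, prefix_delegation=False), 10_000)
    delegated = fill(Eni(subnet, slots, prefix_delegation=True), 10_000)
    return plain, delegated


if __name__ == "__main__":
    # constructed slot count; real per-ENI limits depend on the instance type
    print(compare(slots=3))
```

The `fill` loop reproduces the failure mode the reply describes: with per-pod /32s the ENI runs out after `slots` pods and the CNI would have to add another ENI, whereas with delegation the same slots carry 16 times as many pods and `detach_pod` recycles addresses locally.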