===201908追記===
今なら Cloud NAT 使うのがいいと思います
===追記おわり===
タイトルのとおりですが、こんなことする人はあまりいないと思います。ingressをstaticにするのは簡単ですが、egressはやり方調べても情報がなくて苦労しました。
今回のケースでは、GKEである処理を行うworkerを作っていて、その処理の途中で外部のサーバへ接続してデータを取ってくる必要があるのですが、その外部のサーバがIPアドレスによるアクセス制限をかけていました。 そのため、アクセスするIPアドレスを申請する必要があり、どのnodeからリクエストしてもそのegressのIPアドレスを固定したいという状況です。
やり方を一言でいうと、NAT用のinstanceを立てる、です。
johnlabarge/gke-nat-example を参考にしました。
IP, network, subnet, NAT用instanceなどいろいろと作らなくてはいけなくて大変なので、deployment-managerを使って設定を書いていきます。
imports: - path: myapp-with-nat.jinja resources: - name: myapp-with-nat type: myapp-with-nat.jinja properties: region: asia-northeast1 zone: asia-northeast1-a cluster_name: myapp num_nodes: 3
myapp-with-nat.jinja.scheme
info: title: MyApp GKE cluster with NAT description: Creates a MyApp GKE Cluster with a nat route required: - zone - cluster_name - num_nodes properties: region: type: string description: GCP region default: asia-northeast1 zone: type: string description: GCP zone default: asia-northeast1-a cluster_name: type: string description: Cluster Name default: "myapp" num_nodes: type: integer description: Number of nodes default: 3
myapp-with-nat.jinja
resources: ######## Static IP ######## - name: {{ properties["cluster_name"] }}-static-address type: compute.v1.address properties: region: {{ properties["region"] }} ######## Network ############ - name: {{ properties["cluster_name"] }}-nat-network type: compute.v1.network properties: autoCreateSubnetworks: false ######### Subnets ########## ######### For Cluster ######### - name: {{ properties["cluster_name"] }}-cluster-subnet type: compute.v1.subnetwork properties: network: $(ref.{{ properties["cluster_name"] }}-nat-network.selfLink) ipCidrRange: 172.16.0.0/12 region: {{ properties["region"] }} ########## NAT Subnet ########## - name: nat-subnet type: compute.v1.subnetwork properties: network: $(ref.{{ properties["cluster_name"] }}-nat-network.selfLink) ipCidrRange: 10.1.1.0/24 region: {{ properties["region"] }} ########## NAT VM ########## - name: nat-vm type: compute.v1.instance properties: zone: {{ properties["zone"] }} canIpForward: true tags: items: - nat-to-internet machineType: https://www.googleapis.com/compute/v1/projects/{{ env["project"] }}/zones/{{ properties["zone"] }}/machineTypes/f1-micro disks: - deviceName: boot type: PERSISTENT boot: true autoDelete: true initializeParams: sourceImage: https://www.googleapis.com/compute/v1/projects/debian-cloud/global/images/debian-7-wheezy-v20150423 networkInterfaces: - network: projects/{{ env["project"] }}/global/networks/{{ properties["cluster_name"] }}-nat-network subnetwork: $(ref.nat-subnet.selfLink) accessConfigs: - name: External NAT type: ONE_TO_ONE_NAT natIP: $(ref.{{ properties["cluster_name"] }}-static-address.address) metadata: items: - key: startup-script value: | #!/bin/sh # -- # --------------------------- # Install TCP DUMP # Start nat; start dump # --------------------------- apt-get update apt-get install -y tcpdump apt-get install -y tcpick iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE nohup tcpdump -e -l -i eth0 -w /tmp/nat.pcap & nohup tcpdump -e -l -i eth0 > /tmp/nat.txt & echo 1 | tee /proc/sys/net/ipv4/ip_forward ########## FIREWALL RULES FOR NAT VM ########## - name: nat-vm-firewall type: compute.v1.firewall properties: allowed: - IPProtocol : tcp ports: [] sourceTags: - route-through-nat network: $(ref.{{ properties["cluster_name"] }}-nat-network.selfLink) - name: nat-vm-ssh type: compute.v1.firewall properties: allowed: - IPProtocol : tcp ports: [22] sourceRanges: - 0.0.0.0/0 network: $(ref.{{ properties["cluster_name"] }}-nat-network.selfLink) ########## GKE CLUSTER CREATION ########## - name: {{ properties["cluster_name"] }} type: container.v1.cluster metadata: dependsOn: - {{ properties["cluster_name"] }}-nat-network - {{ properties["cluster_name"] }}-cluster-subnet properties: cluster: name: {{ properties["cluster_name"] }} initialNodeCount: {{ properties["num_nodes"] }} network: {{ properties["cluster_name"] }}-nat-network subnetwork: {{ properties["cluster_name"] }}-cluster-subnet nodeConfig: oauthScopes: - https://www.googleapis.com/auth/compute - https://www.googleapis.com/auth/devstorage.read_write - https://www.googleapis.com/auth/logging.write - https://www.googleapis.com/auth/monitoring - https://www.googleapis.com/auth/bigquery tags: - route-through-nat zone: {{ properties["zone"] }} ########## GKE MASTER ROUTE ########## - name: master-route type: compute.v1.route properties: destRange: $(ref.{{ properties["cluster_name"] }}.endpoint) network: $(ref.{{ properties["cluster_name"] }}-nat-network.selfLink) nextHopGateway: projects/{{ env["project"] }}/global/gateways/default-internet-gateway priority: 100 tags: - route-through-nat ########## NAT ROUTE ########## - name: {{ properties["cluster_name"] }}-route-through-nat metadata: dependsOn: - {{ properties["cluster_name"] }} - {{ properties["cluster_name"] }}-nat-network type: compute.v1.route properties: network: $(ref.{{ properties["cluster_name"] }}-nat-network.selfLink) destRange: 0.0.0.0/0 description: "route all other traffic through nat" nextHopInstance: $(ref.nat-vm.selfLink) tags: - route-through-nat priority: 800
長いので説明は省きますが、読めばなんとなく分かると思います。
これで、
deployment-manager deployments create myapp --config myapp.yml