Kubernetes treats any IP address in the 10.0.0.0/8 range as local. If you want to connect to a service outside the cluster whose IP address falls within 10.0.0.0/8, you need a custom iptables rule that excludes that address from what Kubernetes considers local. You can do this with a DaemonSet:
```yaml
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Note: extensions/v1beta1 DaemonSets were removed in Kubernetes 1.16;
# newer clusters need apps/v1 plus a spec.selector matching the pod labels.
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: k8s-custom-iptables
  labels:
    app: k8s-custom-iptables
    version: v1
spec:
  template:
    metadata:
      labels:
        name: k8s-custom-iptables
    spec:
      # The pod runs in the node's network namespace so it can edit the node's iptables.
      hostNetwork: true
      containers:
      - name: k8s-custom-iptables
        # Privileged: this container has full access to the node.
        securityContext:
          privileged: true
        image: gcr.io/google_containers/k8s-custom-iptables:1.0
        imagePullPolicy: Always
        command: [ "sh", "-c", "/run.sh" ]
        resources:
          requests:
            cpu: 5m
            memory: 10Mi
        volumeMounts:
        # The ConfigMap below is mounted at /cfg.
        - mountPath: /cfg
          name: cfg
      volumes:
      - name: cfg
        configMap:
          name: k8s-custom-iptables
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: k8s-custom-iptables
data:
  # Range to exclude from what Kubernetes treats as local.
  nat.rules: "10.200.0.0/16"
```
The specific IP address or IP address range you want to exclude is configured in the ConfigMap at this part:
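Because the DaemonSet above runs privileged on every node, it is worth checking the `nat.rules` value before applying it. The following is an added example, not part of the original page or of the k8s-custom-iptables project. The function name, the cluster CIDRs, and the assumption that entries are separated by whitespace or commas are all hypothetical.

```python
import ipaddress

# The range the page says Kubernetes treats as local.
LOCAL_RANGE = ipaddress.ip_network("10.0.0.0/8")

# Assumed cluster-internal ranges (constructed values; substitute your
# cluster's real pod and service CIDRs).
CLUSTER_RANGES = [
    ipaddress.ip_network("10.4.0.0/14"),  # assumed pod CIDR
    ipaddress.ip_network("10.8.0.0/20"),  # assumed service CIDR
]


def check_nat_rules(value, cluster_ranges=CLUSTER_RANGES):
    """Return a list of problems in a nat.rules value; an empty list means OK.

    Assumes entries are separated by whitespace or commas (the page only
    shows a single CIDR).
    """
    entries = value.replace(",", " ").split()
    if not entries:
        return ["nat.rules is empty"]
    problems = []
    for entry in entries:
        try:
            # strict=True rejects entries with host bits set, e.g. 10.200.0.1/16
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            problems.append(f"{entry}: not a valid CIDR ({exc})")
            continue
        if net.version != 4 or not net.subnet_of(LOCAL_RANGE):
            # Only addresses inside 10.0.0.0/8 need an exclusion rule.
            problems.append(f"{entry}: outside {LOCAL_RANGE}, no exclusion needed")
            continue
        if net == LOCAL_RANGE:
            problems.append(f"{entry}: excludes the whole local range")
        for internal in cluster_ranges:
            # Excluding in-cluster addresses would change how pod and
            # service traffic is handled, which is not the page's intent.
            if net.overlaps(internal):
                problems.append(f"{entry}: overlaps cluster range {internal}")
    return problems
```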