DEV Community: Abhijeet Mohanan

A Pod with Public IP

Abhijeet Mohanan — Tue, 16 Sep 2025 18:44:31 +0000

Did you know? Pods can have public IP address and a dedicated security group

Summary

Recently I was working on deploying telephony systems on AWS EKS, While doing so I realized that running media servers based on RTP (Real-time Transport Protocol) behind a NAT gateway is not a feasible option.

Problem

For RTP to work both the ends should be able to communicate directly over a Network (Internet / Intranet).
The AWS NAT Gateway doesn't allow ingress traffic to flow in, making it not possible to handle real-time streaming in a private subnet. image ref

An Easy Solution:

An easy solution would be to make an EKS worker node public, open up the security groups, and voila – things would start working.

Security issues with this solution:

However, this approach comes with a significant security flaw. RTP, by nature, requires a large range of ports to enable concurrent streaming. To achieve this, around 10,000 ports would need to be whitelisted in the security group. If higher concurrency is required, even more ports would be necessary.
This scenario opens up ports used by NodePort, potentially granting unwanted access to your environment.

The Ideal Solution:

The pod has a Public static IP
The pod has a dedicated network interface
The pod has a dedicated Security Group

If the above conditions are met it will make the environment a reliable and secure one.

How to achieve this is AWS EKS

Prerequisite

AWS EKS Cluster with AWS VPC-CNI
Elastic IP
Security Group

Step1: Enabling dedicated Network interface for pods.

The first step is to configure VPC-CNI to assign a dedicated network interface to a pod.

To do so add the following variable to the aws-node daemonset

"ENABLE_POD_ENI": "true"

If you are using AWS Managed VPC-CNI add the following to the advanced configuration

{
  "env": {
    "ENABLE_POD_ENI": "true"
  }
}

Once this change is implemented the CNI (VPC-CNI) is ready to assign specific network interfaces to pods.
By default nothing will change all the existing and newly created will run and behave as expected.

Step2: Assigning Security Group to the pod

AWS offers a CRD(custom resource definition) vpcresources.k8s.aws/v1beta1 using this a SecurityGroupPolicy can be created as follows.

cat > securitygrouppolicy.yaml <<EOF
apiVersion: vpcresources.k8s.aws/v1beta1
kind: SecurityGroupPolicy
metadata:
  name: media-stream-sg-policy
  namespace: myns
spec:
  podSelector:
    matchLabels:
      app: media-servers
  securityGroups:
    groupIds:
      - sg-e3edxxxxx
EOF

The security group sg-e3edxxxxx is expected to be existing in the VPC

Apply the manifest

kubectl apply -f securitygrouppolicy.yaml

Create a pod with label app: media-servers

cat > pod.yaml <<EOF
# This is a sample pod 
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: media-servers
  name: media-servers-pod
  namespace: myns
spec:
  containers:
    image: public.ecr.aws/docker/library/nginx:stable-alpine
EOF

Apply the manifest

kubectl apply -f pod.yaml

Once the pod is running state get the IP address of the pod.

# To get the IP address 
kubectl get pods -n myns -o wide

# output 
#NAME                  READY   STATUS              RESTARTS   AGE     IP             NODE                                         NOMINATED NODE   READINESS GATES
#media-servers-pod     1/1     Running             0          5m57s   110.46.35.231  ip-110-46-4-191.eu-west-1.compute.internal   <none>           <none>

Copy the IP address and look it up on the AWS Console EC2 > Network & Security > Network interfaces

This IP now will be associated to a dedicated Network Interface which also has the security group attached to it.

Now you have a pod with a dedicated network interface and a security group attached to it

Note the interface ID.

Step3: Assigning Elastic IP to the pod

By default a Public IP is not associated to the network interface as well as you need a set of static IP so that the external world can communicate with [ Helps with whitelisting ]

Goto AWS Console EC2 > Elastic IP

Allocate a new IP or use an existing one.

Once the Elastic IP is allocated, Associate the IP address with the network interface obtained in step2.

Lets make it simpler

Run the following command to achieve the binding easily


ALLOCATION_ID="eipalloc-xxxx" # Get it from the Elastic IP Description
POD_IP="110.46.35.231" 
AWS_REGION="eu-west-1"

aws ec2 associate-address --allocation-id $ALLOCATION_ID --network-interface-id $(aws ec2 describe-network-interfaces  --filters "Name=private-ip-address,Values=$POD_IP" --query "NetworkInterfaces[].NetworkInterfaceId"  --output text --no-paginate) --private-ip-address $POD_IP --allow-reassociation

The above command can be run in an init-container to make sure the IP is always bound to the pod.

Documents

Deploying kubernetes on containers using kind

Abhijeet Mohanan — Fri, 05 Feb 2021 11:15:30 +0000

Kind is an installation tool used to deploy kubernetes cluster in containers.
We all need a simple, easy method to deploy kubernetes for testing and practice.

From the Documentation

kind is a tool for running local Kubernetes clusters using Docker container “nodes”.
kind was primarily designed for testing Kubernetes itself, but may be used for local development or CI.

List of Contents

Installing Docker
Getting kind binary
Getting kubectl binary
Deploying a single node cluster
Deploying Multi node Cluster
Deploying a Multi Master
Accessing Kubernetes Cluster
Deploying and Accessing multiple clusters

Let's Get Started!

For using kind you need to install docker

curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
sudo systemctl start docker && sudo systemctl enable docker
sudo usermod -aG docker $USER
sudo systemctl restart docker

If you are facing an issue while installing docker please refer Install Docker

Log out and Log in once and fire the command docker ps if the command is executed successfully docker is ready for use

Create a Directory

mkdir $HOME/bin/

Add the following parameters to .bashrc at your home directory

export PATH=$PATH:$HOME/bin/

Getting the kind binary

curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.10.0/kind-linux-amd64
chmod +x kind
mv kind $HOME/bin/kind

Log out and Log in once and fire the command below this should provide you with the current version of the command.

kind --version

Getting kubectl binary

curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
chmod +x kubectl
mv kubectl $HOME/bin/kubectl

Log out and Log in once and fire the command below this should provide you with the current version of the command.

kubectl version

Creating cluster using kind:

Deploying a single node cluster
<your_cluster_name> replace with a name you wish

kind create cluster --name <your_cluster_name>

If you want to access your cluster Refer to Accessing Kubernetes Cluster below

Deploying a multi node cluster
kind can be provided with a config file where the number nodes and their roles can be mentioned.

config.yaml

kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
- role: worker
- role: worker
- role: worker

Fire the command below for deploying the cluster

kind create cluster --config config.yaml --name <your_cluster_name>

A Multimaster kubernetes cluster can be deployed by editing the config.yaml file

kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
- role: control-plane
- role: worker
- role: worker
- role: worker

Fire the command below for the deployment of Multimaster Kubernetes cluster

kind create cluster --config config.yaml --name <your_cluster_name>

Accessing The Kubernetes cluster

The file $HOME/.kube/config is created by default,do

kubectl get nodes

Deploying and accessing multiple clusters

You can specify different names for different clusters

kind create cluster --config config.yaml --name <your_cluster_name>

This clusters can be managed by using the configuration file that can be generated by using the command
<Cluster_config_filename> replace this parameter with a filename

kind get clusters \\ This will list all the clusters that are running

kind get kubeconfig --name <your_cluster_name> >> <Cluster_config_filename>

export KUBECONFIG=<Cluster_config_filename>

Now your kubectl is configured to use the specific cluster

There are various configurations that can be done while deploying a kubernetes cluster

A sample configuration file is given below
you can use these configuration to your advantage

kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
featureGates:
  # any feature gate can be enabled here with "Name": true
  # or disabled here with "Name": false
  "CSIMigration": true
runtimeConfig:
  "api/alpha": "false"
networking:
  # network configuration for nodes 
  ipFamily: ipv6
  apiServerAddress: "127.0.0.1"
  apiServerPort: 6443
  podSubnet: "10.244.0.0/16"
  serviceSubnet: "10.96.0.0/12"
  disableDefaultCNI: true
  kubeProxyMode: "ipvs"
nodes:
# one node hosting a control plane
- role: control-plane
  kubeadmConfigPatches:
  - |
    kind: InitConfiguration
    nodeRegistration:
      kubeletExtraArgs:
        node-labels: "my-label=true"
- role: worker
  extraMounts:
  # with the extraMounts parameter one can attach persistent volume to the node 
  - hostPath: /path/to/my/files/
    containerPath: /files
  extraPortMappings:
  - containerPort: 80
    hostPort: 80
    # optional: set the bind address on the host
    # 0.0.0.0 is the current default
    listenAddress: "127.0.0.1"
    # optional: set the protocol to one of TCP, UDP, SCTP.
    # TCP is the default
    protocol: TCP
- role: worker
  kubeadmConfigPatches:
  - |
    kind: JoinConfiguration
    nodeRegistration:
      kubeletExtraArgs:
        node-labels: "my-label2=true"
- role: worker
  image: kindest/node:v1.16.4@sha256:b91a2c2317a000f3a783489dfb755064177dbc3a0b2f4147d50f04825d016f55

The deployment gets ready in much easier and faster way you can save the docker image and copy it to your local machine for further use.