Allow IP-based routing via Linkerd

[junoriosity]

Hi everyone, for some services like Stripe, it makes sense to enforce maximum security. Among other things, this can be done by restricting the IP range that is allowed to interact with Stripe via a given API key.

Now, when I have a Kubernetes cluster from Digitalocean, that can autoscale, we will have new nodes with dynamically allocated external IPs. When a pod connects is running on that new node, it cannot interact with, say, Stripe, anymore, because the external IP of the new external IP is likely not known to Stripe.

My question is now: Is that somehow possible to overcome via Linkerd? If so, do you have an example?

[alpeb]

Hi, this doesn't sound like something I would address with linkerd. What I would do is have a single service responsible for interacting with Stripe servers, backed by a workload with an affinity for a known set of nodes, whose IPs you'd white-list in Stripe's config.