    - CIDR_1 and CIDR_2: the IP address ranges in CIDR format. When packets are sent to these destinations, your cluster does not masquerade the source IP address and preserves the source Pod IP address. If you need more than two CIDRs, add more entries to the `destinations` list following the same format.
2. Deploy the new policy:

        kubectl create -f egress_nat_policy.yaml

3. Verify that the policy is deployed by checking the Kubernetes events:

        kubectl get events

    The output is similar to the following:

        LAST SEEN   TYPE     REASON           OBJECT                     MESSAGE
        13s         Normal   EnsuringPolicy   egressnatpolicy/mypolicy   Ensuring IP masquerade config for policy "mypolicy"
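The manifest and the `kubectl create -f` step above take the `destinations` list on trust. Because a NoSNAT destination keeps the Pod source IP address, a range that is too wide (for example `0.0.0.0/0`) or a typo with host bits set can silently stop masquerading for traffic whose destination has no route back to the Pod IP address range. The following is an added example, not code from this page or from GKE: it renders the `egress_nat_policy.yaml` layout shown above from a name and a CIDR list, and lints a parsed manifest before it is applied. The `/8` breadth threshold, the policy names and the sample ranges are assumptions made for this example; the default-policy ranges are the ones listed on this page.

```python
"""Pre-apply lint for an EgressNATPolicy manifest (added example, not GKE code).

Checks apiVersion/kind, the NoSNAT action, CIDR syntax and host bits,
duplicates, ranges already covered by the default policy, and ranges that
are so wide they would effectively turn masquerading off.
"""
from __future__ import annotations

import ipaddress
from typing import Any

EXPECTED_API_VERSION = "networking.gke.io/v1"
EXPECTED_KIND = "EgressNATPolicy"

# Default non-masquerade destinations, as listed in this page's default policy.
DEFAULT_NOSNAT_CIDRS = [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "240.0.0.0/4",
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "100.64.0.0/10",
    "198.18.0.0/15", "192.0.0.0/24", "192.88.99.0/24",
]
DEFAULT_NETWORKS = [ipaddress.ip_network(c) for c in DEFAULT_NOSNAT_CIDRS]

# Assumption for this lint: a NoSNAT destination wider than /8 is almost
# certainly a mistake; 0.0.0.0/0 would preserve Pod IPs for every destination.
MIN_PREFIX_LEN = 8


def render_manifest(name: str, cidrs: list[str]) -> str:
    """Emit the manifest in the layout used by egress_nat_policy.yaml."""
    lines = [
        "kind: EgressNATPolicy",
        f"apiVersion: {EXPECTED_API_VERSION}",
        "metadata:",
        f"  name: {name}",
        "spec:",
        "  action: NoSNAT",
        "  destinations:",
    ]
    lines.extend(f"  - cidr: {c}" for c in cidrs)
    return "\n".join(lines) + "\n"


def lint_policy(policy: dict[str, Any]) -> list[str]:
    """Return findings for a parsed manifest; an empty list means it passes."""
    findings: list[str] = []
    if policy.get("apiVersion") != EXPECTED_API_VERSION:
        findings.append(f"apiVersion must be {EXPECTED_API_VERSION}")
    if policy.get("kind") != EXPECTED_KIND:
        findings.append(f"kind must be {EXPECTED_KIND}")
    if not policy.get("metadata", {}).get("name"):
        findings.append("metadata.name is required")
    spec = policy.get("spec", {})
    if spec.get("action") != "NoSNAT":
        findings.append("spec.action must be NoSNAT")
    destinations = spec.get("destinations") or []
    if not destinations:
        findings.append("spec.destinations must contain at least one cidr")

    seen = set()
    for i, dest in enumerate(destinations):
        raw = dest.get("cidr") if isinstance(dest, dict) else None
        if not raw:
            findings.append(f"destinations[{i}]: missing cidr")
            continue
        try:
            # strict=True rejects host bits set, e.g. 10.1.2.3/8
            net = ipaddress.ip_network(raw, strict=True)
        except ValueError as exc:
            findings.append(f"destinations[{i}]: invalid cidr {raw!r}: {exc}")
            continue
        if net in seen:
            findings.append(f"destinations[{i}]: duplicate cidr {raw}")
        seen.add(net)
        if net.prefixlen < MIN_PREFIX_LEN:
            findings.append(f"destinations[{i}]: {raw} is wider than "
                            f"/{MIN_PREFIX_LEN}; it would disable masquerade "
                            "for a very large range")
        for default in DEFAULT_NETWORKS:
            if net.version == default.version and net.subnet_of(default):
                findings.append(f"destinations[{i}]: {raw} is already covered "
                                f"by the default policy range {default}")
                break
    return findings


# Constructed sample inputs (the shape yaml.safe_load() returns for the
# manifest on this page). The ranges are placeholders for on-premises
# networks reached over a VPN, not real assignments.
GOOD_POLICY = {
    "apiVersion": "networking.gke.io/v1", "kind": "EgressNATPolicy",
    "metadata": {"name": "onprem-nosnat"},
    "spec": {"action": "NoSNAT",
             "destinations": [{"cidr": "172.32.0.0/16"}, {"cidr": "198.20.0.0/16"}]},
}
BAD_POLICY = {
    "apiVersion": "networking.gke.io/v1", "kind": "EgressNATPolicy",
    "metadata": {"name": "too-broad"},
    "spec": {"action": "NoSNAT", "destinations": [
        {"cidr": "0.0.0.0/0"},        # turns masquerading off for everything
        {"cidr": "10.1.2.3/8"},       # host bits set
        {"cidr": "192.168.10.0/24"},  # already in the default policy
    ]},
}

if __name__ == "__main__":
    print(render_manifest("onprem-nosnat", ["172.32.0.0/16", "198.20.0.0/16"]))
    for label, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(label, lint_policy(policy) or "OK")
```

In practice you would load the file with `yaml.safe_load()` (PyYAML is assumed to be available for that step and is not used in the block itself), run `lint_policy` on the result, and only then run `kubectl create -f egress_nat_policy.yaml`. The "already covered by the default policy" finding is informational: it does not break anything, but it usually means the range belongs in the default policy rather than in a second policy that duplicates it.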
Last updated: 2025-06-18 (UTC)

# Use Egress NAT Policy to configure IP masquerade in Autopilot clusters

[Autopilot](/kubernetes-engine/docs/concepts/autopilot-overview)

*** ** * ** ***

This page explains how to configure clusters created in the Google Kubernetes Engine (GKE) Autopilot mode to perform [IP masquerade](/kubernetes-engine/docs/concepts/ip-masquerade-agent) with the Egress NAT Policy.

For more information about IP masquerading in GKE Standard mode, see [Configure an IP masquerade agent](/kubernetes-engine/docs/how-to/ip-masquerade-agent).

Overview
--------

The GKE *Egress NAT policy* lets you configure the IP masquerade behavior for Autopilot clusters.

GKE supports two automatically generated Egress NAT policies:

- A policy managed by GKE, which is fixed and not editable.
- The default policy, which is editable.

This page shows you how to edit and deploy an Egress NAT policy, either by editing the default policy or by creating a new Egress NAT policy. This page also shows you how to delete an Egress NAT policy that you created.

For more information about Egress NAT policy behavior, see the [traffic masquerade behavior for Autopilot clusters](/kubernetes-engine/docs/concepts/ip-masquerade-agent#egress-nat-policy).

Before you begin
----------------

Before you start, make sure that you have performed the following tasks:

- Enable the Google Kubernetes Engine API. [Enable Google Kubernetes Engine API](https://console.cloud.google.com/flows/enableapi?apiid=container.googleapis.com)
- If you want to use the Google Cloud CLI for this task, [install](/sdk/docs/install) and then [initialize](/sdk/docs/initializing) the gcloud CLI. If you previously installed the gcloud CLI, get the latest version by running `gcloud components update`. **Note:** For existing gcloud CLI installations, make sure to set the `compute/region` [property](/sdk/docs/properties#setting_properties). If you primarily use zonal clusters, set `compute/zone` instead. By setting a default location, you can avoid errors in the gcloud CLI like the following: `One of [--zone, --region] must be supplied: Please specify location`. You might need to specify the location in certain commands if the location of your cluster differs from the default that you set.
- Ensure that you have an Autopilot cluster running version 1.23.4-gke.1600 or later, or 1.22.7-gke.1500 or later. Your cluster must have [GKE Dataplane V2 enabled](/kubernetes-engine/docs/how-to/dataplane-v2#create-cluster).
- Ensure that your cluster has a workload running. For more information, see [how to request resources](/kubernetes-engine/docs/concepts/autopilot-resource-requests#how-to-request).

Check Egress NAT policy status
------------------------------

You can check whether your cluster has the Egress NAT policy custom resource definition (CRD) installed by using the Google Cloud CLI and kubectl:

1. Get the credentials for your cluster:

        gcloud container clusters get-credentials CLUSTER_NAME

    Replace CLUSTER_NAME with the name of the cluster.
2. Check that the Egress NAT policy CRD is installed:

        kubectl get crds egressnatpolicies.networking.gke.io

    If the CRD is installed, the output is similar to the following:

        NAME                                  CREATED AT
        egressnatpolicies.networking.gke.io   2022-03-16T21:05:43Z

3. Get the list of the existing Egress NAT policies:

        kubectl get egressnatpolicies

    The output is similar to the following:

        NAME             AGE
        default          44h
        gke-bbfa6c0e-1   44h

Edit the existing default policy
--------------------------------

GKE supports two automatically generated NAT policies, the [default policy](/kubernetes-engine/docs/concepts/ip-masquerade-agent#default-policy) and the [managed by GKE policy](/kubernetes-engine/docs/concepts/ip-masquerade-agent#managed-by-gke-policy). The default policy is editable and configures the [default non-masquerade destinations](/kubernetes-engine/docs/concepts/ip-masquerade-agent#default-non-masq-dests).

To edit the existing default policy, perform the following steps:

1. Get the credentials for your cluster:

        gcloud container clusters get-credentials CLUSTER_NAME

    Replace CLUSTER_NAME with the name of your cluster.
2. Edit the default Egress NAT policy:

        kubectl edit egressnatpolicies default

3. Add or remove destinations with the NoSNAT action as `cidr` entries in [CIDR format](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing):

        apiVersion: networking.gke.io/v1
        kind: EgressNATPolicy
        metadata:
          name: default
        spec:
          action: NoSNAT
          destinations:
          - cidr: 10.0.0.0/8
          - cidr: 172.16.0.0/12
          - cidr: 192.168.0.0/16
          - cidr: 240.0.0.0/4
          - cidr: 192.0.2.0/24
          - cidr: 198.51.100.0/24
          - cidr: 203.0.113.0/24
          - cidr: 100.64.0.0/10
          - cidr: 198.18.0.0/15
          - cidr: 192.0.0.0/24
          - cidr: 192.88.99.0/24

    When packets are sent to these destinations, your cluster does not masquerade the source IP address and preserves the source Pod IP address.
4. Verify that the edited default policy is deployed by checking the Kubernetes events:

        kubectl get events

    The output is similar to the following:

        LAST SEEN   TYPE     REASON           OBJECT                    MESSAGE
        13s         Normal   EnsuringPolicy   egressnatpolicy/default   Ensuring IP masquerade config for policy "default"

    Your changes might take up to three minutes to apply.

Deploy a new Egress NAT policy
------------------------------

To add new destinations with the NoSNAT action, you can use one of the following options:

- You can [edit the existing default policy](#edit-default-egress-nat-policy).
- You can create a new Egress NAT policy.

Because traffic to NoSNAT destinations keeps the Pod source IP address, only add destinations that can route replies back to your cluster's Pod IP address range; a destination that is reachable only through masquerading will not receive a usable source address.

To create a new Egress NAT policy that is not part of the default policy, perform the following steps:

1. Save the following manifest as `egress_nat_policy.yaml`:

        kind: EgressNATPolicy
        apiVersion: networking.gke.io/v1
        metadata:
          name: POLICY_NAME
        spec:
          action: NoSNAT
          destinations:
          - cidr: CIDR_1
          - cidr: CIDR_2

    Replace the following:
    - POLICY_NAME: the name of your new policy.
    - CIDR_1 and CIDR_2: the IP address ranges in [CIDR format](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing). When packets are sent to these destinations, your cluster does not masquerade the source IP address and preserves the source Pod IP address. If you need more than two CIDRs, add more entries to the `destinations` list following the same format.
2. Deploy the new policy:

        kubectl create -f egress_nat_policy.yaml

3. Verify that your policy is deployed by checking the Kubernetes events:

        kubectl get events

    The output is similar to the following:

        LAST SEEN   TYPE     REASON           OBJECT                     MESSAGE
        13s         Normal   EnsuringPolicy   egressnatpolicy/mypolicy   Ensuring IP masquerade config for policy "mypolicy"

Delete an Egress NAT policy
---------------------------

To completely delete an Egress NAT policy, run the following command:

    kubectl delete egressnatpolicies POLICY_NAME

Replace POLICY_NAME with the name of the policy you want to delete.

| **Note:** We recommend that you do not delete the default Egress NAT policy, because it contains the default CIDR ranges that the cluster might require to keep operating. For more information about the default Egress NAT policy, see [Egress NAT automatically generated policies](https://cloud.google.com/kubernetes-engine/docs/concepts/ip-masquerade-agent#automatically_generated_policies).

What's next
-----------

- [Learn how to create a VPC-native cluster](/kubernetes-engine/docs/how-to/alias-ips).
- [Read the GKE network overview](/kubernetes-engine/docs/concepts/network-overview).
- [Learn about configuring authorized networks](/kubernetes-engine/docs/how-to/authorized-networks).