Networking

STACKIT Kubernetes Engine (SKE) implements standard Kubernetes networking concepts with STACKIT-specific enhancements. This documentation explains:

• Project types: Public vs. STACKIT Network Area (SNA) configurations.
• IP management: Allocation rules for nodes, routers, and load balancers.
• DNS requirements: Resolution for public/private clusters.
• Load balancers: Expose services internally or publicly.
• Private clusters: Restrict access to the Kubernetes control plane.

Foreword

Your STACKIT project type determines the network setup for Kubernetes clusters on SKE. When creating a project, you choose between two configurations:

• Public: Internet-facing services with automatic public IP assignments.
• STACKIT Network Area: Allows projects within an organization to be connected to each other on a network level.

This initial choice affects:

• Egress traffic routing
• IP address management
• Integration with on-premise environments
• Compliance requirements

Public projects

STACKIT Kubernetes Engine clusters are internet-facing by default.

Key characteristics

• All egress traffic routes through a single router with a fixed public IPv4 address.
• Nodes do not receive public IPs (services use load balancers for external exposure).
• Automatic infrastructure provisioning (network, subnet, security groups, router).

Cluster creation

1. No network customization required.
2. The system:
   • creates a public IP from the STACKIT IP pool.
   • creates a dedicated router and assigns the public IP (IP persists for the cluster’s lifecycle).

SKE clusters in a public project automatically create their infrastructure, including a network, subnet, security groups, router and public IP. No customization steps are needed. The router receives an available IPv4 address from the STACKIT IP pool. This egress IP address remains fixed throughout the cluster’s lifecycle and cannot be changed. All egress traffic is routed through the router in your Kubernetes cluster using this IP address.

Egress IP address

To find the egress IP address for your cluster, you can use one of the following methods:

Via Portal

1. Visit the STACKIT Portal.

2. Select your project.

3. Navigate to Runtime > Kubernetes Engine.

4. Click on your cluster.

You can find the Egress IP on the cluster Overview page in the General information panel.

Via IaaS API

1. Use the ListNetworks endpoint to retrieve the network ID.

2. Use the GetNetwork endpoint and pass along the network ID.

The egress IP can be found under ipv4 in the publicIp field.

Via OpenStack CLI

1. List all OpenStack routers to find the one associated with your cluster:

   # The router is named `shoot--xyz-name`, where `name` is the cluster name
   openstack router list

2. Copy the router’s ID and use it to show more details:

   openstack router show <ID>

The egress IP can be found under external_fixed_ips.ip_address located in the external_gateway_info field.

SNA projects

The STACKIT Network Area enables private connectivity across projects and on-premise environments, supporting hybrid cloud scenarios.

Before you can set up a Kubernetes cluster on SKE in an SNA, you need to create the SNA itself within your Organization and a network. For more information, refer to Create and manage STACKIT Network Areas.

The following content will help you plan the configurations of these services for your cluster.

Configuration requirements

Take these requirements into consideration, before you start configuring your Kubernetes cluster on SKE within an SNA.

Network ranges (CIDR blocks)

You’ll need to define two network ranges via CIDR-notation:

Expand

Range Type	Purpose	Example CIDR
Network	Node & load balancer allocation	10.0.0.0/22
Transfer	Router IP allocation	192.168.0.0/24

Network size cannot be modified after creation. Kubernetes clusters in an SNA require a public DNS server to obtain internet access.

IP allocation

You’ll need to reserve the following number of IP addresses for operational purposes:

Expand

Resource	IPs Required
Node/VM	1 (per node/VM)
Load balancer	5 (per load balancer)
Router interface	1

After you’ve set up an SNA with a publicly resolvable DNS and subnets you can continue to set up your cluster. During setup, an SNA network must be selected, which will become the network for the cluster.

Private clusters

This feature is currently locked behind a feature flag and has not been released as GA (general availability) yet. Open a ticket with STACKIT Support to request access for your organization or project.

By default, your Kubernetes control plane is exposed to the public internet. This is equivalent to setting accessScope: "PUBLIC". If you set accessScope: "SNA" instead, your Kubernetes control plane will only be exposed within the SNA. This is called a private SKE cluster.

Limitations

Private clusters ("accessScope": "SNA") and the ACL extension ("acl": { "enabled": true }) are mutually exclusive. If you need the ACL extension, you can’t use a private cluster.

Read “How to enable private clusters” for more information.

Further information

Visit the following pages to dive deeper into specific topics related to SKE networking:

• Load balancing
• STACKIT Network Area (SNA)
• Create and manage STACKIT Network Areas