How to put a Kubernetes or Docker Swarm service behind a firewall

9/11/2017

I have been playing a little with Kubernetes and Docker Swarm as two alternatives for managing containers in a self-hosted solution. What I could not find a straight forward answer to, is how should I put a service behind a firewall in each of them.

From what I saw in Docker Swarm and also in Kubernetes (when using NodePort), eventually a service is exposed on the IP addresses of the hosts running in the cluster, and requests are being routed to the services running in the cluster, regardless of the host you hit.

Now suppose I want to put a service behind a firewall. I need an IP address to configure in the FW as the target IP address, right? I don't want to use any specific host IP address because eventually hosts may come and go, and I don't want a single host as a single-point-of-failure.

Any pointers are highly appreciated!

-- Moshe B.
docker
docker-swarm
kubernetes

1 Answer

9/11/2017

Technically, what you put behind a firewall is not your service, but a whole Kubernetes cluster. If you have solid support for a LoadBalancer type service, it will get exposed with some public IP, through the LB, hence traffic will pass Client > LB > ClusterNodes. As you see, all you need is to allow connections from the load balancer to the cluster nodes.

In some provisioners / environments you will get this kind of behaviour by default. For example KOPS, when provisioned with private topology, will put your cluster nodes in an internal network which is closed for connections from the outside world other than via the LB (or a bastion).

-- Radek 'Goblin' Pieczonka
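To illustrate the answer's Client > LB > ClusterNodes path, here is an added example manifest (not code from the question or the answer) contrasting the NodePort exposure the asker describes with a LoadBalancer Service. The Deployment name `web`, the label `app: web`, the container port 8080 and the client CIDR are placeholders; `loadBalancerSourceRanges` is only enforced by cloud providers that support it.

```yaml
# Variant 1 (what the question describes): NodePort publishes the port on
# every node's own IP, so a firewall rule would have to target node IPs that
# may come and go.
apiVersion: v1
kind: Service
metadata:
  name: web-nodeport
spec:
  type: NodePort
  selector:
    app: web                  # assumed pod label
  ports:
    - port: 80
      targetPort: 8080        # assumed container port
      nodePort: 30080         # opened on every node in the cluster
---
# Variant 2 (what the answer recommends): the cloud provider allocates one
# stable LB address; the firewall / security groups only need to allow
# traffic from the LB to the nodes, not from clients to individual nodes.
apiVersion: v1
kind: Service
metadata:
  name: web
spec:
  type: LoadBalancer
  selector:
    app: web                  # assumed pod label
  ports:
    - port: 80                # port on the LB address
      targetPort: 8080        # assumed container port
  # Restrict which client networks the LB accepts (placeholder CIDR;
  # honoured only where the provider's LB implements it).
  loadBalancerSourceRanges:
    - 203.0.113.0/24
  # Preserve the client source IP and skip the extra node-to-node hop:
  # the LB only forwards to nodes actually running a matching pod.
  externalTrafficPolicy: Local
```

Apply with `kubectl apply -f service.yaml` and read the allocated address from `kubectl get svc web` (the EXTERNAL-IP column) to use as the firewall target.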
Source: StackOverflow