I have received a public IP address for my Kubernetes service which I can configure as a LoadBalancer IP in my NGINX ingress. This public IP address can be accessed from the public internet.
Is there a way or some configuration through which I can make these services accessible only from my client network in Kubernetes?
Using Network Policy is nice. But a simpler approach would be to set the ExternalIP of the nginx ingress controller to the IP address in the client network. This exposes the services only on the client network.
Below is the sample configuration for helm:
helm install --name my-ingress stable/nginx-ingress \
--set controller.service.externalIPs=<IP address in client network>
With Kubernetes Nginx Ingress it is as simple as setting an annotation on your ingress object like:
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/whitelist-source-range: '8.8.8.8/32'
You can, as suggested, make use of the VPN and create an internal LoadBalancer, or you can check the Network Policies, which I consider the Kubernetes standard way to implement your solution.
By default, if no policies exist in a namespace, then all ingress and egress traffic is allowed to and from pods in that namespace. The following examples let you change the default behavior in that namespace.
You will need to create a NetworkPolicy resource; in the spec you will have to describe the behaviour making use of the available fields. I recommend you check the official documentation for more info regarding the structure.
PolicyTypes:
...
ingress: Each NetworkPolicy may include a list of whitelist ingress rules. Each rule allows traffic which matches both the from and ports sections. The example policy contains a single rule, which matches traffic on a single port, from one of three sources, the first specified via an ipBlock, the second via a namespaceSelector and the third via a podSelector.
...
Keep in mind that in order to implement them you need to use a networking solution which supports NetworkPolicy; if you just create the resource without a controller to implement it, it will have no effect.
Example of policy:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978
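To make the ipBlock semantics of the example policy concrete (cidr allows, except carves holes out of it, and the ports section must match as well), here is an added evaluator that is not part of any answer above. It models only the ipBlock peer of the policy, embedded as a constructed dict; namespaceSelector and podSelector peers need cluster label data and are skipped.

```python
import ipaddress

# Constructed from the NetworkPolicy in the answer above; only the ipBlock
# peer is kept, since selector peers cannot be evaluated without cluster state.
POLICY = {
    "policyTypes": ["Ingress", "Egress"],
    "ingress": [
        {
            "from": [
                {"ipBlock": {"cidr": "172.17.0.0/16", "except": ["172.17.1.0/24"]}},
            ],
            "ports": [{"protocol": "TCP", "port": 6379}],
        }
    ],
}


def ip_block_matches(block, src_ip):
    """True if src_ip lies inside cidr and outside every except range."""
    ip = ipaddress.ip_address(src_ip)
    if ip not in ipaddress.ip_network(block["cidr"], strict=False):
        return False
    return not any(ip in ipaddress.ip_network(e, strict=False)
                   for e in block.get("except", []))


def port_matches(rule, protocol, port):
    """An empty ports list matches every port; otherwise protocol and port must match."""
    ports = rule.get("ports", [])
    if not ports:
        return True
    return any(p.get("protocol", "TCP") == protocol and p.get("port") == port
               for p in ports)


def ingress_allowed(policy, src_ip, protocol, port):
    """Decide whether a connection from src_ip to protocol/port is admitted.

    A policy that does not list Ingress in policyTypes imposes no ingress
    restriction. Otherwise the connection must match both the 'from' and the
    'ports' section of at least one rule (an empty 'from' means any source).
    """
    if "Ingress" not in policy.get("policyTypes", ["Ingress"]):
        return True
    for rule in policy.get("ingress", []):
        if not port_matches(rule, protocol, port):
            continue
        peers = rule.get("from", [])
        if not peers:
            return True
        if any(p.get("ipBlock") and ip_block_matches(p["ipBlock"], src_ip) for p in peers):
            return True
    return False
```

ingress_allowed(POLICY, "172.17.2.5", "TCP", 6379) returns True, while a source in the except range such as 172.17.1.7, a source outside the cidr, or any other port or protocol returns False.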