hostnetwork pod - only 1 container should expose to the internet

5/20/2018

These are my first steps to the kubernetes world so excuse me if my terms are not used right etc. I am running a single node kubernetes setup without external load balancer and I have deployed a pod with two containers. One mysql database and a powerdns. Powerdns should expose port 53 to the internet while mysql should expose its port only in the cluster. Therefore I set the following:

"hostNetwork: true" for the pod
"hostPort" for the powerdns container and not for mysql

Service for port 3306 with "type: ClusterIP"

Now everything is running. Powerdns can connect to the mysql and is exposed on port 53 to the internet. But contrary to my assumption the mysql database is exposed to the internet too.

Could anyone give me a hint to what I am doing wrong?

-- Clark Nova
kubernetes
kubernetes-pod

1 Answer

5/20/2018

Using hostNetwork: true allows your whole pod (all containers in it) to bind ports to the host, which you already identified as problematic.

First of all, you should consider moving the mysql container out of your pod. Using multiple containers is supposed to group containers working as one unit (e.g. an application and a background process closely communicating with each other).

Think in services. Your service PowerDNS is a service user itself as it requires a database, something the application PowerDNS doesn't provide. You want another service for MySQL. Take a look at the documentation (one, two) for StatefulSets as it uses MySQL as an example (running databases on Kubernetes is one of the more complex tasks). Create a ClusterIP service for this. ClusterIP services are only available from within the cluster (your database is an internal service, so that's what you want).

This way, your PowerDNS pod will only feature one container that you can bind to your host network. But using hostNetwork: true is not a good idea in general. You won't be able to create multiple instances of your application (in case PowerDNS scales), it's fine for first steps though. A load balancer in front of your setup would be better. You can use NodePort services to make your service available on a high-value port which your load balancer proxies connections to.

-- embik
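The layout the answer describes, as added example manifests (not from the question or the answer): MySQL behind a ClusterIP Service, PowerDNS in its own single-container pod without hostNetwork, and a NodePort Service for DNS that a load balancer can forward port 53 to. The MySQL pod selector label, the placeholder image name and the node port 30053 are assumptions; the MySQL StatefulSet itself is left to the linked documentation.

```yaml
# ClusterIP Service for MySQL: reachable only inside the cluster.
apiVersion: v1
kind: Service
metadata:
  name: mysql
spec:
  type: ClusterIP
  selector:
    app: mysql            # label assumed on the MySQL StatefulSet pods
  ports:
    - port: 3306
      targetPort: 3306
---
# PowerDNS in its own pod: a single container, no hostNetwork, no hostPort.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: powerdns
spec:
  selector:
    matchLabels:
      app: powerdns
  template:
    metadata:
      labels:
        app: powerdns
    spec:
      containers:
        - name: powerdns
          image: example.invalid/powerdns:latest   # placeholder image
          ports:
            - containerPort: 53
              protocol: UDP   # add a TCP entry the same way if needed
---
# NodePort Service: DNS answered on port 30053 of the node; an external
# load balancer forwards 53 -> 30053. MySQL has no such Service.
apiVersion: v1
kind: Service
metadata:
  name: powerdns
spec:
  type: NodePort
  selector:
    app: powerdns
  ports:
    - protocol: UDP
      port: 53
      targetPort: 53
      nodePort: 30053
```

PowerDNS reaches the database through the cluster DNS name `mysql` on port 3306; after applying, `kubectl get svc` should list `mysql` as ClusterIP with no node port and `powerdns` with `53:30053/UDP`.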
Source: StackOverflow