I have a Docker image which runs a Python subprocess, which is a node.js server exposing an endpoint /check. The whole thing is put inside a Kubernetes pod and uses /check as the readinessProbe endpoint.
Now at some point, I want to close this endpoint or force-fail all the requests coming at it. Ideally, I want to do this via higher-level entities (i.e. Kubernetes lifecycle hooks) so as not to touch the lower-level implementation (such as opening a new endpoint /stop that switches some boolean flag and forces the /check to fail).
Is that possible at all? If not, what is the best alternative?
> Is that possible at all? If not, what is the best alternative?
I believe there are a few:
- Requests to /check coming from Kubernetes will come from the Node's SDN IP address (so if a Node's SDN subnet is 10.10.5.0/24, then requests will come from 10.10.5.1), so you could permit the checks from the .1 of the /24 assigned to the Pod.
- The httpGet readinessProbe allows httpHeaders: so you could turn on HTTP Basic auth for /check and then put the - name: Authentication value: Basic xxyyzz== in the httpHeaders:
- Add a 2nd container to the Pod that runs haproxy and filters /check requests to return 401 or 404 or whatever you want. Since all containers in a Pod share the same networking namespace, configuring haproxy to speak to your node.js server will be super trivial, and your readinessProbe (as well as liveness) can continue to use the URL because only Kubernetes will have access to it by using the non-haproxy container's port. To complete that loop, point the Service at the haproxy container's port.
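
The sidecar arrangement from the last option, as an added example that is not part of the original answer. The object names, the image names and tags, and ports 3000 (node.js) and 8080 (haproxy) are assumptions.

```yaml
# Added example. Names, images and ports are assumptions, not from the post.
apiVersion: v1
kind: ConfigMap
metadata:
  name: check-filter
data:
  haproxy.cfg: |
    defaults
      mode http
      timeout connect 5s
      timeout client 30s
      timeout server 30s
    frontend public
      bind *:8080
      # Refuse /check for anything that arrives through the Service
      http-request deny deny_status 404 if { path /check } || { path_beg /check/ }
      default_backend app
    backend app
      # Same Pod, same network namespace: the app is reachable on loopback
      server node 127.0.0.1:3000
---
apiVersion: v1
kind: Pod
metadata:
  name: app
  labels: {app: app}
spec:
  volumes:
    - name: cfg
      configMap: {name: check-filter}
  containers:
    - name: node-server
      image: registry.example/app:placeholder   # constructed image name
      ports: [{containerPort: 3000}]
      readinessProbe:            # kubelet probes the app port, bypassing haproxy
        httpGet: {path: /check, port: 3000}
    - name: haproxy
      image: haproxy:2.8
      ports: [{containerPort: 8080}]
      volumeMounts:
        - {name: cfg, mountPath: /usr/local/etc/haproxy, readOnly: true}
---
apiVersion: v1
kind: Service
metadata:
  name: app
spec:
  selector: {app: app}
  ports:
    - {port: 80, targetPort: 8080}   # only the haproxy port is published
```

The Service publishes only port 8080, but anything that can route to the Pod IP can still connect to port 3000 directly, so a NetworkPolicy restricting ingress to 8080 is worth adding where the CNI enforces one.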