Exclusive client affinity

12/5/2018

I am aware that client affinity is possible for a LoadBalancer type service in Kubernetes. The thing is that this affinity doesn't forbid that two different clients access the same pod.

Is it possible to associate a pod exclusively always to the same client?

Thanks in advance and have a really nice day!

--
affinity
client
ip
kubernetes
pod

3 Answers

12/5/2018

No, this would imply that you’re running one copy of the service for every client which is a very non standard way to do things so you’ll have to build it yourself.

-- coderanger
Source: StackOverflow

12/5/2018

Not exactly to a POD.

You can use session affinity based on Client IP, that is of course only if the Client IP is static and only one client per IP.

apiVersion: v1
kind: Service
metadata:
  name: wlp-service
  labels:
    app: wlp-service
spec:
  type: LoadBalancer
  sessionAffinity: ClientIP
  ports:
  - port: 443
    targetPort: 7443
    name: https
  - port: 80
    targetPort: 7080
    name: http
  selector:
    app: POD_NAME

Second option is session affinity based on Cookies. This will work if there are several clients from the same IP, as cookies are stored locally on Client computer.

You will need to use an Ingress object and generate cookies. Your Ingress deployment will need to have:

Annotations:
  affinity: cookie
  session-cookie-hash:      sha1/md5/index #choose one
  session-cookie-name:      INGRESSCOOKIE #name used in cookie value

You can read more about those two ways in Redirect your users to the same pod by using session affinity on Kubernetes on medium.com

If I'm not mistaken Session Affinity will work only if IPVS kernel modules are installed on the node before running kube-proxy.

Run kube-proxy in IPVS Mode

Currently, local-up scripts, GCE scripts, and kubeadm support switching IPVS proxy mode via exporting environment variables (KUBE_PROXY_MODE=ipvs) or specifying flag (--proxy-mode=ipvs). Before running IPVS proxier, please ensure IPVS required kernel modules are already installed.

ip_vs
ip_vs_rr
ip_vs_wrr
ip_vs_sh
nf_conntrack_ipv4

Finally, for Kubernetes v1.10, feature gate SupportIPVSProxyMode is set to true by default. For Kubernetes v1.11, the feature gate is entirely removed. However, you need to enable --feature-gates=SupportIPVSProxyMode=true explicitly for Kubernetes before v1.10.

Please check this StackOverflow question: Is it possible to route traffic to a specific Pod? You can also read more about IPVS in IPVS-Based In-Cluster Load Balancing Deep Dive

-- Crou
Source: StackOverflow

12/5/2018

To only allow a specific external client(s) to access a specific Pod/Deployment you can use whitelisting/source ranges. Restrictions can be applied to LoadBalancers as loadBalancerSourceRanges. You add a section to the Service like:

  loadBalancerSourceRanges:
  - 130.211.204.1/32
  - 130.211.204.2/32

But not all cloud providers currently support it.

Alternatively you could expose the Pod with an Ingress and apply whitelisting on the Ingress. For whitelisting with an nginx Ingress you can add an annotation to the Ingress such as nginx.ingress.kubernetes.io/whitelist-source-range: 49.36.X.X/32

-- Ryan Dawson
Source: StackOverflow
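The two Service-level settings from the answers above (sessionAffinity: ClientIP and loadBalancerSourceRanges) are easy to get subtly wrong, so here is an added example, not from any of the answers, of a small audit over the parsed manifest: it flags a missing or catch-all source range, an unparsable CIDR, missing ClientIP affinity, and ClientIP affinity without externalTrafficPolicy: Local (without Local the node may see the load balancer's address rather than the client's, so the affinity key is not the real client). The SERVICE dict is a constructed sample equivalent to what yaml.safe_load() would return for a manifest like Crou's; audit_service and client_allowed are hypothetical helper names.

```python
import ipaddress

# Constructed sample (not from the original answers): the dict form of a
# LoadBalancer Service, i.e. what yaml.safe_load() returns for the manifest.
SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "wlp-service"},
    "spec": {
        "type": "LoadBalancer",
        "sessionAffinity": "ClientIP",
        "externalTrafficPolicy": "Local",
        "loadBalancerSourceRanges": ["130.211.204.1/32", "130.211.204.2/32"],
        "ports": [{"port": 443, "targetPort": 7443, "name": "https"}],
        "selector": {"app": "wlp-service"},
    },
}


def audit_service(svc):
    """Return a list of findings for a Service; an empty list means it passes."""
    findings = []
    spec = svc.get("spec", {})
    if spec.get("type") != "LoadBalancer":
        return findings  # these checks only concern LoadBalancer Services
    ranges = spec.get("loadBalancerSourceRanges") or []
    if not ranges:
        findings.append("no loadBalancerSourceRanges: any source may reach the LB")
    for cidr in ranges:
        try:
            # strict=False mirrors the API server, which accepts host bits set
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append(f"invalid CIDR in loadBalancerSourceRanges: {cidr!r}")
            continue
        if net.prefixlen == 0:
            findings.append(f"{cidr} admits every source address")
    if spec.get("sessionAffinity") != "ClientIP":
        findings.append("sessionAffinity is not ClientIP: a client may hit several pods")
    elif spec.get("externalTrafficPolicy") != "Local":
        # kube-proxy keys affinity on the source IP the node sees; without
        # externalTrafficPolicy: Local that can be the load balancer's address
        findings.append("ClientIP affinity without externalTrafficPolicy: Local")
    return findings


def client_allowed(svc, client_ip):
    """True if client_ip falls inside one of the Service's source ranges."""
    addr = ipaddress.ip_address(client_ip)
    ranges = svc.get("spec", {}).get("loadBalancerSourceRanges") or []
    return any(addr in ipaddress.ip_network(c, strict=False) for c in ranges)
```

Note that loadBalancerSourceRanges is enforced by the cloud provider's load balancer, so the third answer's caveat about provider support applies to the first check as well.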