K
Q

Change Kubernetes Instance Template to open HTTPS port

3/5/2019

I was using NodePort to host a webapp on Google Container Engine (GKE). It allows you to directly point your domains to the node IP address, instead of an expensive Google load balancer. Unfortunately, instances are created with HTTP ports blocked by default, and an update locked down manually changing the nodes, as they are now created using and Instance Group/and an Immutable Instance Template.

I need to open port 443 on my nodes, how do I do that with Kubernetes or GCE? Preferably in an update resistant way.

enter image description here

Related github question: https://github.com/nginxinc/kubernetes-ingress/issues/502

-- Ray Foss
google-compute-engine
kubernetes

Similar Questions

Kubernetes showing Image Pull Error while scheduling pods
K8s: why is there no easy way to get notifications if a pod becomes unhealthy and is restarted?
How to change the response of rest contolloer during runtime
Why does my Dask client show zero workers, cores, and memory?

3 Answers

3/6/2019

If I understand correctly, if nodes can be destroyed and recreated themselves , how are you going to rest assured that certain service behind port reliably available on production w/o any sort of load balancer which takes care of route orchestration diverting port traffic to new node(s)

-- AnilR
Source: StackOverflow
3/7/2019

You can do everything you do on the GUI Google Cloud Console using the Cloud SDK, most easily through the Google Cloud Shell. Here is the command for adding a network tag to a running instance. This works, even though the GUI disabled the ability to do so

gcloud compute instances add-tags gke-clusty-pool-0-7696af58-52nf --zone=us-central1-b --tags https-server,http-server

This also works on the beta, meaning it should continue to work for a bit. See https://cloud.google.com/sdk/docs/scripting-gcloud for examples on how to automate this. Perhaps consider running on a webhook when downtime is detected. Obviously none of this is ideal.

Alternatively, you can change the templates themselves. With this method you can also add a startup to new nodes, which allows you do do things like fire a webhook with the new IP Address for a round robin low downtime dynamic dns.

Source (he had the opposite problem, his problem is our solution): https://stackoverflow.com/a/51866195/370238

-- Ray Foss
Source: StackOverflow
3/5/2019

Using port 443 on your Kubernetes nodes is not a standard practice. If you look at the docs you and see the kubelet option --service-node-port-range which defaults to 30000-32767. You could change it to 443-32767 or something. Note that every port under 1024 is restricted to root.

In summary, it's not a good idea/practice to run your Kubernetes services on port 443. A more typical scenario would be an external nginx/haproxy proxy that sends traffic to the NodePorts of your service. The other option you mentioned is using a cloud load balancer but you'd like to avoid that due to costs.

-- Rico
Source: StackOverflow