Kubernetes for securing service endpoints?

3/16/2019

So I have a very small microservice architecture built using Eureka service discovery. The problem I am facing right now is that I only want my service endpoints to accept requests from my API gateway; as it is right now, you can just make a request straight to the service and hit that service endpoint. Is this a problem Kubernetes would solve? Or is there a more practical way of doing this?

-- matt
devops
kubernetes
microservices
netflix-eureka
spring

2 Answers

3/16/2019

You should be using network policies to control the traffic between the services.

-- P Ekambaram
Source: StackOverflow
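The NetworkPolicy approach from the answer above, as an added example that is not part of the original thread. It assumes a namespace called shop, gateway pods labelled app=api-gateway, a Spring service listening on 8080 whose pods are labelled app=order-service, and a Eureka server pod labelled app=eureka-server on 8761 (all of these names and ports are assumptions). The first policy denies all inbound traffic to every pod in the namespace; the second re-opens the service to gateway pods only; the third is needed because a default-deny policy would otherwise also block service registration and heartbeats to Eureka.

```yaml
# Added example, not from the original thread. Assumes namespace "shop",
# gateway pods labelled app=api-gateway, service pods labelled
# app=order-service (port 8080), and the Eureka server labelled
# app=eureka-server (port 8761), with every Eureka client carrying
# the label role=eureka-client.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop
spec:
  podSelector: {}          # selects every pod in the namespace
  policyTypes:
    - Ingress              # no ingress rules listed, so all inbound traffic is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: order-service-from-gateway-only
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: order-service
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:     # only pods with this label, in the same namespace
            matchLabels:
              app: api-gateway
      ports:
        - protocol: TCP
          port: 8080       # the container port the Spring service listens on
---
# Without this rule the default-deny policy would also stop the services
# (and the gateway) from registering with and sending heartbeats to Eureka.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: eureka-from-clients
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: eureka-server
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              role: eureka-client
      ports:
        - protocol: TCP
          port: 8761
```

Apply with kubectl apply -f and then check from a pod that is not the gateway (kubectl exec into it and curl the service's ClusterIP): the connection should hang and time out, while the same curl from a gateway pod succeeds. Two caveats: the policy is enforced at the pod level, so it applies whether the caller goes through the Service or straight to the pod IP, and it only works on a cluster whose CNI plugin implements NetworkPolicy (Calico, Cilium, Weave Net and similar); on a plugin that does not, the objects are accepted by the API server but enforce nothing, which is easy to mistake for working.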

3/16/2019

In Kubernetes, the services you want to expose internally use service type ClusterIP. This is the default anyway, which means services are accessible within the cluster only. Your API gateway is exposed as a LoadBalancer service type, which then takes traffic from the external world and talks to services internally. Depending on your cloud provider, you can use a firewall in front of the load balancer, since you can compromise security by simply exposing the load balancer; e.g. on Azure Kubernetes you could use Application Gateway. You can also replace the API gateway with an ingress controller. It's a very powerful reverse proxy controller which you can expose directly to traffic, and that would talk to your services internally.

You really need to understand the concepts, so I would recommend the following links:

https://kubernetes.io/docs/concepts/services-networking/service/

https://blog.getambassador.io/kubernetes-ingress-nodeport-load-balancers-and-ingress-controllers-6e29f1c44f2d

-- Imran Arshad
Source: StackOverflow
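The two service types described in the answer above, as an added example that is not part of the original thread. It assumes the same namespace shop and labels app=order-service / app=api-gateway as before, and the CIDR 203.0.113.0/24 is a TEST-NET placeholder standing in for whatever range (office, WAF, partner) is allowed to reach the gateway; all of these are assumptions.

```yaml
# Added example, not from the original thread. Assumes namespace "shop",
# pod labels app=order-service and app=api-gateway, and uses
# 203.0.113.0/24 (TEST-NET) as a placeholder for the allowed source range.
apiVersion: v1
kind: Service
metadata:
  name: order-service
  namespace: shop
spec:
  type: ClusterIP           # the default: gets a cluster-internal IP only, no external reachability
  selector:
    app: order-service
  ports:
    - port: 80              # port clients inside the cluster connect to
      targetPort: 8080      # container port of the Spring service
---
apiVersion: v1
kind: Service
metadata:
  name: api-gateway
  namespace: shop
spec:
  type: LoadBalancer        # cloud provider allocates an external load balancer and IP
  selector:
    app: api-gateway
  ports:
    - port: 443
      targetPort: 8443
  # Restricts which client CIDRs the cloud load balancer accepts; the
  # provider translates this into firewall / security-group rules.
  loadBalancerSourceRanges:
    - 203.0.113.0/24
```

Note what ClusterIP does and does not give you: order-service is unreachable from the internet, but any pod in the cluster can still resolve order-service.shop.svc and call it directly, which is exactly the situation the question describes. ClusterIP answers the "from outside" half; restricting who inside the cluster may call the service is what a NetworkPolicy on the service's pods is for, and the two are meant to be used together. loadBalancerSourceRanges is honoured by the major cloud providers (GKE, EKS, AKS) but not by every load balancer implementation, so verify it by probing from an address outside the range after the load balancer is provisioned.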