Expose ingress path inside cluster but not on public?

3/17/2019

I have a pod that has the following chart:

ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    # ...
  paths:
    - /api/myservice

My pod exposes an API and additionally a /prometheus endpoint that is accessible through /api/myservice/prometheus.

I would like to have Prometheus visible inside my cluster but not from /api/myservice/prometheus. How can I achieve that?

-- pixel
kubernetes
kubernetes-helm
kubernetes-ingress
nginx-ingress

4 Answers

3/18/2019

Change the endpoint to point to your API: /api/myservice/my-api, or use the app-root annotation to point to your API inside /api/myservice:

nginx.ingress.kubernetes.io/app-root: /path/to/my/app/root/dir

More details here: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#rewrite

-- Abhi
Source: StackOverflow

3/17/2019

The best way to achieve this would be to remove the Prometheus endpoint from the ingress. As you may be aware, Prometheus supports auto discovery using annotations on the service: configure Prometheus for k8s auto discovery and then add annotations in your service YAML file. https://prometheus.io/docs/prometheus/latest/configuration/configuration/#kubernetes_sd_config

-- Akash Srivastava
Source: StackOverflow

3/20/2019

You can add an Ingress rule that redirects the endpoint to the default-backend:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: block
  annotations:
    ingress.kubernetes.io/ssl-redirect: "true"
    ingress.kubernetes.io/rewrite-target: /
spec:
  tls:
  - hosts:
    - myapp.to
  rules:
  - host: myapp.to
    http:
      paths:
      - path: /metrics
        backend:
          serviceName: ingress-default-backend
          servicePort: 8080

-- Amityo
Source: StackOverflow

3/18/2019

If you just need internal access, I don't think you should put it into ingress. You could make use of the DNS service that already comes with the Kubernetes cluster.

If your Prometheus service is running in the same namespace as your working pod, you could use the following address to access it.

http://prometheus-svc-name

If your prometheus service is running in a different namespace, you could use:

http://prometheus-svc-name.prometheus-namespace.svc.cluster.local

to access the service.

Update:

The question is clearer after the comments.

You could write another rule to hide your /prometheus endpoint like this:

ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    # ...
  paths:
    - /api/myservice => myservice
    - /api/myservice/prometheus => 404 default backend.

nginx-ingress will match the longest route first. It will route /api/myservice/prometheus to 404. See this documentation

-- Fei
Source: StackOverflow
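
A check for the longest-match behaviour described in the answers above, as an added example that is not part of any answer: it models Kubernetes `Prefix` path matching over constructed Ingress objects (shaped like `networking.k8s.io/v1` items from `kubectl get ingress -o json`) and reports whether the metrics path still reaches the application Service. The Service name `myservice`, its port and all helper names are assumptions; `myapp.to` and `ingress-default-backend` come from the answers.

```python
"""Audit which Service an external request path reaches through Ingress rules."""

def prefix_match(rule_path, request_path):
    # Kubernetes "Prefix" pathType compares whole path segments, not characters.
    rule = [s for s in rule_path.split("/") if s]
    req = [s for s in request_path.split("/") if s]
    return req[:len(rule)] == rule

def resolve(ingresses, host, request_path):
    """Return the Service chosen by the longest matching path, or None."""
    best = None
    for ing in ingresses:
        for rule in ing["spec"].get("rules", []):
            if rule.get("host") not in (None, host):  # no host = any host
                continue
            for p in rule.get("http", {}).get("paths", []):
                path = p.get("path", "/")
                if prefix_match(path, request_path) and (
                        best is None or len(path) > len(best[0])):
                    best = (path, p["backend"]["service"]["name"])
    return best[1] if best else None

def exposed(ingresses, host, sensitive_paths, blocked_backends):
    """Sensitive paths that still resolve to an application Service.
    No matching rule (None) means the controller's default backend answers."""
    return [p for p in sensitive_paths
            if resolve(ingresses, host, p) not in blocked_backends | {None}]

def ingress(host, path, service, port):
    # Builds a constructed, minimal Ingress object for the sample data below.
    return {"spec": {"rules": [{"host": host, "http": {"paths": [
        {"path": path, "pathType": "Prefix",
         "backend": {"service": {"name": service, "port": {"number": port}}}}]}}]}}

# Constructed sample data: the original chart, then the chart plus a block rule.
HOST = "myapp.to"
APP_ONLY = [ingress(HOST, "/api/myservice", "myservice", 80)]
WITH_BLOCK = APP_ONLY + [
    ingress(HOST, "/api/myservice/prometheus", "ingress-default-backend", 8080)]
SENSITIVE = ["/api/myservice/prometheus", "/api/myservice/prometheus/sub"]
BLOCKED = {"ingress-default-backend"}

if __name__ == "__main__":
    print("without block rule:", exposed(APP_ONLY, HOST, SENSITIVE, BLOCKED))
    print("with block rule:   ", exposed(WITH_BLOCK, HOST, SENSITIVE, BLOCKED))
```

The model follows the Kubernetes `Prefix` semantics only; a controller using a different path type or regex paths can match differently, so confirm the result with a request from outside the cluster.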