K
Q

Setting up internal service on GKE without external IP

6/2/2019

I am new to GKE and kubernetes. I installed elastic search on GKE using Google Click to Deploy. I also installed nginx-ingress and secured the elasticsearch service with HTTP basic authentication (through the ingress). I created an external static IP and assigned it to the ingress controller using the loadBalancerIp field in the ingress-controller service configuration.

Questions:

  1. I have appengine services running in GCP which need to access this elasticsearch setup. Can I avoid exposing my elasticsearch service outside - with some kind of an "internal" IP which only my appengine services can access? Is using VPC one of the ways of doing this?
  2. I see that my ingress was also assigned an external IP address (the static IP I created was assigned to the nginx-ingress-controller service). However, when I hit this IP on port 80, I get connection refused and on 9200 port, it times out. Can I avoid having two external IPs? How secure is this ingress IP address? What are its open ports?

Here is my ingress configuration:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-realm: Authentication Required - ok
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-type: basic
  name: basic-ingress
  namespace: default
 spec:
  rules:
  - http:
      paths:
      - backend:
          serviceName: elasticsearch-1-elasticsearch-svc
          servicePort: 9200
        path: /

Here is the ingress controller service configuration:

apiVersion: v1
kind: Service
metadata:
  labels:
    app: nginx-ingress
    chart: nginx-ingress-1.6.15
    component: controller
    heritage: Tiller
    release: nginx-ingress
  name: nginx-ingress-controller
  namespace: default
spec:
  clusterIP: <Some IP>
  externalTrafficPolicy: Cluster
  loadBalancerIP: <External IP>
  ports:
  - name: http
    nodePort: 30290
    port: 80
    protocol: TCP
    targetPort: http
  - name: https
    nodePort: 30119
    port: 443
    protocol: TCP
    targetPort: https
  selector:
    app: nginx-ingress
    component: controller
    release: nginx-ingress
  sessionAffinity: None
  type: LoadBalancer
-- Krishna Chaitanya P
google-cloud-platform
google-kubernetes-engine
kubernetes

Similar Questions

fatal: unable to access 'https://gitlab-ci-token:[MASKED]@gitlab.mydomain.com/xxx.git/': SSL certificate problem: unable to get issuer certificate
Container in dind access another container in the same Kubernetes pod
Running Kubernetes across cloud providers
How to move k3s' ingress to another port
Only one redis node is handling all the load
Unable to connection to mongodb container running on EKS cluster using pymongo
kubernetes error: [ERROR][23511] customresource.go 136: Error updating resource Key=IPAMBlock

1 Answer

6/2/2019

My suggestion is to use 2 load balancer, 1 for public and 1 for private. To create private load balancer you just need to add following line in metadata section

cloud.google.com/load-balancer-type: "Internal"

Reference: https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing

-- Ilham Sulaksono
Source: StackOverflow