Setting up internal service on GKE without external IP

6/2/2019

I am new to GKE and kubernetes. I installed elastic search on GKE using Google Click to Deploy. I also installed nginx-ingress and secured the elasticsearch service with HTTP basic authentication (through the ingress). I created an external static IP and assigned it to the ingress controller using the loadBalancerIP field in the ingress-controller service configuration.

Questions:

  1. I have appengine services running in GCP which need to access this elasticsearch setup. Can I avoid exposing my elasticsearch service outside - with some kind of an "internal" IP which only my appengine services can access? Is using VPC one of the ways of doing this?
  2. I see that my ingress was also assigned an external IP address (the static IP I created was assigned to the nginx-ingress-controller service). However, when I hit this IP on port 80, I get connection refused and on 9200 port, it times out. Can I avoid having two external IPs? How secure is this ingress IP address? What are its open ports?

Here is my ingress configuration:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-realm: Authentication Required - ok
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-type: basic
  name: basic-ingress
  namespace: default
spec:
  rules:
  - http:
      paths:
      - backend:
          serviceName: elasticsearch-1-elasticsearch-svc
          servicePort: 9200
        path: /

Here is the ingress controller service configuration:

apiVersion: v1
kind: Service
metadata:
  labels:
    app: nginx-ingress
    chart: nginx-ingress-1.6.15
    component: controller
    heritage: Tiller
    release: nginx-ingress
  name: nginx-ingress-controller
  namespace: default
spec:
  clusterIP: <Some IP>
  externalTrafficPolicy: Cluster
  loadBalancerIP: <External IP>
  ports:
  - name: http
    nodePort: 30290
    port: 80
    protocol: TCP
    targetPort: http
  - name: https
    nodePort: 30119
    port: 443
    protocol: TCP
    targetPort: https
  selector:
    app: nginx-ingress
    component: controller
    release: nginx-ingress
  sessionAffinity: None
  type: LoadBalancer
-- Krishna Chaitanya P

Tags: google-cloud-platform, google-kubernetes-engine, kubernetes

1 Answer

6/2/2019

My suggestion is to use 2 load balancers, 1 for public and 1 for private. To create a private load balancer you just need to add the following line in the metadata section

cloud.google.com/load-balancer-type: "Internal"

Reference: https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing

-- Ilham Sulaksono
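An added example (not from the question or the answer) of the setup the answer describes: a second ingress-controller Service that receives an internal VPC address instead of a public one. The annotation lives under metadata.annotations; the service name, release label and reserved IP are assumptions.

```yaml
# Added example: internal-only Service for a second nginx ingress controller.
# Names and the reserved IP are assumptions, not values from the post.
apiVersion: v1
kind: Service
metadata:
  name: nginx-ingress-controller-internal   # assumed name for the second controller
  namespace: default
  annotations:
    # The annotation from the answer: GKE provisions an internal TCP/UDP load
    # balancer that is reachable only from inside the VPC, so the service
    # never gets a public address and is not exposed to the internet.
    cloud.google.com/load-balancer-type: "Internal"
  labels:
    app: nginx-ingress
    component: controller
    release: nginx-ingress-internal          # assumed: a separate release for the internal controller
spec:
  type: LoadBalancer
  # Optional: pin a reserved RFC 1918 address from the cluster's subnet (placeholder value).
  loadBalancerIP: 10.128.0.50
  externalTrafficPolicy: Cluster
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: http
  - name: https
    port: 443
    protocol: TCP
    targetPort: https
  selector:
    app: nginx-ingress
    component: controller
    release: nginx-ingress-internal
```

After `kubectl apply`, `kubectl get svc nginx-ingress-controller-internal` should list an address from the VPC subnet in the EXTERNAL-IP column rather than a public one. If the public controller is kept as well, run the internal one with a distinct ingress class so that each Ingress object is served by only one of the two controllers.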
Source: StackOverflow