I am a Kubernetes and sort of Docker newbie. I have an unsecured (no authentication, etc) elasticsearch container (a statefulSet) that is set up with a particular schema. This is a backend service. I have a second container (as a regular pod/Deployment) that contains a REST service which is the only thing that should be communicating with the elasticsearch container.
I understand the basics of Kubernetes pods, deployments, statefulSets, and services used to expose them. Without having to set up authentication for elasticsearch, is there an easy/clever way to configure these two containers so that no other pod’s applications can DIRECTLY utilize the elasticsearch container (only the REST service container)?
I’ve seen the notion of a multi container pod so I was considering making the elasticsearch container a sidecar to the REST service container that communicates for it. But this might be impossible because the ES container is a statefulSet and the other is not?
Is there another way that could involve each being a separate pod?
Any insights would be appreciated.
You are basically looking for network policy that should be in the namespace your pods are deployed. Have a look at the example in this section.
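As an added illustration of the NetworkPolicy approach (this manifest is not part of the original answer), here is a policy that admits traffic to the Elasticsearch pods only from the REST service pods. It assumes the StatefulSet's pod template carries the label `app: elasticsearch`, the REST Deployment's pods carry `app: rest-api`, both live in the `default` namespace, and Elasticsearch listens on its usual ports 9200 (HTTP) and 9300 (transport); change the labels and namespace to match yours.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: elasticsearch-ingress
  namespace: default            # assumed namespace; use the one your pods live in
spec:
  # Pods this policy protects (assumed label on the StatefulSet's pod template)
  podSelector:
    matchLabels:
      app: elasticsearch
  policyTypes:
    - Ingress                   # only inbound traffic is restricted here
  ingress:
    # Rule 1: the REST service pods may reach the HTTP API
    - from:
        - podSelector:
            matchLabels:
              app: rest-api     # assumed label on the REST Deployment's pods
      ports:
        - protocol: TCP
          port: 9200
    # Rule 2: Elasticsearch replicas may talk to each other on the transport port
    # (only matters if the StatefulSet runs more than one replica)
    - from:
        - podSelector:
            matchLabels:
              app: elasticsearch
      ports:
        - protocol: TCP
          port: 9300
```

Once a pod is selected by any NetworkPolicy, every inbound connection that no rule allows is dropped, so all other pods in this namespace, and all pods in other namespaces (no `namespaceSelector` is given), lose access. Two caveats: the policy is only enforced if the cluster's network plugin implements NetworkPolicy (Calico, Cilium and Weave Net do; with a plugin that does not, the object is accepted by the API server and silently has no effect). To check it, run `curl -m 5 http://<elasticsearch service>:9200` from a throwaway pod without the `app: rest-api` label and expect a timeout, then run the same command from a REST pod and expect the usual Elasticsearch banner.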
Indeed, create it as a multi-container pod where your REST service will be exposed as a k8s service but will be able to talk to elasticsearch container without exposing it externally.
You can optionally just add your REST container to the statefulSet. statefulSet is essentially a pod + storage, hence your pod in this statefulSet can be a multi-container pod.
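As an added example of this second approach (not code from the original thread), here is a StatefulSet that runs Elasticsearch and the REST service in the same pod. Containers in a pod share one network namespace, so the REST container reaches Elasticsearch at `127.0.0.1:9200`, and Elasticsearch is told to bind only to the loopback interface, so nothing outside the pod can reach it even via the pod IP. The image names, the `es-rest` names, the labels, the REST container's port 8080 and its `ELASTICSEARCH_URL` setting are assumptions; the Elasticsearch settings use the official 7.x image's convention of passing settings as environment variables.

```yaml
# Headless Service the StatefulSet needs (gives its pods stable DNS names)
apiVersion: v1
kind: Service
metadata:
  name: es-rest-headless
spec:
  clusterIP: None
  selector:
    app: es-rest
  ports:
    - name: http
      port: 8080
---
# Service that exposes ONLY the REST container's port to the rest of the cluster
apiVersion: v1
kind: Service
metadata:
  name: rest-api
spec:
  selector:
    app: es-rest
  ports:
    - name: http
      port: 80
      targetPort: 8080          # assumed port of the REST service
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: es-rest
spec:
  serviceName: es-rest-headless
  replicas: 1
  selector:
    matchLabels:
      app: es-rest
  template:
    metadata:
      labels:
        app: es-rest
    spec:
      containers:
        - name: elasticsearch
          image: docker.elastic.co/elasticsearch/elasticsearch:7.17.0   # assumed version; use yours
          env:
            - name: discovery.type
              value: single-node
            # Bind to loopback only: reachable from the sibling container, not from other pods
            - name: network.host
              value: "127.0.0.1"
            - name: ES_JAVA_OPTS
              value: "-Xms512m -Xmx512m"
          volumeMounts:
            - name: data
              mountPath: /usr/share/elasticsearch/data
        - name: rest-service
          image: example.com/rest-service:1.0       # placeholder for your own image
          env:
            - name: ELASTICSEARCH_URL               # assumed config knob of the REST service
              value: http://127.0.0.1:9200
          ports:
            - name: http
              containerPort: 8080
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 10Gi
```

The isolation comes from `network.host: 127.0.0.1`, not from leaving port 9200 out of the Services: a Service only adds a name and a virtual IP, and any pod can still connect straight to a pod IP, so an Elasticsearch that listens on `0.0.0.0` would remain reachable. Two things to keep in mind with this layout: both containers share one port space, so they must not both claim the same port, and scaling the StatefulSet above one replica gives you several independent single-node Elasticsearch instances (each with its own REST copy and its own volume), not one cluster, because the loopback binding prevents node-to-node discovery.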