SFTP server is not accessible when deployed to Kubernetes (GKE)

7/15/2019

SFTP server is not accessible when exposed using a NodePort service and an Kubernetes Ingress. However, if the same deployment is exposed using a Service of type LoadBalancer it works fine.

Below is the deployment file for SFTP in GKE using atmoz/sftp Dockerfile.

kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: sftp
  labels:
    environment: production
    app: sftp
spec:
  replicas: 1
  minReadySeconds: 10
  template:
    metadata:
      labels:
        environment: production
        app: sftp
      annotations:
        container.apparmor.security.beta.kubernetes.io/sftp: runtime/default
    spec:
      containers:
        - name: sftp
          image: atmoz/sftp:alpine
          imagePullPolicy: Always
          args: ["user:pass:1001:100:upload"]
          ports:
            - containerPort: 22
          securityContext:
            capabilities:
              add: ["SYS_ADMIN"]
          resources: {}

If I expose this deployment normally using a Kubernetes Service of type LoadBalancer like below:

apiVersion: v1
kind: Service
metadata:
  labels:
    environment: production
  name: sftp-service
spec:
  type: LoadBalancer
  ports:
  - name: sftp-port
    port: 22
    protocol: TCP
    targetPort: 22
  selector:
    app: sftp

Above Service gets an external IP which I can simply use in the command sftp xxx.xx.xx.xxx command to get access using the pass password.

However, I try to expose the same deployment using GKE Ingress it does not work. Below is the manifest for the ingress:

# First I create a NodePort service to expose the deployment internally

---
apiVersion: v1
kind: Service
metadata:
  labels:
    environment: production
  name: sftp-service
spec:
  type: NodePort
  ports:
  - name: sftp-port
    port: 22
    protocol: TCP
    targetPort: 22
    nodePort: 30063
  selector:
    app: sftp

# Ingress service has SFTP service as it's default backend
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: basic-ingress-2
spec:
  backend:
    serviceName: sftp-service
    servicePort: 22
  rules:
  - http:
      paths:
      # "http-service-sample" is a service exposing a simple hello-word app deployment
      - path: /sample
        backend:
          serviceName: http-service-sample
          servicePort: 80

After an external IP is assigned to the Ingress (I know it takes a few minutes to completely set up) and xxx.xx.xx.xxx/sample starts working but sftp -P 80 xxx.xx.xx.xxx doesn't work.

Below is the error I get from the server:

ssh_exchange_identification: Connection closed by remote host
Connection closed

What am I doing wrong in the above set-up? Why does LoadBalancer service is able to allow access to SFTP service, while Ingress fails?

-- Amit Yadav
google-cloud-platform
google-kubernetes-engine
kubernetes
kubernetes-ingress
sftp

1 Answer

7/15/2019

That's currently not fully supported to route in Kubernetes Ingress any other traffic than HTTP/HTTPS protocols (see docs).

You can try to make some workaround as described there: Kubernetes: Routing non HTTP Request via Ingress to Container

-- Jakub Bujny
Source: StackOverflow