How to create AWS Security Group that restricts inbound traffic only from Kubernetes on Google Cloud?

7/20/2019

AWS RDS Security Groups are great for restricting to specific IP addresses.

My Google Cloud deployment is an Ingress at a static IP. The Ingress points to one or several nodes. Those nodes have non-static IP addresses.

How do I restrict AWS RDS to only those nodes?

(Restricting to the Ingress IP would not, and does not, work.)

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: xxxxx
  annotations:
    kubernetes.io/ingress.global-static-ip-name: xxxxx-ip
  labels:
    app: xxxxx
spec:
  rules:
    - http:
        paths:
          - path: /*
            backend:
              serviceName: xxxxx
              servicePort: 3000
```
-- David Bernat
amazon-rds
amazon-web-services
google-cloud-platform
google-kubernetes-engine
kubernetes

1 Answer

7/21/2019

Google Kubernetes nodes are ephemeral and, if enabled, autoscale. This means that you cannot rely upon the IP address of a node or collection of nodes. At this time, Google does not support assigning a static pool of addresses to a GKE cluster.

There is an open-source project, KubeIP, which can help you solve this. I have not used this project on GKE; do your own research on viability for your project.

KubeIP

Don't forget that you will be charged for allocated static IP addresses that are not assigned to a Google service (Load Balancer, Compute Engine, etc.).

-- John Hanley
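The reconciliation the answer implies (keep the RDS security group's inbound DB rule set equal to whatever stable addresses the nodes currently use, such as the static IPs KubeIP attaches), written as an added Python example that is not part of either post. It assumes PostgreSQL on port 5432, a hypothetical rule description `gke-nodes` to tag the rules it owns so unrelated rules are never touched, and constructed sample data; the planning is pure so it runs offline, and its output is shaped for boto3's authorize_security_group_ingress / revoke_security_group_ingress.

```python
import ipaddress
from collections import namedtuple

DB_PORT = 5432         # assumption: PostgreSQL; the question does not name the engine
MANAGED = "gke-nodes"  # hypothetical rule description marking the rules this tool owns
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
Rule = namedtuple("Rule", "cidr description")  # hashable and sortable, so set arithmetic works


def desired_rules(node_ips):
    """One /32 per node address; reject input that could never be a node's public address."""
    if not node_ips:  # an empty discovery result is more likely a tooling failure than zero nodes
        raise ValueError("no node addresses supplied; refusing to plan a full revoke")
    rules = set()
    for ip in node_ips:
        addr = ipaddress.ip_address(ip)
        if (addr.version != 4 or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or any(addr in net for net in RFC1918)):
            raise ValueError(f"{ip} is not a routable public IPv4 address")
        rules.add(Rule(f"{addr}/32", MANAGED))
    return rules


def current_rules(sg):
    """Managed DB-port IPv4 rules from a DescribeSecurityGroups-shaped dict; others are left alone."""
    rules = set()
    for perm in sg["IpPermissions"]:
        if (perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")) != ("tcp", DB_PORT, DB_PORT):
            continue
        for r in perm.get("IpRanges", []):
            if r.get("Description") == MANAGED:
                rules.add(Rule(r["CidrIp"], MANAGED))
    return rules


def plan(sg, node_ips):
    """Return (to_authorize, to_revoke) as sorted Rule lists."""
    want, have = desired_rules(node_ips), current_rules(sg)
    return sorted(want - have), sorted(have - want)


def ip_permissions(rules):
    """Shape rules as the IpPermissions list boto3's authorize/revoke_security_group_ingress accept."""
    return [{"IpProtocol": "tcp", "FromPort": DB_PORT, "ToPort": DB_PORT,
             "IpRanges": [{"CidrIp": r.cidr, "Description": r.description} for r in rules]}]


# Constructed sample: one stale node rule (.10), one current (.11), one unmanaged bastion rule
SAMPLE_SG = {"GroupId": "sg-placeholder", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": DB_PORT, "ToPort": DB_PORT, "IpRanges": [
        {"CidrIp": "203.0.113.10/32", "Description": MANAGED},
        {"CidrIp": "203.0.113.11/32", "Description": MANAGED},
        {"CidrIp": "198.51.100.5/32", "Description": "bastion"}]}]}
SAMPLE_NODE_IPS = ["203.0.113.11", "203.0.113.12"]  # constructed: node .10 was replaced by .12
```

Only call the boto3 ingress APIs when the corresponding list from plan() is non-empty; the bastion rule carries a different description and so never appears in either list.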
Source: StackOverflow