I'm trying to build a basic frontend-backend topology in Kubernetes (Amazon EKS actually) with both frontend and backend pods residing on the same node. I want every node to have 2 interfaces: a public one, that will connect to an internet gateway, and a private one, that won't. So it would seem natural to somehow map frontend pods (or service) to the public interface to route traffic to/from the internet and map backend pods to the private interface to prevent any external access to them. Is it even possible in Kubernetes? I know that I probably should use public interfaces everywhere and restrict access with ACLs, but a design with different interfaces looks simpler and more secure to me.
It is possible in Kubernetes. You need to create an Ingress or a LoadBalancer Service for your frontend pods to access them from public interfaces. Do not create the same for backend pods. To restrict traffic from other pods to your backend and frontend pods, you can create a NetworkPolicy and allow traffic only between these pods.

To spawn pods on specific nodes, use nodeSelector or podAffinity. If you want one pod to run on each node, or on specific nodes, then create a DaemonSet for them.
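The setup described in this answer, written out as an added example (these are not the answerer's manifests): the frontend gets the only public entry point, the backend stays cluster-internal, and a NetworkPolicy lets only frontend pods reach it. Label names, ports and the policy name are assumptions, and the policy is only enforced if the cluster runs a network policy engine (on EKS that is not on by default).

```yaml
# Added example, not from the original answer. Labels, ports and
# resource names are assumed; adjust them to your own deployments.
apiVersion: v1
kind: Service
metadata:
  name: frontend
spec:
  type: LoadBalancer          # the single public entry point (an ELB on EKS)
  selector:
    app: frontend
  ports:
    - port: 80
      targetPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: backend
spec:
  type: ClusterIP             # cluster-internal address only, never public
  selector:
    app: backend
  ports:
    - port: 8080
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-policy
spec:
  podSelector:
    matchLabels:
      app: backend            # applies to every backend pod in this namespace
  policyTypes:
    - Ingress                 # once listed, all ingress not matched below is denied
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend   # only pods labelled app=frontend may connect
      ports:
        - protocol: TCP
          port: 8080          # and only on the backend's service port
```

A quick check after applying this is `kubectl get svc backend`, which should show no EXTERNAL-IP, while `kubectl exec` from a pod without the `app: frontend` label should fail to reach `backend:8080`.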
This is not usually how things work in Kubernetes. Pod IPs would always be "private", i.e. cluster IPs that are not used with the internet. You poke specific holes into the cluster IP space using LoadBalancer-type Services. In AWS terms, all pods have private IPs and you use ELBs to bridge specific things to the public network.
This is an overly complicated way to go about this.
Why don't you rather do the following:
There is no good reason for your nodes to be exposed to the internet. Use a Loadbalancer as a cutout, and NAT gateways to ensure that your private subnets can reach the internet.
This limits your public api surface to those segments of the 'public' pods that are exposed in the public-facing services, while leaving the rest of your cluster dark.
Also,
I know that I probably should use public interfaces everywhere and restrict access with ACLs
is not a good idea. Use private interfaces everywhere, and ensure your nodes are not visible from the public internet. It is almost never a good idea to have a server reachable from the internet as a whole - it exposes you to all sorts of attacks which will be mitigated against by NAT, LoadBalancers or other intermediary systems.