kubernetes NodePort vs ClusterIP with Nginx-Ingress

4/28/2020

I've got my own microservice and, until now, I've been exposing the service with type: NodePort along with the nginx-ingress helm chart to my own public IP with https; I've noticed when running a linter on my microservice helm chart that it's not safe (to use NodePort) and I should be using ClusterIP - could someone explain why?

-- potatopotato
kubernetes

2 Answers

4/28/2020

If your cluster is set up so that the worker nodes are directly accessible from outside the cluster, then anything you have set as a NodePort-type service will be accessible too. In particular, this means that http://any-node.k8s.example.com:32345/ could reach your back-end service, bypassing any controls that you've set up in the ingress layer. You generally don't want that.

A reasonable approach here (and probably what your linter is encouraging) is to use NodePort or LoadBalancer-type services only for your ingress service. Anything else should register itself with that ingress service (using a native Kubernetes Ingress object, or an Istio VirtualService, or ...) but have ClusterIP-type services for intra-cluster access.

     +------------+  NP  +---------+ CIP  +-------------+
---> | (any node) | ---> | ingress | ---> | application |
     +------------+      +---------+      +-------------+
                 |__________________________^
      a NodePort application service would allow this path
                   (bypassing the ingress)
-- David Maze
Source: StackOverflow

4/28/2020

From a security standpoint, only the ingress controller (nginx, for example) needs to be exposed outside the cluster. This can be done either via NodePort or LoadBalancer, or even by running the ingress controller in the host network of some dedicated Kubernetes nodes with public IPs. So any north-south traffic coming into the cluster from outside will have to pass through the ingress controller.

Any front-facing services (a Node.js frontend app, for example) should be exposed outside the cluster via an Ingress resource only, to make sure any WAF or TLS enforcement policy can be implemented at the ingress controller.

For east-west traffic between the front-facing service and the backend microservices within the cluster, a ClusterIP service is recommended.

-- Arghya Sadhu
Source: StackOverflow
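Both answers describe the same exposure model: the ingress controller is the only NodePort/LoadBalancer Service, every workload is ClusterIP, and workloads reach the outside only through an Ingress rule. The script below is an added example, not code from either answer or from the linter mentioned in the question. It builds the "before" state (the microservice itself is a NodePort, so http://any-node:32345/ reaches it directly) and the "after" state (ClusterIP plus an Ingress) as constructed sample manifests, then runs the check a chart linter makes: flag any externally reachable Service that is not the ingress controller, and flag Ingress backends that point at a Service which does not exist. The controller label app.kubernetes.io/name=ingress-nginx, the hostname, and the port numbers are assumptions, not taken from the page.

```python
"""Lint Kubernetes manifests for workload Services that are reachable from
outside the cluster without passing through the ingress controller.

Added example, not code from either answer or from any linter. Assumptions
(not stated on the page): the ingress controller's Service carries the label
app.kubernetes.io/name=ingress-nginx, and the manifests are constructed
below rather than rendered from a Helm chart.
"""

EXTERNAL_TYPES = {"NodePort", "LoadBalancer"}
# Assumption: the label the ingress-nginx chart puts on its controller Service.
INGRESS_CONTROLLER_LABEL = ("app.kubernetes.io/name", "ingress-nginx")


def service(name, svc_type, port, selector, labels=None, node_port=None):
    """Build a minimal v1 Service manifest (constructed sample data)."""
    port_spec = {"port": port, "targetPort": port}
    if node_port is not None:
        port_spec["nodePort"] = node_port
    return {
        "apiVersion": "v1",
        "kind": "Service",
        "metadata": {"name": name, "labels": labels or {}},
        "spec": {"type": svc_type, "selector": selector, "ports": [port_spec]},
    }


def ingress(name, host, backend_service, backend_port):
    """Build a minimal networking.k8s.io/v1 Ingress with TLS (constructed sample data)."""
    backend = {"service": {"name": backend_service, "port": {"number": backend_port}}}
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "Ingress",
        "metadata": {"name": name},
        "spec": {
            "tls": [{"hosts": [host], "secretName": name + "-tls"}],
            "rules": [{"host": host, "http": {"paths": [
                {"path": "/", "pathType": "Prefix", "backend": backend}]}}],
        },
    }


# The one Service that should be NodePort/LoadBalancer: the ingress controller.
INGRESS_CONTROLLER = service(
    "ingress-nginx-controller", "NodePort", 443,
    selector={"app.kubernetes.io/name": "ingress-nginx"},
    labels={"app.kubernetes.io/name": "ingress-nginx"},
    node_port=30443,
)

# "Before": the microservice is itself a NodePort, so http://<any-node>:32345/
# reaches it directly, skipping TLS termination and anything else the ingress does.
BEFORE = [
    INGRESS_CONTROLLER,
    service("my-microservice", "NodePort", 8080, {"app": "my-microservice"}, node_port=32345),
]

# "After": the microservice is ClusterIP and registers a host/path with the
# ingress controller; the only external entry point is the controller itself.
AFTER = [
    INGRESS_CONTROLLER,
    service("my-microservice", "ClusterIP", 8080, {"app": "my-microservice"}),
    ingress("my-microservice", "api.example.com", "my-microservice", 8080),
]


def is_ingress_controller(svc):
    key, value = INGRESS_CONTROLLER_LABEL
    return svc["metadata"].get("labels", {}).get(key) == value


def external_entry_points(manifests):
    """(service name, nodePort or None) for every Service reachable from outside the cluster."""
    entries = []
    for m in manifests:
        if m["kind"] != "Service" or m["spec"].get("type", "ClusterIP") not in EXTERNAL_TYPES:
            continue
        for p in m["spec"]["ports"]:
            entries.append((m["metadata"]["name"], p.get("nodePort")))
    return entries


def lint(manifests):
    """Return findings as strings; an empty list means every external path goes
    through the ingress controller and every Ingress backend resolves."""
    findings = []
    services = {m["metadata"]["name"]: m for m in manifests if m["kind"] == "Service"}

    # 1. Any externally reachable Service other than the controller is a second,
    #    un-proxied path into the workload (the diagonal arrow in the diagram above).
    for name, node_port in external_entry_points(manifests):
        if not is_ingress_controller(services[name]):
            findings.append(
                f"Service/{name}: type {services[name]['spec']['type']} is reachable on "
                f"every node at nodePort {node_port or '<allocated>'}, bypassing the "
                f"ingress; use ClusterIP and an Ingress rule instead")

    # 2. The sanctioned path must actually exist: each Ingress backend names a Service.
    for m in manifests:
        if m["kind"] != "Ingress":
            continue
        for rule in m["spec"].get("rules", []):
            for path in rule.get("http", {}).get("paths", []):
                backend = path["backend"]["service"]["name"]
                if backend not in services:
                    findings.append(
                        f"Ingress/{m['metadata']['name']}: backend Service/{backend} does not exist")
    return findings


if __name__ == "__main__":
    for label, manifests in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {lint(manifests) or 'OK'}")
```

To run this against a real chart, feed the objects rendered by `helm template` (parsed into dicts) to lint() in place of the constructed lists; the check deliberately treats LoadBalancer the same as NodePort, since on most cloud providers a LoadBalancer Service also allocates a node port on every worker.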