I have multiple services running across nodes.

I want to be able to query a postgres db from the pods of these services - This postgres db will only allow connections from whitelisted IPs - I will need to share a static IP with the admin of postgres db to be able to connect to it.

How can I ensure that no matter which node my pod is on, I can connect to the postgres db using a predefined static IP?

My current set up is :

NGINX INGRESS (Static IP) --> host-based routing to certain services.

123.abc.com --> Service A --> Pod A --> Node A --> External IP A

456.abc.com --> Service B --> Pod B --> Node B --> External IP B

Pods of these services get the external IP of the node they are on. Services are of type NodePort.

Possible Solution:

I am now trying to set up a common service - Service Postgres - that will query the Postgres DB. All other services will just query the postgres service explicitly every time they want to access postgres.

I assigned an External IP to the Service. But the pod queries from the IP of the node. It seems the external IP in the load balancer is for incoming requests? How do we assign a fixed IP to outgoing requests?

  • did you consider assigning static podIPs to those pods – wineinlib Jun 04 '20 at 03:25
  • I want just one static IP to represent many services - The admin of the postgres db does not want to whitelist multiple IPs for me. I can associate a static IP with one service. But don't know how to get other services to also be on that IP. – crossvalidator Jun 04 '20 at 11:42
  • `Pods` have only internal IPs and `services` are designed for ingress usage. You can add [taints and tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) so all the pods that access postgres are deployed on the same node and you can add the node IP to the postgres db. It's not a perfect scenario but could work. If you'd like I can provide you an example configuration with these affinity rules. – Will R.O.F. Jun 04 '20 at 15:42
  • That wouldn't work for my use case. Yes, I meant to say multiple services sharing the same static IP - not multiple pods. There could be dozens of services on dozens of nodes at scale - and all of them need to communicate with a postgres db using a whitelisted IP. – crossvalidator Jun 04 '20 at 17:26
  • Maybe there is such a thing as a proxy server in K8s? Can multiple services all pretend to originate from the same static IP when interacting with the outside world? (or at least postgres?) – crossvalidator Jun 04 '20 at 17:30

1 Answer


Outgoing IP for pods in K8s - Question on Stackoverflow

The answers on that question are satisfactory.

  1. Create a helper service that talks to PostgreSQL. Schedule it on a specific node in a new node pool using node selector. Assign that node a static IP using the steps mentioned in the above link. (haven't tested this step yet) (KubeIP seems like a neat solution for this)

  2. Use NAT Gateway in GKE in a private cluster. NAT Gateway GKE

The 1st option seems easier to implement; the 2nd one is more generic.

  • If you consolidate all queries behind a single Cloud NAT, be aware that there's a two-minute cool-down before ports can be reused. To achieve scale, you might want to allocate additional IP addresses or increase the minimum number of ports - https://cloud.google.com/nat/docs/ports-and-addresses#ports-reuse-tcp – victoryNap Jun 05 '20 at 14:15
  • Thank you for sharing. Didn't know about that. Makes me want to go with option 1 even more. With KubeIP, it's pretty easy to maintain a few nodes with static IPs. – crossvalidator Jun 05 '20 at 18:34
  • It's easy to provision additional IPs and expand their available ports for the Cloud NAT; I would just be conscious of how you log, in case you run into anything. Not sure if this is the case with KubeIP, but another downside is requiring a private cluster, which becomes a PIA if you run a hosted CI/CD pipeline. – victoryNap Jun 05 '20 at 19:27
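Below is an added example of the answer's option 1 as Kubernetes manifests; it is not code from the question, the answer or any of the commenters. It assumes a GKE node pool named `egress-pool` whose single node has been given the whitelisted static IP (the `cloud.google.com/gke-nodepool` label is the one GKE puts on its nodes), a PgBouncer image and its `DB_*` environment variables as the helper proxy, an upstream database at `db.example.com:5432`, a Secret named `postgres-creds`, and that the cluster masquerades pod traffic leaving the cluster to the node's IP (GKE's default). All of those names are assumptions for illustration. A NetworkPolicy is included because once one IP represents the whole cluster, every pod that can reach the proxy inherits the whitelist, so the proxy should only accept connections from workloads that are meant to use it.

```yaml
# Added example (not from the original post): one egress proxy for Postgres,
# pinned to the node that carries the whitelisted static IP.
# Assumed: node pool "egress-pool", image edoburu/pgbouncer, db.example.com,
# Secret postgres-creds, GKE default masquerading of pod -> external traffic.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: postgres-proxy
  labels:
    app: postgres-proxy
spec:
  replicas: 1            # one pod on one node; two nodes would mean two source IPs
  selector:
    matchLabels:
      app: postgres-proxy
  template:
    metadata:
      labels:
        app: postgres-proxy
    spec:
      # Only the node pool whose node has the whitelisted IP (assumed pool name).
      nodeSelector:
        cloud.google.com/gke-nodepool: egress-pool
      containers:
      - name: pgbouncer
        image: edoburu/pgbouncer:1.15.0      # assumed image; vet and pin your own
        ports:
        - containerPort: 5432
        env:
        - name: DB_HOST
          value: db.example.com              # assumed upstream Postgres host
        - name: DB_PORT
          value: "5432"
        - name: DB_USER
          valueFrom:
            secretKeyRef: {name: postgres-creds, key: username}
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef: {name: postgres-creds, key: password}
---
# Cluster-internal name the other services use instead of the real DB host.
apiVersion: v1
kind: Service
metadata:
  name: postgres-proxy
spec:
  type: ClusterIP
  selector:
    app: postgres-proxy
  ports:
  - port: 5432
    targetPort: 5432
---
# Only pods labelled needs-postgres=true may reach the proxy. Without this, any
# pod in the cluster could use the whitelisted IP to talk to the database.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: postgres-proxy-ingress
spec:
  podSelector:
    matchLabels:
      app: postgres-proxy
  policyTypes: ["Ingress"]
  ingress:
  - from:
    - podSelector:
        matchLabels:
          needs-postgres: "true"
    ports:
    - protocol: TCP
      port: 5432
```

Application pods then connect to `postgres-proxy.<namespace>.svc.cluster.local:5432` and carry the `needs-postgres: "true"` label. Before handing the IP to the DB admin, verify what the database actually sees: run `kubectl exec` into the proxy pod, open a connection, and check `SELECT inet_client_addr();` on the Postgres side; it should return the node's external IP, not a pod or NAT address. NetworkPolicy only takes effect if the cluster's network plugin enforces it (on GKE that means network policy enforcement must be enabled). The single replica on a single node is a deliberate trade-off: it keeps one source IP, at the cost of that node being a single point of failure for every service behind it.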