2

I have two clusters in GCP.

  1. A GKE cluster which has only Postgres installed using Kubernetes.
  2. A Dataproc cluster.

Now if I make the Postgres service internally load balanced to provide security, I can access it using my VPN configuration.

But the problem arose while accessing Postgres from the Dataproc cluster. The communication wasn't successful. Hence I had to make Postgres publicly load balanced.

I want suggestions on how we can achieve security here: making the database less accessible, while it should still be accessible by the Dataproc cluster.

Harsh Manvar

1 Answer

3

If you are using the LoadBalancer to expose the service directly and not using an Ingress, you can use the IP whitelisting option to whitelist your Dataproc cluster IPs.

Example

apiVersion: v1
kind: Service
metadata:
  name: postgres
spec:
  ports:                        # ports must sit under spec, not at top level
    - port: 8765                # port exposed on the load balancer
      targetPort: 9376          # container port the traffic is forwarded to
  selector:
    app: example
  type: LoadBalancer
  loadBalancerIP: 79.78.77.76   # optional: pin a reserved static address
  loadBalancerSourceRanges:     # only these CIDRs may reach the service
  - 130.211.204.1/32
  - 130.211.204.2/32

You can add the Dataproc cluster IPs (or the whole VPC subnet IP range in which the cluster is) to the LoadBalancer service, and only requests coming from the cluster will be able to access the database.

Refer to the link for more information.

Ingress

If you are using an Ingress to expose the database, you can use the annotation:

ingress.kubernetes.io/whitelist-source-range

to whitelist the IPs.

Dagang
Harsh Manvar
  • Thanks @Harsh. How do I get the Dataproc cluster IP? – Nishchal Dinesh Oct 20 '21 at 04:53
  • 1
    You can use the node IPs; those are the ones which the pod uses when your request is going out of the Kubernetes cluster. If you are running 4 nodes, 4 IPs will be there. In this case scaling nodes may change the IP of a node. You need to set up NAT to get a single IP for the whole cluster. – Harsh Manvar Oct 20 '21 at 04:55
  • As you are on GKE, no need to worry; just apply this NAT Terraform and it will auto-create the NAT gateway for you: https://github.com/GoogleCloudPlatform/terraform-google-nat-gateway/tree/v1.2.3/examples/gke-nat-gateway – Harsh Manvar Oct 20 '21 at 04:56
  • Thanks @harsh for the details. Very helpful. – Nishchal Dinesh Oct 20 '21 at 04:56
  • It is weird that the link provided in the answer links to an AWS EKS doc. – Dagang Oct 20 '21 at 16:09
  • @NishchalDinesh Your Dataproc cluster IPs are allocated from the VPC subnet of the region, you might want to whitelist the whole subnet IP range. – Dagang Oct 20 '21 at 16:12
  • @Dagang yeah, at the time of pasting the link I checked it's from AWS, but for the end user the resolution of the issue matters; plus I am not an employee of GCP, so I forcefully have to use the GCP link. haha :) Thanks for providing details on the subnet part, I missed it. – Harsh Manvar Oct 20 '21 at 16:25
  • @NishchalDinesh Understood, thanks for your answer! – Dagang Oct 20 '21 at 17:11
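The answer above restricts the LoadBalancer Service with loadBalancerSourceRanges, and the comments add the two points that bite in practice: node IPs change as the Dataproc cluster scales (so whitelist the subnet, or a NAT address), and a Service with no source ranges at all admits 0.0.0.0/0. The script below is an added example, not code from the answer or the comments: it checks a Service manifest before you apply it, reporting which client IPs would be rejected and which ranges are wider than the intended clients. The subnet 10.128.0.0/20, the node addresses and the NAT address 203.0.113.7 are constructed placeholders; the real subnet comes from `gcloud compute networks subnets describe SUBNET --region REGION --format='value(ipCidrRange)'`.

```python
"""Pre-apply check for loadBalancerSourceRanges on a Kubernetes Service.

Added example, not code from the original answer. All addresses below are
constructed for illustration: 10.128.0.0/20 stands in for the VPC subnet the
Dataproc cluster is allocated from, and 203.0.113.7 stands in for a Cloud NAT
address used when the cluster's traffic leaves the VPC.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional

# Constructed Service manifest in the same shape as the one in the answer,
# written as a dict so the check runs without a YAML parser.
SERVICE: Dict = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "postgres"},
    "spec": {
        "type": "LoadBalancer",
        "ports": [{"port": 5432, "targetPort": 5432}],
        "selector": {"app": "postgres"},
        # Only the (assumed) Dataproc subnet may reach the load balancer.
        "loadBalancerSourceRanges": ["10.128.0.0/20"],
    },
}


def source_ranges(service: Dict) -> List[ipaddress.IPv4Network]:
    """Parse spec.loadBalancerSourceRanges.

    A LoadBalancer Service without the field accepts traffic from anywhere,
    so an absent or empty list is reported as 0.0.0.0/0 rather than as
    "no ranges".
    """
    ranges = service.get("spec", {}).get("loadBalancerSourceRanges") or []
    if not ranges:
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def uncovered_clients(service: Dict, client_ips: Iterable[str]) -> List[str]:
    """Client addresses (Dataproc node IPs, or the NAT IP) that no range admits.

    Anything returned here would be dropped by the load balancer, which is
    the connection failure the question describes.
    """
    nets = source_ranges(service)
    missing = [
        ip for ip in client_ips
        if not any(ipaddress.ip_address(ip) in net for net in nets)
    ]
    return sorted(missing, key=ipaddress.ip_address)


def overly_broad_ranges(service: Dict) -> List[str]:
    """Ranges that admit more than the intended clients.

    Flags the implicit or explicit 0.0.0.0/0 and any public range wider than
    a single host (/32): the only public source a Dataproc cluster behind
    Cloud NAT should present is that one NAT address.
    """
    findings = []
    for net in source_ranges(service):
        if net.prefixlen == 0:
            findings.append(str(net))
        elif not net.is_private and net.prefixlen < 32:
            findings.append(str(net))
    return findings


def recommended_ranges(subnet_cidr: str, nat_ip: Optional[str] = None) -> List[str]:
    """Build the list to put in loadBalancerSourceRanges: the whole Dataproc
    subnet (node IPs change as the cluster scales) plus the NAT IP as a /32
    when the traffic leaves the VPC."""
    ranges = [str(ipaddress.ip_network(subnet_cidr, strict=False))]
    if nat_ip:
        ranges.append(f"{ipaddress.ip_address(nat_ip)}/32")
    return ranges


if __name__ == "__main__":
    # Constructed Dataproc node addresses: two inside the subnet, one outside.
    nodes = ["10.128.0.5", "10.128.15.254", "10.129.0.1"]
    print("uncovered clients:", uncovered_clients(SERVICE, nodes))
    print("overly broad ranges:", overly_broad_ranges(SERVICE))
    print("recommended ranges:", recommended_ranges("10.128.0.0/20", "203.0.113.7"))
```

Run it against the manifest you intend to apply; an empty list from both checks, plus a source-range list that matches `recommended_ranges` for your real subnet and NAT address, is the state to aim for before replacing the public load balancer.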