Closed gothub closed 3 years ago
The more I read about NodePort the less I'm convinced it'll work within our constraints, primarily due to the insecurities with it (whitelisting IPs) and the number of hoops to jump though to try and remedy them. From what I can tell it looks like the LoadBalancer type would be better (if we have a load balancer) since we can set source IP ranges. If we can use the ingress controller in front of the NodePort to handle the restrictions, that might work.
@ThomasThelen the ingress controller we are using works with "ClusterIP" based services, IIRC, and these are not addressable outside the cluster's internal network, so rely on the ingress controller for routing.
If you have ideas on a different solution, please post here.
It sounds like we're cornered into using a NodePort because that's the only config option left which allows us to expose the service (and we can still cleanlist IPs with the ingress controller)
For our bare-metal k8s installation, we use an ingress controller that creates a NodePort.
It appears that behind the scene, k8s uses iptables to allow all traffic to all services that create NodePorts, independent of any ufw entered 'ALLOW' rules. The rational behind this may be to allow health checks.
On our dev k8s control node:
I believe that the ingress controller is secure, as URLs it doesn't know how to route are 'dumped' into a backend server that just displays a 404 error page.
So, we need to consider if making other services or UIs using NodePorts available on other ports is secure and desirable.