digitalocean / digitalocean-cloud-controller-manager

Kubernetes cloud-controller-manager for DigitalOcean (beta)
Apache License 2.0

Question on how to access cluster through NodePort #140

Closed johndatserakis closed 5 years ago

johndatserakis commented 6 years ago

Hi there - beta DO Kubernetes user here - love the ease of use in setting up the cluster.

One thing that I was having trouble with was accessing the cluster at a NodePort. Sorry for the ignorance.

I've been using k8s on DO for a while now with my own droplets. I use 1 master and 2 nodes. What I'll do is have a service that exposes a specific NodePort, which I can then access by visiting $DROPLET_IP:$NODEPORT in the browser. I can do that with the IPs of any of the nodes in the cluster. Works great. I can even spin up a load balancer and point a domain to that exact port.

With the DO k8s beta - the host URL I'm given cannot be used the same way. It just gives an error when I try to access it at the port: $HOSTURL:$NODEPORT.

I see that the docs mention to use the host URL and not the IPs because the IPs can change. That's fine. But how can I access the NodePort in this case? Below is the example of a service that works great with my own cluster:

apiVersion: v1
kind: Service
metadata:
  name: $appName
  namespace: $appName
spec:
  type: NodePort            # exposes the service on every node's IP at nodePort
  ports:
  - port: 4000              # cluster-internal service port; targetPort defaults to this value
    nodePort: 30001         # must be within the cluster's NodePort range (30000-32767 by default)
  selector:
    app: $appName
    tier: backend

Also, when trying to access AWS RDS from my cluster, I need to set up firewall access in my RDS dashboard - so what do I put for the IPs of the droplets in my cluster so they are let through? Is the host something I can use here? It is the value I have to put in the Source field below. I guess the main question I have is how to provide the server's IP address to various services that need it.

(screenshot of the RDS firewall Source field, 2018-10-22)

Thank you

andrewsykim commented 5 years ago

@johndatserakis sorry for the super late response, I missed this in my inbox :(. Which host URLs are you referring to exactly? I don't think there are any at the moment that point to each droplet.

johndatserakis commented 5 years ago

Hey @andrewsykim - no problem! Although I did have to back out of the beta for now unfortunately and go back to my own K8s setup on DO.

The $HOSTURL I'm referring to is the URL that is provided from DO after creating the cluster. For example, it makes an appearance in the clusters -> cluster -> server property of the config.yml. Looks something like: https://XXXXXXXXXX-XXXX-XXXX-XXXX-XXXX-XXXX.k8s.ondigitalocean.com.

  1. Question is - how to access a NodePort using that host? With my custom DO K8s setup, I just access a set NodePort right at my master's IP like this: $DROPLET_IP:$NODEPORT. How do you use NodePort with the DO K8s beta? $HOSTURL:$NODEPORT doesn't work.

  2. Some services need physical IP addresses to allow whitelisting - like AWS RDS does in the example I put above. Because the IP addresses are dynamic, how do you handle something like that? Is it the Nodes that have dynamic IPs and not the Master? If you do not come in contact with this issue in your personal use, could you perhaps provide some direction on what works for you - to say, connect to external databases from your apps?

Thank you - appreciate the work on this!

peterver commented 5 years ago

@johndatserakis You could always run kubectl with the kubeconfig from your k8s cluster on DigitalOcean and then start a port-forward to the NodePort on a local port? I always do this if I want to connect to our galera cluster or mongo replset :)

To get the kubeconfig from digitalocean : https://www.digitalocean.com/docs/kubernetes/how-to/connect-with-kubectl/

And then locally you could do something like this:

kubectl --kubeconfig PATH_TO_YOUR_KUBECONFIG --namespace=NAMESPACE_THAT_YOUR_POD_IS_IN port-forward POD_NAME LOCAL_PORT:POD_PORT

For example, to connect to a pod mysql-0 in namespace data and route it to a local port 9090:

kubectl --kubeconfig mylocalkubeconfig.yaml --namespace=data port-forward mysql-0 9090:3306

And then for example in mysqlworkbench you can connect with 127.0.0.1:9090

For more information on port forwarding: https://kubernetes.io/docs/tasks/access-application-cluster/port-forward-access-application-cluster/

Hope this helps!
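The port-forward commands above run kubectl in the foreground. When the same approach is scripted, the first client connection races the tunnel coming up, and a forgotten tunnel leaves the database port reachable on the workstation after the task is done. The following is an added example (not code from this thread or from the DigitalOcean CCM project) that starts `kubectl port-forward` as a child process, waits until the local port actually accepts connections, runs a caller-supplied action, and always tears the tunnel down. It assumes `kubectl` is on PATH; the kubeconfig path, namespace `data`, pod `mysql-0` and ports `9090:3306` in `__main__` are the illustrative values from the comment above.

```python
"""kubectl port-forward as a managed child process (added example)."""
import socket
import subprocess
import time
from typing import Callable, List


def port_forward_argv(kubeconfig: str, namespace: str, pod: str,
                      local_port: int, pod_port: int) -> List[str]:
    """argv for: kubectl --kubeconfig K --namespace N port-forward POD L:P.
    kubectl binds the local end to localhost by default, so the forwarded
    pod port is not exposed on other interfaces of this host."""
    return [
        "kubectl", "--kubeconfig", kubeconfig, "--namespace", namespace,
        "port-forward", pod, f"{local_port}:{pod_port}",
    ]


def wait_for_port(host: str, port: int, timeout: float) -> bool:
    """Poll until a TCP connect to host:port succeeds; False once timeout elapses."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection((host, port), timeout=0.5):
                return True
        except OSError:  # refused / not yet listening: retry shortly
            time.sleep(0.1)
    return False


def with_port_forward(kubeconfig: str, namespace: str, pod: str,
                      local_port: int, pod_port: int,
                      action: Callable[[int], object],
                      timeout: float = 15.0) -> object:
    """Start the tunnel, run action(local_port) once it accepts connections,
    and always terminate kubectl afterwards, even if action raises."""
    proc = subprocess.Popen(
        port_forward_argv(kubeconfig, namespace, pod, local_port, pod_port),
        stdout=subprocess.DEVNULL, stderr=subprocess.PIPE,
    )
    try:
        if not wait_for_port("127.0.0.1", local_port, timeout):
            detail = ""
            if proc.poll() is not None:  # kubectl already exited: report why
                detail = proc.stderr.read().decode(errors="replace").strip()
            raise RuntimeError(
                f"port-forward to {pod} not ready after {timeout}s: {detail}")
        return action(local_port)
    finally:
        proc.terminate()
        try:
            proc.wait(timeout=5)
        except subprocess.TimeoutExpired:
            proc.kill()
            proc.wait()


if __name__ == "__main__":
    # Illustrative values from the comment above; a real action would open a
    # database client against 127.0.0.1:9090 instead of returning a string.
    def check(port: int) -> str:
        return f"tunnel up on 127.0.0.1:{port}"

    print(with_port_forward("mylocalkubeconfig.yaml", "data", "mysql-0",
                            9090, 3306, check))
```

`wait_for_port` is what makes the script reliable: kubectl prints "Forwarding from ..." only after the listener exists, and connecting before that fails with a refused connection. The `finally` block matters for the same reason the thread prefers port-forward over an open NodePort: the database is reachable only for the duration of the task.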

peterver commented 5 years ago

@johndatserakis In regards to whitelisting for ip addresses and getting 'static' ones for your services, take a look at floating ip addresses in DigitalOcean : https://blog.digitalocean.com/floating-ips-start-architecting-your-applications-for-high-availability/

They're very easy to setup, and don't cost you a dime unless you don't use them :)

peterver commented 5 years ago

@johndatserakis In regards to firewall access, you can also manage firewalls based on droplet tags. So potentially using a specific tag on droplets that need to be allowed access and then using that in the firewall rule could also ease management there?

johndatserakis commented 5 years ago

Thank you @peterver - I'll be sure to try the port-forward option soon. Thanks for your advice and help.

timoreimann commented 5 years ago

It looks like a solution to this issue has been found?

To complete the picture: in DOKS, both master and worker node IP addresses are currently subject to being rotated when machines get recycled / updated. An external process will need to ensure that consumers of host IP addresses receive updates as needed. (One way could be to use DNS and update the records when nodes change.)

Firewall-wise, NodePorts should be accessible by default.

I'll be closing this issue as CCM is not directly involved in the matter at hand. Thanks!
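The comment above says node IPs rotate and that an external process has to push the current set to whatever consumes them (DNS records, or the RDS allowlist from question 2 earlier in the thread). The following is an added example (not code from this thread or from the DigitalOcean CCM project) of that reconciliation step: it reads a node list in the shape `kubectl get nodes -o json` returns, collects every node's ExternalIP, and computes which /32 rules to add and remove. `SAMPLE_NODES` is a constructed, abbreviated document using TEST-NET addresses; a real job would obtain it from `kubectl get nodes -o json` with the cluster's kubeconfig and then call the RDS security-group or DNS provider API to apply the diff, which this example leaves to the caller.

```python
"""Reconcile an IP allowlist with a cluster's rotating node public IPs (added example)."""
import ipaddress
from typing import Dict, Set, Tuple

# Constructed sample: two nodes with public IPs and one node being recycled
# that has no ExternalIP yet.
SAMPLE_NODES: Dict = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"name": "pool-a-1"},
         "status": {"addresses": [
             {"type": "InternalIP", "address": "10.136.0.2"},
             {"type": "ExternalIP", "address": "203.0.113.10"},
             {"type": "Hostname", "address": "pool-a-1"}]}},
        {"metadata": {"name": "pool-a-2"},
         "status": {"addresses": [
             {"type": "InternalIP", "address": "10.136.0.3"},
             {"type": "ExternalIP", "address": "203.0.113.11"},
             {"type": "Hostname", "address": "pool-a-2"}]}},
        {"metadata": {"name": "pool-a-3"},
         "status": {"addresses": [
             {"type": "InternalIP", "address": "10.136.0.4"},
             {"type": "Hostname", "address": "pool-a-3"}]}},
    ],
}


def node_public_ips(nodes: Dict) -> Set[str]:
    """Collect every ExternalIP across the node list.

    A NodePort is served on each node's public address and pods egress from
    the public address of whichever node runs them, so every node must be in
    the allowlist, not only the one a pod happens to land on. A node with no
    ExternalIP (still provisioning or being recycled) contributes nothing
    until the next run.
    """
    ips: Set[str] = set()
    for node in nodes.get("items", []):
        for addr in node.get("status", {}).get("addresses", []):
            if addr.get("type") == "ExternalIP":
                # ip_address() rejects malformed values instead of passing
                # them on to a firewall API.
                ips.add(str(ipaddress.ip_address(addr["address"])))
    return ips


def host_cidrs(ips: Set[str]) -> Set[str]:
    """203.0.113.10 -> 203.0.113.10/32 (or /128 for IPv6), the form
    security-group rules take."""
    return {str(ipaddress.ip_network(ip)) for ip in ips}


def reconcile(current_cidrs: Set[str],
              node_ips: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Return (to_add, to_remove) for the rules this job manages.

    Pass only the CIDRs this job owns (tag them in the provider) so static
    entries such as an office address are never touched. Apply adds before
    removes so running pods keep connectivity, and do not skip the removes:
    a public IP released by a recycled droplet can be reassigned to someone
    else's machine, and a stale rule would let that machine reach the
    database.
    """
    desired = host_cidrs(node_ips)
    return desired - current_cidrs, current_cidrs - desired


if __name__ == "__main__":
    # 203.0.113.99 belonged to a node that has since been recycled.
    current = {"203.0.113.10/32", "203.0.113.99/32"}
    add, remove = reconcile(current, node_public_ips(SAMPLE_NODES))
    print("add:", sorted(add))        # ['203.0.113.11/32']
    print("remove:", sorted(remove))  # ['203.0.113.99/32']
```

The same `desired` set drives the DNS variant the comment mentions: publish one A record per node IP and delete records for IPs that are no longer present. Running this on a schedule (or from a controller watching Node events) is the "external process" the comment refers to.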

johndatserakis commented 5 years ago

Ok great. I went back to managing my k8s on DO manually - but I'll be sure to update my findings here as I attempt the solutions above. Thank you.