Closed danbopes closed 6 years ago
Setting up a node selector in the service is the most direct way. Another way is to get the node selector from the pods belonging to the service.
@hzxuzhonghu Setting up a nodeSelector in the service doesn't affect the load balancer rules. The load balancer still routes to all 3 nodes, and traffic from the non-front-end nodes is simply routed to the front-end nodes in the proxy layer. A DDoS attack could still bring them down.
Yes. Not just adding a selector, but also setting up the selected nodes on the LB. In this way, traffic from outside would not affect backend nodes. By the way, there are many methods to prevent DDoS in front.
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale
@danbopes What about setting externalTrafficPolicy=Local on Service and force LB to only forward traffic to the nodes that have your frontend pods running?
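The setup suggested in the comment above, as an added example that is not part of the original thread: frontend pods are pinned to labelled nodes, and the Service uses `externalTrafficPolicy: Local` so that only nodes with a local frontend pod pass the load balancer's health check. The names, the `role=frontend` label and the image are assumptions; the manifests use current API versions, and the `externalTrafficPolicy` field needs Kubernetes 1.7 or later, which is newer than the v1.6.6 reported in this issue.

```yaml
# Added example; all names, labels and the image are hypothetical.
# Label the intended ingress nodes first:
#   kubectl label node <node-name> role=frontend
apiVersion: apps/v1
kind: Deployment
metadata:
  name: frontend
spec:
  replicas: 2
  selector:
    matchLabels:
      app: frontend
  template:
    metadata:
      labels:
        app: frontend
    spec:
      # Schedule frontend pods only on nodes labelled role=frontend.
      nodeSelector:
        role: frontend
      containers:
      - name: web
        image: registry.example.com/frontend:1.0   # placeholder image
        ports:
        - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: frontend
spec:
  type: LoadBalancer
  # Local: a node delivers external traffic only to pods running on that node
  # (no second hop to another node), and the client source IP is preserved.
  # Kubernetes allocates spec.healthCheckNodePort; nodes without a local
  # frontend pod fail that health check, so the cloud load balancer stops
  # sending them traffic.
  externalTrafficPolicy: Local
  selector:
    app: frontend
  ports:
  - port: 80
    targetPort: 8080
```

To confirm the health check port was allocated, run `kubectl get svc frontend -o jsonpath='{.spec.healthCheckNodePort}'`. Traffic is spread per node rather than per pod under this policy, so keep the number of frontend pods per node even.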
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
/remove-lifecycle stale
Is this a BUG REPORT or FEATURE REQUEST?:
/kind feature
/sig network
What happened: When I set up a load balancer for my frontend service, I notice it's forwarding traffic to each of my nodes. In case of a possible DDoS attack, I'd like the front-end nodes to be isolated to prevent the back-end nodes from being overloaded as well.
What you expected to happen: When setting up a LoadBalancer service, I should be able to set up a nodeSelector (or it should read from the deployment associated with the service), and it should understand what nodes should receive traffic, and only route to nodes of that type.
Anything else we need to know?:
Environment:
kubectl version: v1.6.6