We have a SQL Server hosted on a cloud VPS and a kubernetes cluster hosted on Digital Ocean. I am using their kubernetes offering.
Our server the SQL Server sits on, has firewall rules to only allow whitelist IPs to connect to the SQL Server. So currently we add the IPs to each of the kubernetes nodes so they can each connect the the SQL Server.
This obviously isn’t scalable and is a challenge to maintain as any new node we have to add the IP to the firewall rule, etc…
I have been looking around at alternatives to this challenge, because I don’t think whitelisting kubernetes nodes is the right way to go. I also don’t think its very secure to open the server up to all IP’s and rely on authentication.
I have seen certificates can be used or a cloud proxy (however most of the proxy stuff is to so with Google’s platform, which isn’t relevant to us, our servers are just VPS’) I believe a proxy server sounds good, but I just wanted to hear some people’s opinions.
How is everyone else solving this issue?
Any feedback would be greatly appreciate 🙂
Advertisement
Answer
Whitelisting the subnet ranges is also not an option if you are running nodes in private subnets.
If you are running K8s on GKE or any other managed cloud provider like AWS you can create the NAT gateway so all requests will go outside via Single IP.
In a proxy server, you might face latency if a request gets redirected from the proxy server to the application.
Instead of creating a proxy the NAT gateway will forward all traffic from a single egress point would be a great approach to manage things.
If you are using GKE there is a ready IAC which you can apply and all your traffic will get forwarded from a single point IP.
IAC terraform: https://registry.terraform.io/modules/GoogleCloudPlatform/nat-gateway/google/latest/examples/gke-nat-gateway
You can refer this nice article : https://aviatrix.com/learn-center/answered-transit/how-do-i-make-all-outbound-traffic-appear-to-come-from-one-or-more-aws-ip-addresses/
A better approach is to put software defined solution in front of those worker VPCs that will provide a “central NAT” service.
If you are Digital ocean things might get harder to mange as they are not providing any option for the NAT & subnets ranges to configure, you have two options only.
- Use the affinity to schedule POD on a specific Node each time and whitelist Node IP into the database
- Create the Proxy instance and use that with the deployment and application will be using that
Read more at : https://www.digitalocean.com/community/questions/is-it-possible-to-have-a-static-outgoing-ip-in-kubernetes