Connect to Private Kubernetes Services with the Netmaker Operator

Published January 26, 2026

Overview

Accessing a Kubernetes service from outside the cluster typically requires a public Ingress object, reachable over a public network. The Netmaker Operator uses a custom service object (Ingress Proxy Service) that makes private services accessible directly over a VPN.

By deploying Netmaker’s custom Ingress Proxy Service object within a namespace, administrators can make private cluster services accessible by users, devices, and resources located outside of the cluster, directly and securely via private IP or DNS.

Once deployed, administrators can configure access within the Netmaker console, specifying which users and resources have access to the private Kubernetes service.

How it Works

When you create a Kubernetes Service with Netmaker’s ingress annotations, the operator sets up an ingress proxy that listens on the Netmaker network and forwards traffic to your Kubernetes Service. Devices on the Netmaker network can then access your Kubernetes services using the Netmaker IP address or DNS name. 

Once the Netmaker Operator is deployed on your cluster, configuration is easy. To configure a Service as an ingress proxy, simply add the following annotations:

metadata:
  annotations:
    netmaker.io/ingress: "enabled"
    netmaker.io/ingress-dns-name: "my-app.netmaker.internal"

The rest of the Service definition should be configured normally, and the ingress proxy will forward traffic to it.

How Devices on a Netmaker Network Access Kubernetes Services

  1. A local device, running our VPN client, makes a network request to the service via the assigned private ingress proxy IP or DNS name (e.g. my-db.netmaker.internal).
  2. The Ingress Proxy pod receives the request over the private network.
  3. The proxy forwards the request to the designated Kubernetes Service.
  4. The Kubernetes Service routes the request to your application’s pods.
  5. The response follows the reverse path back to your local device.

Example: Exposing a Kubernetes Database

In this example, we expose a PostgreSQL database running on Kubernetes, using a Service with Netmaker’s ingress annotations.

apiVersion: v1
kind: Service
metadata:
  name: my-db-service
  namespace: default
  annotations:
    netmaker.io/ingress: "enabled"
    netmaker.io/ingress-dns-name: "my-db.netmaker.internal"
spec:
  ports:
  - name: postgres
    port: 5432
    targetPort: 5432
    protocol: TCP
  selector:
    app: postgres
  type: ClusterIP

Once the Service is created, devices on your Netmaker network can access the Kubernetes service:

Using the Private IP Address Created by Netmaker:

psql -h 10.0.0.50 -p 5432 -U postgres # Using the ingress proxy's Netmaker IP

Using a DNS Name (if configured):

psql -h my-db.netmaker.internal -p 5432 -U postgres # Using assigned DNS name
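
To confirm that Services annotated for the ingress proxy stay private, an administrator can audit the output of kubectl get services -A -o json with a check like the one below. This is an added example, not code from Netmaker or the operator; the rule that an annotated Service should not also be of type LoadBalancer or NodePort or carry externalIPs is an assumption of this example, and the sample Services other than my-db-service are constructed.

```python
import json

# Annotation keys and the "enabled" value are the ones shown on this page.
INGRESS_KEY = "netmaker.io/ingress"
DNS_KEY = "netmaker.io/ingress-dns-name"
# Assumption of this example: a proxied Service should not also be published directly.
DIRECT_TYPES = {"LoadBalancer", "NodePort"}

def audit_services(service_list):
    """Return {namespace/name: [findings]} for each Service annotated for the ingress proxy."""
    report = {}
    for svc in service_list.get("items", []):
        meta = svc.get("metadata", {})
        annotations = meta.get("annotations") or {}
        if annotations.get(INGRESS_KEY) != "enabled":
            continue  # not handled by the ingress proxy
        spec = svc.get("spec", {})
        findings = []
        svc_type = spec.get("type", "ClusterIP")  # Kubernetes defaults to ClusterIP
        if svc_type in DIRECT_TYPES:
            findings.append(f"type {svc_type} exposes the Service outside the Netmaker network")
        if spec.get("externalIPs"):
            findings.append("externalIPs set: " + ", ".join(spec["externalIPs"]))
        if not annotations.get(DNS_KEY):
            findings.append("no ingress-dns-name: reachable by Netmaker IP only")
        key = f"{meta.get('namespace', 'default')}/{meta.get('name')}"
        report[key] = findings
    return report

# Constructed sample in the shape of `kubectl get services -A -o json`.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "my-db-service", "namespace": "default",
   "annotations": {"netmaker.io/ingress": "enabled",
                   "netmaker.io/ingress-dns-name": "my-db.netmaker.internal"}},
  "spec": {"type": "ClusterIP", "ports": [{"port": 5432}]}},
 {"metadata": {"name": "reports", "namespace": "ops",
   "annotations": {"netmaker.io/ingress": "enabled"}},
  "spec": {"type": "LoadBalancer", "ports": [{"port": 443}]}},
 {"metadata": {"name": "web", "namespace": "default"},
  "spec": {"type": "ClusterIP", "ports": [{"port": 80}]}}
]}
""")

if __name__ == "__main__":
    for name, findings in audit_services(SAMPLE).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

An empty findings list means the Service is reachable only through the ingress proxy under the assumptions above; the missing DNS name is informational, since the DNS annotation is optional.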

Conclusion

The Netmaker Operator provides a new way to connect to services on Kubernetes that is both private and secure. By adding a simple annotation to your Kubernetes services, you can give developers and administrators the access they need, without having to expose these services insecurely over a public network.

To learn more about the Netmaker Operator, visit our docs and the GitHub repository.
