Kubernetes pod as a Bastion Host
In cloud-native applications, private networks, databases and services are a reality.
An infrastructure can be fully private, exposing only a limited number of entry points.
Obviously, the more restricted the better.
Still, there are cases where no infrastructure has been set up to reach the private services. However, if there is access through Kubernetes, HAProxy can help.
HAProxy accepts a configuration file. Uploading that file as a ConfigMap and then mounting the ConfigMap into a Kubernetes pod is straightforward. The HAProxy pod can then start with that configuration and establish the proxy connection.
Let's start with the HAProxy configuration. The target is a MySQL database with a private IP.
apiVersion: v1
data:
  haproxy.cfg: |-
    global
    defaults
      # TCP mode for both frontend and backend: HAProxy refuses to start when an
      # http-mode frontend uses a tcp-mode backend, and MySQL is not HTTP anyway
      mode tcp
      timeout client 30s
      timeout server 30s
      timeout connect 30s
    frontend frontend
      bind 0.0.0.0:3306
      default_backend backend
    backend backend
      mode tcp
      server upstream 10.0.1.7:3306
kind: ConfigMap
metadata:
  creationTimestamp: null
  name: mysql-haproxy-port-forward
On the upstream we just add the IP and the port of the database; on the frontend we specify the local address and port HAProxy listens on.
With that in place, we have a config file to mount into our Kubernetes pod.
Now let's create the pod.
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: mysql-forward-pod
  name: mysql-forward-pod
spec:
  containers:
  - command:
    - haproxy
    - -f
    - /usr/local/etc/haproxy/haproxy.cfg
    - -V
    image: haproxy:1.7-alpine
    name: mysql-forward-pod
    resources: {}
    volumeMounts:
    - mountPath: /usr/local/etc/haproxy/
      name: mysql-haproxy-port-forward
  dnsPolicy: ClusterFirst
  restartPolicy: Always
  volumes:
  - name: mysql-haproxy-port-forward
    configMap:
      name: mysql-haproxy-port-forward
status: {}
In the volumes section we define the ConfigMap as a volume. In the containers section we mount that volume at a path, giving the container access to the file.
We use a HAProxy image and provide the command that starts HAProxy with the file we mounted.
To test that it works, use a kubectl session that has port-forward permissions and run

    kubectl port-forward mysql-forward-pod 3306:3306

You should now be able to access MySQL from your localhost.
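As an added example (not the article's own code), the whole procedure scripted in POSIX shell: it renders the HAProxy config and pod manifest for any private TCP target, puts `mode tcp` in `defaults` so frontend and backend agree, and deploys through the same kubectl steps described above. Assumed: kubectl is on the PATH with rights to create ConfigMaps and pods and to port-forward; the names and the 10.0.1.7:3306 values are constructed.

```shell
#!/bin/sh
# Added example (not the article's script): render the article's HAProxy
# config and pod manifest for any private TCP target, then deploy them.
set -eu

# 'mode tcp' sits in 'defaults' so frontend and backend agree: an http-mode
# frontend cannot use a tcp backend, and would not carry MySQL traffic anyway.
render_haproxy_cfg() {   # args: target_host target_port local_port
  printf '%s\n' 'global' 'defaults' '  mode tcp' \
    '  timeout client 30s' '  timeout server 30s' '  timeout connect 30s' \
    'frontend frontend' "  bind 0.0.0.0:$3" '  default_backend backend' \
    'backend backend' "  server upstream $1:$2"
}

# Pod manifest: the ConfigMap named $1 is mounted where the haproxy image
# looks for haproxy.cfg, and the container starts HAProxy with that file.
render_pod() {           # args: name (used for pod, container and volume)
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $1
spec:
  containers:
  - name: $1
    image: haproxy:1.7-alpine
    command: ["haproxy", "-f", "/usr/local/etc/haproxy/haproxy.cfg", "-V"]
    volumeMounts:
    - mountPath: /usr/local/etc/haproxy/
      name: $1
  volumes:
  - name: $1
    configMap:
      name: $1
EOF
}

# Create the ConfigMap from the rendered file, apply the pod, wait until it
# is Ready, then open the local port-forward (needs kubectl and a cluster).
deploy() {               # args: name target_host target_port local_port
  dir=$(mktemp -d)
  render_haproxy_cfg "$2" "$3" "$4" > "$dir/haproxy.cfg"
  kubectl create configmap "$1" --from-file="$dir/haproxy.cfg"
  render_pod "$1" | kubectl apply -f -
  kubectl wait --for=condition=Ready "pod/$1" --timeout=60s
  kubectl port-forward "pod/$1" "$4:$4"
}

# Constructed example call: deploy mysql-forward-pod 10.0.1.7 3306 3306
```

`kubectl create configmap --from-file` uses the file name as the key, so the mounted directory contains haproxy.cfg exactly as in the manifest above.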
Published on Java Code Geeks with permission by Emmanouil Gkatziouras, partner at our JCG program. See the original article here: Kubernetes pod as a Bastion Host