We have a pod which acts as an SFTP server and needs to be exposed on port 22. It must be port 22 to give a seamless transition from our old infrastructure. This pod must be exposed externally, accessible from everything (i.e. 0.0.0.0/0). Port 22 is blocked on our GCP networks except for specific VMs for compliance, and this block covers our k8s nodes.

The three solutions we came up with, none of which we want to implement, were:

  • Using the cluster as the target tag, expose the entire cluster (too risky/compliance)
  • Limit the pod to one node, and expose only that node (no redundancy)
  • Create a new node pool specifically for this service, and expose only that node pool (has redundancy but expensive)

Is there any way that I haven't listed above in which we can expose this pod/load balancer without exposing other parts of the network?

When you expose your pod, or deployment, you do so with a Service. For your use case, you will want to use a Service of type LoadBalancer, which will create an external endpoint (external IP) and a corresponding GCE Network Load Balancer. Traffic will then be forwarded from the Load Balancer to the Node Port (in the 30000 range), which will then have traffic forwarded to the target port, which in your case is port 22.

What this means is that the pod is exposing port 22 but the GKE node (GCE VM) is exposing port 30xxx. GKE will handle creating the appropriate firewall rule for you.

Additionally, if you are concerned with security, you can also filter traffic based on source ranges.

  • I'm aware of having to use a LoadBalancer service. And as mentioned in the OP, the source range must be 0.0.0.0/0, so limiting the source range won't be much help. Furthermore, the port as exposed to the internet needs to be 22. People need to connect on port 22. We can't hide or use a different port; using the node port as you're suggesting would do this.
  • You can use LoadBalancer to expose port 22; however, this won't actually expose port 22 on any nodes and thus won't cause a security risk.
  • Little late to the party, but this might help someone: what @GNewbury said is the best approach for your needs. The NodePort will be in the 30000-32767 range, but this is only how it works behind the scenes; by using a LoadBalancer service type you are exposing your pod's port 22 only to the internet, with pod redundancy (if implemented) and with no new node pool, as you wanted.
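The setup the answer and comments describe, written out as an added example (not from the original thread): a LoadBalancer Service whose external `port` and pod `targetPort` are both 22 while `nodePort` is left for GKE to allocate in the 30000-32767 range, plus a two-replica Deployment for redundancy. The `sftp` namespace, names, labels and the image placeholder are assumptions.

```yaml
apiVersion: v1
kind: Service
metadata:
  name: sftp
  namespace: sftp          # assumed namespace
spec:
  type: LoadBalancer
  # Ingress allow-list; 0.0.0.0/0 matches the question's requirement.
  # GKE copies these ranges into the firewall rule it creates for the NLB.
  loadBalancerSourceRanges:
    - 0.0.0.0/0
  # Local keeps the client's real source IP visible to sshd (useful for
  # SFTP audit logs) and only routes to nodes actually running the pod.
  externalTrafficPolicy: Local
  selector:
    app: sftp
  ports:
    - name: ssh
      protocol: TCP
      port: 22             # port clients connect to on the external IP
      targetPort: 22       # port sshd listens on inside the pod
      # nodePort is deliberately unset: GKE allocates one in 30000-32767
      # and opens only that port on the nodes, never 22.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sftp
  namespace: sftp
spec:
  replicas: 2              # redundancy without a dedicated node pool
  selector:
    matchLabels:
      app: sftp
  template:
    metadata:
      labels:
        app: sftp
    spec:
      containers:
        - name: sftp
          image: REPLACE_WITH_YOUR_SFTP_IMAGE   # placeholder, not a real image
          ports:
            - containerPort: 22
```

After `kubectl apply`, `kubectl get svc sftp -n sftp` shows the external IP with `22:3xxxx/TCP`, and `gcloud compute firewall-rules list --filter="name~'^k8s-fw-'"` lists the rule GKE created, which allows only that allocated node port, so the existing block on tcp:22 to the nodes stays untouched.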

This article is reproduced from Stack Exchange / Stack Overflow.