I have a phpmyadmin service running on a Kubernetes cluster. I want to reserve an external (static) IP on Google Cloud to use with this service so that it can be reached from the internet.
I have tried reserving an IP address on GCP and used it in the kubernetes service file as below:
```yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    kompose.cmd: /snap/kompose/19/kompose-linux-amd64 convert
    kompose.version: 1.21.0 (992df58d8)
  creationTimestamp: null
  labels:
    io.kompose.service: phpmyadmin
  name: phpmyadmin
spec:
  externalIPs: [xx.xxx.xxx.xxx] # the external IP from Google Cloud
  ports:
  - name: "8080"
    port: 8080
    targetPort: 80
  selector:
    io.kompose.service: phpmyadmin
status:
  loadBalancer: {}
```
When I specify `spec.type: LoadBalancer`, the service is accessible from the internet with the default IP address that is generated from `type: LoadBalancer`.
I tried to change firewall rules for the External IP address by allowing Ingress on port 8080, but that did not work.
2 Answers
Firewall rules are applied at the instance level. They cannot prevent traffic from reaching the load balancer itself.
Reference : https://cloud.google.com/load-balancing/docs/https/#firewall_rules
Your GKE LB service might be creating the HTTP load balancer by default; maybe you can check out the NLB load balancer: https://cloud.google.com/load-balancing/docs/choosing-load-balancer#summary-of-google-cloud-load-balancers
All port : https://cloud.google.com/kubernetes-engine/docs/how-to/service-parameters#all_ports
Example : https://spring-gcp.saturnism.me/deployment/kubernetes/load-balancing/external-load-balancing
Instead of setting the `externalIPs`, you should set the `spec.loadBalancerIP` with the `spec.type` being of `LoadBalancer` value:

Note that exposing your Pods through an external static IP only supports regional load balanced traffic, hence your reserved static IP address needs to be regional.

For a global IP address, you need to expose an HTTP(S) Load Balancer through an `Ingress` object.
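The Service from the question rewritten the way this answer describes, as an added example that is not part of the original answer. The address name `phpmyadmin-ip`, the `REGION` placeholder and the `loadBalancerSourceRanges` restriction with its sample range are assumptions added here.

```yaml
# Added example, not from the original post.
# Reserve a REGIONAL address in the cluster's region first, for instance:
#   gcloud compute addresses create phpmyadmin-ip --region REGION
# (phpmyadmin-ip and REGION are placeholders.)
apiVersion: v1
kind: Service
metadata:
  name: phpmyadmin
  labels:
    io.kompose.service: phpmyadmin
spec:
  # Asks the cloud provider to provision an external load balancer.
  type: LoadBalancer
  # The reserved regional static IP (placeholder, as in the question).
  loadBalancerIP: xx.xxx.xxx.xxx
  # externalIPs is deliberately absent: it does not provision anything.
  # It only makes nodes accept traffic that already arrives for that
  # address, which a reserved but unattached cloud IP never does.
  #
  # Assumed hardening, not from the answers: limit which client ranges
  # may reach the phpMyAdmin login page through the load balancer.
  loadBalancerSourceRanges:
  - 203.0.113.0/24   # constructed documentation range, replace with your own
  ports:
  - name: "8080"
    port: 8080       # port exposed on the static IP
    targetPort: 80   # port the phpMyAdmin container listens on
  selector:
    io.kompose.service: phpmyadmin
```

`spec.loadBalancerIP` has been deprecated since Kubernetes v1.24 in favour of provider-specific annotations, so check which form your cluster version expects.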