Kubernetes pod as a bastion host – Java Code Geeks


In Cloud Native applications, private networks, databases and services are a reality.

An infrastructure can be completely private and only a limited number of entry points can be available.

Obviously, the fewer entry points there are, the better.

There are still cases where private services exist but no infrastructure has been put in place to connect to them. However, if there is access through Kubernetes, HAProxy can help.

HAProxy can accept a configuration file. It is easy to store this file in a ConfigMap and then mount the ConfigMap on a Kubernetes pod. The HAProxy pod will then start with this configuration and establish a proxy connection.

Let's start with the HAProxy configuration. The target would be a MySQL database with a private IP.

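apiVersion: v1
data:
  haproxy.cfg: |-
    defaults
        timeout client          30s
        timeout server          30s
        timeout connect         30s

    frontend frontend
        # local address and port HAProxy listens on (address is a placeholder;
        # 3306 matches the pod port used by the port-forward command)
        bind                    <LISTEN_ADDRESS>:3306
        default_backend backend

    backend backend
        mode                    tcp
        # private IP and port of the MySQL database (placeholders)
        server upstream <MYSQL_PRIVATE_IP>:<MYSQL_PORT>
kind: ConfigMap
metadata:
  creationTimestamp: null
  name: mysql-haproxy-port-forward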

On the backend's upstream server line we just add the IP and the port of the database; on the frontend we specify the local address and port that HAProxy will listen on.

By doing the above, we have a way to mount the config file on our Kubernetes pod.

Now let's create the pod:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: mysql-forward-pod
  name: mysql-forward-pod
spec:
  containers:
    # start HAProxy with the configuration file mounted from the ConfigMap
    - command:
      - haproxy
      - -f
      - /usr/local/etc/haproxy/haproxy.cfg
      - -V
      image: haproxy:1.7-alpine
      name: mysql-forward-pod
      resources: {}
      volumeMounts:
        - mountPath: /usr/local/etc/haproxy/
          name: mysql-haproxy-port-forward
  dnsPolicy: ClusterFirst
  restartPolicy: Always
  volumes:
    # expose the ConfigMap as a volume so haproxy.cfg appears as a file
    - name: mysql-haproxy-port-forward
      configMap:
        name: mysql-haproxy-port-forward
status: {}

In the volume section, we define the configmap as a volume. In the container section, we mount the configmap on a path thus having access to the file.
We use a HAProxy image and provide the command to start HAProxy using the file we mounted before.

To test that this works, use a kubectl session that has port-forwarding permissions and run:

kubectl port-forward mysql-forward-pod 3306:3306

You will then be able to access MySQL from localhost.
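
Anyone who can port-forward to this pod can reach the database, so the permissions around the pod define the real entry point. The manifests below are an added example, not part of the original article: a Role and RoleBinding that allow one user to port-forward to this pod only, and a NetworkPolicy that limits the pod's egress to the database. The namespace, the user name and the database address are assumptions.

```yaml
# Added example. Assumptions (not from the article): namespace "default",
# user "jane", database at 192.0.2.10:3306 (documentation-range address).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: mysql-forward-port-forward
  namespace: default
rules:
  # kubectl port-forward reads the pod, then opens its portforward subresource.
  - apiGroups: [""]
    resources: ["pods"]
    resourceNames: ["mysql-forward-pod"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["pods/portforward"]
    resourceNames: ["mysql-forward-pod"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: mysql-forward-port-forward
  namespace: default
subjects:
  - kind: User
    name: jane
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: mysql-forward-port-forward
  apiGroup: rbac.authorization.k8s.io
---
# Enforced only if the cluster's network plugin implements NetworkPolicy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mysql-forward-pod-egress
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: mysql-forward-pod
  policyTypes: ["Egress"]
  egress:
    - to:
        - ipBlock:
            cidr: 192.0.2.10/32
      ports:
        - protocol: TCP
          port: 3306
```

Deleting the pod when the session is over closes the path to the database again.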

Posted on Java Code Geeks with the permission of Emmanuel Gkatziouras, partner of our JCG program. See the original article here: Pod Kubernetes as a bastion host
