Synopsis
It is common that some of your Workloads connect to external services such as databases that run outside your Kubernetes Cluster. These external services are usually secured and deployed in a private subnet.
My team currently uses Google Kubernetes Engine and we use GCP Memorystore (Redis as a Service) for caching. For us to access Memorystore securely, we would have to provision a VM that acts as a bastion host, but we found a better approach to deal with this.
Port-forwarding with TCP Proxy
All our services run in Kubernetes, and as much as possible we want to stick with the "kubectl everything" workflow when dealing with our services. All thanks to tecnativa/tcp-proxy, which makes TCP proxying really easy with Docker.
So basically, any external services that our Kubernetes Cluster can access can also be accessed locally by deploying this sucker.
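WARNING: This can be a security flaw in your case, but not for us. The proxy gives anyone who can port-forward to this Pod, and any workload in the cluster that can reach it on port 6379, a network path to the private service.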
# extensions/v1beta1 no longer serves Deployments (removed in Kubernetes 1.16); use apps/v1.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: redis-proxy
  name: redis-proxy
  namespace: default
spec:
  selector:
    matchLabels:
      app: redis-proxy
  template:
    metadata:
      labels:
        app: redis-proxy
    spec:
      containers:
        - image: tecnativa/tcp-proxy:latest
          imagePullPolicy: Always
          env:
            - name: LISTEN
              value: ":6379" # Address and port the proxy listens on inside the Pod.
            - name: TALK
              value: "10.1.1.5:6379" # Private address of Memorystore.
          name: redis-proxy
          resources:
            requests:
              cpu: 10m
              memory: 10Mi # Mebibytes; a memory value of "10m" would mean millibytes.
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      securityContext: {}
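With the tcp-proxy deployed, we can now just port-forward to the tcp-proxy Pod. The Pod created by the Deployment gets a generated name, so we point kubectl at the Deployment and let it pick the Pod.
kubectl port-forward deployment/redis-proxy 6379:6379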
And access Memorystore locally using redis-cli.
redis-cli -p 6379
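One way to narrow the exposure that the WARNING above refers to, as an added example that is not part of the original post: a NetworkPolicy that stops other Pods from connecting to the proxy, and a Role that grants only what the port-forward command needs. It assumes the cluster's network plugin enforces NetworkPolicy, that port-forward traffic (which reaches the Pod through the node, not from another Pod) is unaffected by the policy on your CNI, and a hypothetical RBAC group named redis-proxy-users.

```yaml
# Added example, not from the original post. Assumes a CNI that enforces
# NetworkPolicy and a hypothetical RBAC group "redis-proxy-users".
---
# Selects the proxy Pod and lists no ingress rules, so no other Pod in the
# cluster can open a connection to :6379 on it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: redis-proxy-deny-ingress
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: redis-proxy
  policyTypes:
    - Ingress
---
# Permissions needed to run `kubectl port-forward deployment/redis-proxy`.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: redis-proxy-port-forward
  namespace: default
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get"]            # resolve deployment/redis-proxy
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]    # find the Pod behind the Deployment
  - apiGroups: [""]
    resources: ["pods/portforward"]
    verbs: ["create"]         # open the forwarding stream
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: redis-proxy-port-forward
  namespace: default
subjects:
  - kind: Group
    name: redis-proxy-users   # hypothetical group name
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: redis-proxy-port-forward
  apiGroup: rbac.authorization.k8s.io
```

RBAC is additive, so this Role limits who can reach Memorystore only if no broader binding already grants pods/portforward in the namespace.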