The issue
I recently ran into a simple yet interesting use case at work.
For various reasons, the network team forbids developer workstations from accessing the MongoDB database directly.
Only the Kubernetes platform has network access to the managed database service.
The solution
Looking at the previous drawing, you may see where this is going: developers can access the k8s cluster, and the k8s cluster can access the managed DB service ^^...
So... here is the plan:
Deploy a simple nginx k8s service configured to stream TCP connections from port 8080 to the desired ip:port, then use a port-forward to redirect connections from your computer to it.
Assuming your MongoDB listens on 100.101.102.103:27017:
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: mongodb-proxy
spec:
  # must match the pod template labels of the Deployment below,
  # otherwise the policy selects no pod at all
  podSelector:
    matchLabels:
      app.kubernetes.io/component: mongodb-proxy
  # allow-all in both directions (see the notes below)
  ingress:
    - {}
  egress:
    - {}
  policyTypes:
    - Ingress
    - Egress
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: mongodb-proxy
data:
  nginx.conf: |
    worker_processes auto;
    error_log /var/log/nginx/error.log notice;
    # pid file in /tmp because the container runs as a non-root user
    pid /tmp/nginx.pid;

    events {
      worker_connections 1024;
    }

    # plain TCP relay: no http block, nginx just streams bytes to the backend
    stream {
      upstream stream_backend {
        server 100.101.102.103:27017;
      }

      server {
        listen 8080 so_keepalive=on;
        proxy_connect_timeout 2s;
        proxy_pass stream_backend;
        proxy_timeout 10m;
      }
    }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mongodb-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/component: mongodb-proxy
  template:
    metadata:
      labels:
        app.kubernetes.io/component: mongodb-proxy
    spec:
      serviceAccountName: default
      securityContext: {}
      containers:
        - name: mongodb-proxy
          image: nginx/nginx-unprivileged
          imagePullPolicy: Always
          securityContext:
            readOnlyRootFilesystem: false
            runAsNonRoot: true
            runAsUser: 1000
            runAsGroup: 1000
          ports:
            - name: mongodb
              containerPort: 8080
              protocol: TCP
          resources:
            limits:
              cpu: 500m
              memory: 512Mi
            requests:
              cpu: 250m
              memory: 256Mi
          # the ConfigMap replaces the whole /etc/nginx directory, which is
          # fine here since only nginx.conf is needed
          volumeMounts:
            - name: mongodb-proxy
              mountPath: /etc/nginx
      volumes:
        - name: mongodb-proxy
          configMap:
            name: mongodb-proxy
First, deploy this k8s template.
Note that:
- the nginx config file is set directly within the template and put into the container using a ConfigMap, thanks k8s.
- the network policy is way too permissive: it allows all ingress and all egress (too lazy to write a tighter one, sorry)
- the nginx-unprivileged image has been used because of some security restrictions on our k8s cluster.
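Since the allow-all policy is the weak spot of the template, here is an added example (not from the original post) of what the tighter version looks like: a small shell function that renders a NetworkPolicy allowing the proxy pod to accept TCP only on its listen port and to reach only the single backend ip:port. The label `app.kubernetes.io/component` and the backend address come from the template above; the function and parameter names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: render a least-privilege
# NetworkPolicy for the mongodb-proxy pod. Selector label and backend
# address are taken from the template; everything else is assumed.
set -eu

# render_network_policy NAME BACKEND_IP BACKEND_PORT LISTEN_PORT
# Prints the policy on stdout; pipe it into `kubectl apply -f -`.
render_network_policy() {
  name=$1
  backend_ip=$2
  backend_port=$3
  listen_port=$4
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ${name}
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/component: ${name}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # any source (kubectl port-forward enters via the node), but only
    # the proxy's listen port
    - ports:
        - protocol: TCP
          port: ${listen_port}
  egress:
    # only the database host and only its port; no DNS rule is needed
    # because the nginx upstream is an IP literal
    - to:
        - ipBlock:
            cidr: ${backend_ip}/32
      ports:
        - protocol: TCP
          port: ${backend_port}
EOF
}

# policy_looks_right NAME BACKEND_IP BACKEND_PORT LISTEN_PORT
# Sanity check before applying: 0 when the backend CIDR and both ports
# appear in the rendered document.
policy_looks_right() {
  doc=$(render_network_policy "$@")
  printf '%s\n' "$doc" | grep -q "cidr: $2/32" &&
  printf '%s\n' "$doc" | grep -q "port: $3" &&
  printf '%s\n' "$doc" | grep -q "port: $4"
}

# usage:
#   render_network_policy mongodb-proxy 100.101.102.103 27017 8080 | kubectl apply -f -
```

Replace the `- {}` rules of the template with this output and the pod can no longer be used as a generic egress hop to anything else the cluster can reach.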
Now I just have to create a port-forward from my computer to the mongodb-proxy.
It should be something like:
kubectl port-forward deployment/mongodb-proxy 8080:8080
(I didn't test it; I use k9s to do that for me.)
Now I can access my DB directly from my computer using localhost:8080.
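The whole deploy / port-forward / connect sequence as one script, added here as an example and not part of the original post: it applies the template, waits for the rollout, forwards to the Deployment rather than to a pod name (pod names change on every restart), polls the local port until nginx answers, and kills the forward on exit. The manifest filename, the `LOCAL_PORT` variable and the helper names are assumptions; `mongodb-proxy` is the Deployment name from the template.

```shell
#!/bin/sh
# Added example, not from the original post: bring the proxy up and verify
# the local end of the port-forward actually accepts connections.
set -eu

MANIFEST=${MANIFEST:-mongodb-proxy.yaml}   # assumed filename of the template above
LOCAL_PORT=${LOCAL_PORT:-8080}             # local port to expose

# tcp_probe HOST PORT: 0 if a TCP connect succeeds, non-zero otherwise.
# Uses bash's /dev/tcp so it needs neither nc nor curl.
tcp_probe() {
  bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# wait_for_port HOST PORT TRIES: poll tcp_probe once per second.
wait_for_port() {
  tries=$3
  while [ "$tries" -gt 0 ]; do
    if tcp_probe "$1" "$2"; then
      return 0
    fi
    tries=$((tries - 1))
    sleep 1
  done
  return 1
}

proxy_up() {
  kubectl apply -f "$MANIFEST"
  kubectl rollout status deployment/mongodb-proxy --timeout=120s

  # Background port-forward; removed on exit so it never lingers.
  kubectl port-forward deployment/mongodb-proxy "${LOCAL_PORT}:8080" &
  pf_pid=$!
  trap 'kill "$pf_pid" 2>/dev/null || true' EXIT

  if ! wait_for_port 127.0.0.1 "$LOCAL_PORT" 15; then
    echo "local port ${LOCAL_PORT} never came up; check: kubectl logs deployment/mongodb-proxy" >&2
    exit 1
  fi
  echo "proxy reachable: point your MongoDB client at localhost:${LOCAL_PORT}"
  # Keep the forward alive until the user stops the script (Ctrl-C).
  wait "$pf_pid"
}

# usage: ./proxy-up.sh up
if [ "${1:-}" = "up" ]; then
  proxy_up
fi
```

The probe only proves that the forward is listening locally; a failed backend connection still shows up as nginx closing the stream, which is what `proxy_connect_timeout 2s` in the template makes visible quickly in the pod logs.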
This solution is very easy to set up, can be adapted to lots of other backends, and fits in a single small Helm file.