3

I want to set up connections from a Kubernetes cluster (created via az acs create with mostly default settings) to an Azure PostgreSQL instance, and I'd like to know what source-IP range to enter in postgres HBA (this is the thing Azure calls a firewall-rule under az postgres server).

The thing is, although I can see from the console errors (when using psql to test) what the current IP is that the cluster requests come from

FATAL:  no pg_hba.conf entry for host "x.x.x.x" [...]

... I just don't see this IP address anywhere in the cluster properties - and anyway, it would seem a very fragile configuration to just whitelist this one IP address without knowing how it's assigned.

(In the Azure Portal, I do see one "Public IP" associated with the cluster master, but that's not the same as the IP seen by postgres, and, I assume, mainly for ingress.)

So ideally, does ACS let me control the outbound IP addresses for the cluster? And if not, can I figure out programmatically what IP or range of IPs to allow?

yungchin
  • Do you mean you want to connect PostgreSQL and an ACS K8S pod via the internet? – Jason Ye May 29 '17 at 08:16
  • Yes, well, more or less: the Azure Postgresql instance lives in the same region, so I suppose there's maybe a way to make them share a vnet? – yungchin May 29 '17 at 08:21
  • Are they in the same VNet? – Jason Ye May 29 '17 at 08:25
  • If that's possible that would be the perfect solution for us. I can't find any documentation on this though - would it have to be a feature request? (Edit: sorry keep hitting enter expecting a line break :) wanted to add, just to be clear, I'm talking about Azure Database for Postgresql https://learn.microsoft.com/en-us/cli/azure/postgres , so not a self-configured postgres on an Azure VM. ) – yungchin May 29 '17 at 08:59
  • I see, this is a service that works on the internet. You want to add IP ranges for ACS k8s, but you don't know the IP addresses of Azure k8s, right? – Jason Ye May 29 '17 at 09:14
  • Yep, that's exactly the problem. – yungchin May 29 '17 at 11:05

2 Answers

1

It should be the external IP for the node that the pod is scheduled on, e.g. on container engine:

$ kubectl get no -o wide
NAME                              STATUS    AGE       VERSION   EXTERNAL-IP       OS-IMAGE                             KERNEL-VERSION
gke-cluster-1-node-1              Ready     58d       v1.5.4    <example node IP> Container-Optimized OS from Google   4.4.21+

$ ssh gke-cluster-1-node-1
$ curl icanhazip.com
<example node IP>

$ kubectl get po -o wide | grep node-1
example-pod-1                                     1/1       Running   0          11d       <pod IP>      gke-cluster-1-node-1
$ kubectl exec -it example-pod-1 curl icanhazip.com
<example node IP>

ZoidbergWill
  • Thanks. It seems this info is missing on Azure ACS - it isn't in `kubectl describe node` output either, there's only a private address. But apart from that, it is also unclear to me what the guarantees are that the public IP is stable (stable in the sense "if I grab the IP this way, and write it to pg_hba.conf, does my connection still work tomorrow?") – yungchin May 29 '17 at 07:54
  • (Also, I should have clarified that this is maybe a question that's more about Azure Container Service specifics than it is about Kubernetes.) – yungchin May 29 '17 at 08:00
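The answer above points at the external IP of the node a pod runs on, and the comments raise the concern that such an IP may change. An added example (not from either answer) that turns this into a repeatable reconcile step: read `kubectl get nodes -o json`, collect the ExternalIP of every node, and emit one single-address `az postgres server firewall-rule` per node, deleting rules for nodes that no longer exist. The node JSON, resource group and server name are constructed sample values; nodes without a reported ExternalIP (as the comments say ACS nodes may be) are simply skipped rather than guessed.

```python
import json

# Constructed sample of `kubectl get nodes -o json`, trimmed to the fields used here.
SAMPLE_NODES_JSON = json.dumps({"items": [
    {"metadata": {"name": "k8s-agent-1"},
     "status": {"addresses": [{"type": "InternalIP", "address": "10.240.0.4"},
                              {"type": "ExternalIP", "address": "203.0.113.10"}]}},
    {"metadata": {"name": "k8s-agent-2"},  # reports no ExternalIP, like the ACS nodes described
     "status": {"addresses": [{"type": "InternalIP", "address": "10.240.0.5"}]}},
]})


def node_external_ips(nodes_json):
    """Map node name -> ExternalIP, for nodes that actually report one."""
    ips = {}
    for item in json.loads(nodes_json)["items"]:
        for addr in item["status"].get("addresses", []):
            if addr["type"] == "ExternalIP":
                ips[item["metadata"]["name"]] = addr["address"]
    return ips


def reconcile(desired, existing):
    """Compare desired {rule: ip} with the rules already on the server.

    Returns (to_add, to_remove). A rule whose IP changed is removed and re-added,
    so a node whose public address moved does not leave a stale address allowed.
    """
    to_add = {name: ip for name, ip in desired.items() if existing.get(name) != ip}
    to_remove = [name for name, ip in existing.items() if desired.get(name) != ip]
    return to_add, to_remove


def az_commands(resource_group, server, to_add, to_remove):
    """Render az CLI calls: one /32-style rule per node (start == end), never a broad range."""
    base = f"az postgres server firewall-rule {{op}} --resource-group {resource_group} --server-name {server} --name {{name}}"
    cmds = [base.format(op="delete", name=name) for name in to_remove]
    cmds += [base.format(op="create", name=name) + f" --start-ip-address {ip} --end-ip-address {ip}"
             for name, ip in to_add.items()]
    return cmds


if __name__ == "__main__":
    # In a scheduled job the existing rules would come from `az postgres server firewall-rule list`.
    existing = {"k8s-agent-1": "198.51.100.7", "retired-node": "198.51.100.8"}  # constructed
    add, remove = reconcile(node_external_ips(SAMPLE_NODES_JSON), existing)
    print("\n".join(az_commands("my-rg", "my-pg-server", add, remove)))
```

Running it on a schedule re-applies the rules whenever node addresses change, which is what makes per-node allow-listing workable despite the stability question raised in the comments.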
0

does ACS let me control the outbound IP addresses for the cluster? And if not, can I figure out programmatically what IP or range of IPs to allow?

Based on my knowledge, Azure Container Service exposes Docker applications to the public via an Azure load balancer, and the load balancer will get a public IP address.
By the way, we can't specify which public IP address will be associated with the Azure load balancer.

After we expose the application to the internet, we can add the public IP address to your PostgreSQL's postgres HBA.

Jason Ye
  • Please let me know if you would like further assistance. – Jason Ye May 29 '17 at 08:48
  • Thanks - does this also apply to outbound connections though? What I did to test above was connecting to a pod using `kubectl exec`, then running `psql` from the pod, and I think the IP this connection appears as to the postgres server is separate from any load balancer IPs? – yungchin May 29 '17 at 08:53
  • Which IP address can't you find in the cluster properties? Is it 167.220.255.8? – Jason Ye May 29 '17 at 09:54
  • Thanks, no it's this one: `no pg_hba.conf entry for host "23.97.169.xxx"` (the log masks the last digits unfortunately). – yungchin May 29 '17 at 11:07
  • You could try enabling all the IP ranges from Azure data centres, though that's a bit of a hacky solution, and difficult if pg_hba.conf doesn't support IP ranges. https://www.microsoft.com/en-za/download/details.aspx?id=41653 – ZoidbergWill May 30 '17 at 08:26