3

I have multiple services running on port 80.

I am now deploying another service which runs on port 3310 (virus scanner). If I try to use nginx, I don't seem to be able to get the ports working correctly. I read somewhere that nginx only works for the standard ports.

So I've gone down the route of using a load balancer service. This works perfectly, but with the added cost of an additional IP address etc.

Is there any way of continuing to use the nginx ingress for this non-standard port, and hence removing the need for the additional external access to the cluster?

Nick
Kevin
  • Shall that virus scanner be accessible from the Internet or just locally? Do you have control over your domain names? The very first idea is to expose that scanner via a Service and create a rewrite rule in the Nginx ingress if the scanner supports http/https. – Nick May 20 '20 at 14:22
  • No, not necessarily. I want it open to function apps though, so it's not fully within the cluster. I'm using Azure, so I can use the NSG if I use the load balancer route. And yes, I have control over domains and have pointed an A record to the IP address. – Kevin May 20 '20 at 23:04

2 Answers

4

If the virus scanner on port 3310 accepts HTTP/HTTPS connections, then you can use an ingress controller. Ingress resources will accept incoming traffic on ports 80 and 443 only. You will need to expose that service with either a different hostname or path to identify which requests to send to your antivirus service.

If you require TCP/UDP connections to the service, you can create a ConfigMap which is read by the nginx ingress controller. You will need to pass the parameter --tcp-services-configmap to the nginx ingress controller on startup (via container args in the ingress controller Deployment resource).

Given this sample ingress controller Deployment resource, you would add the parameter --tcp-services-configmap=default/tcp-controller-configmap to the end of the file as another element in the args list.

The ConfigMap would look something like this:

apiVersion: v1
kind: ConfigMap
metadata:
  name: tcp-controller-configmap
  namespace: default
data:
  # key: port the ingress controller listens on; value: namespace/service:port
  # (quoted, because ConfigMap data keys must be strings)
  "3310": "default/name-of-your-av-service:3310"
bpdohall
  • I don't think it does, but how would I know for sure? I did originally try nginx ingress and pointed a domain to the k8s IP, then tried to use a service to map port 80 to 3310, but it just didn't work, hence going down the load balancer way. It's not a big deal leaving it how it is now, but wanting to follow best practice and all makes me question what I've done so far – Kevin May 20 '20 at 23:05
  • @Kevin, I'm assuming that you're running ClamAV, which accepts TCP socket connections. That is not a service you should be exposing to the public internet. Ensure you are able to limit incoming connections on port 3310 to only systems you control. I've updated my answer with more details on the configuration change you need to make to expose the TCP port. – bpdohall May 21 '20 at 10:11
  • You are absolutely spot on. Right now, I've used the load balancer method and used the Azure NSG to limit connections to the ports from "allowed" IPs and services; however, if I was to use nginx ingress I would use the nginx annotation whitelist. I'll have a look at that confirmation stuff, didn't realise you could do that. Thanks – Kevin May 22 '20 at 17:42
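The full set of objects the TCP passthrough needs, as an added example (not from the answer above or from the ingress-nginx project). It assumes the controller is installed in namespace ingress-nginx with a Deployment and a LoadBalancer Service both named ingress-nginx-controller, that the scanner pods carry the label app: clamav and sit behind a Service named clamav in namespace default, and that 203.0.113.0/24 stands in for the callers' real address range. The point the answer's ConfigMap alone does not show: the controller's own Service must also publish port 3310, and restricting callers for a TCP service happens on that Service (or at the cloud network layer), not through the HTTP-level whitelist-source-range Ingress annotation, which does not apply to stream passthrough.

```yaml
# Added example; names below are assumptions, not taken from the question or answer.
---
# 1. Backend: an internal-only Service in front of the scanner pods.
apiVersion: v1
kind: Service
metadata:
  name: clamav
  namespace: default
spec:
  type: ClusterIP            # no external exposure of its own
  selector:
    app: clamav              # assumed pod label
  ports:
    - name: clamd
      protocol: TCP
      port: 3310
      targetPort: 3310
---
# 2. TCP services map read by the controller via --tcp-services-configmap.
#    Key: port the controller listens on; value: namespace/service:port.
#    Keys are quoted because ConfigMap data keys must be strings.
apiVersion: v1
kind: ConfigMap
metadata:
  name: tcp-services
  namespace: ingress-nginx
data:
  "3310": "default/clamav:3310"
---
# 3. The controller's LoadBalancer Service must publish port 3310 too;
#    the ConfigMap only makes nginx listen inside the pod.
#    loadBalancerSourceRanges limits who can reach every listed port at the
#    cloud load balancer (placeholder CIDR; replace with the real caller range).
#    If this Service already exists, merge the extra port into it rather
#    than replacing it.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  type: LoadBalancer
  loadBalancerSourceRanges:
    - 203.0.113.0/24
  selector:                  # assumed labels of the controller pods
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/component: controller
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 80
    - name: https
      protocol: TCP
      port: 443
      targetPort: 443
    - name: clamd
      protocol: TCP
      port: 3310
      targetPort: 3310
```

The flag itself is added to the existing controller Deployment rather than to this file, for example with a JSON patch that appends to the container args: `kubectl -n ingress-nginx patch deployment ingress-nginx-controller --type=json -p='[{"op":"add","path":"/spec/template/spec/containers/0/args/-","value":"--tcp-services-configmap=ingress-nginx/tcp-services"}]'` (assumes the controller is the first container). After the rollout, `kubectl -n ingress-nginx get svc ingress-nginx-controller` should list 3310 alongside 80 and 443, and a connection to the load balancer IP on 3310 from outside the allowed range should be refused.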
1

You could access your virus scanner via a NodePort Service. You should already have external IP addresses assigned to your Nodes, so no extra costs.

You are right about Ingress entities only making ports 80 and 442 externally available. As per the K8s documentation, they seem to be designed that way.

Fritz Duchardt
  • I don't want to use NodePort as that'll open the same port on all nodes and the port range is very limited; I can't actually think where I'd use NodePort. But yes, you are right about not needing another IP this way – Kevin May 20 '20 at 23:08