1

I have created an nginx pod and an nginx ClusterIP service and assigned an externalIP to that service, as below:

NAME                   TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                            AGE
test-nginx             ClusterIP   10.110.93.251    192.168.0.10        443/TCP,80/TCP,8000/TCP,5443/TCP   79m

In one of my application pods, I am trying to execute the command below and get the FQDN of it.

>>> import socket
>>> socket.getfqdn('192.168.0.10')
'test-nginx.test.svc.cluster.local'

It returns the nginx service FQDN instead of my host machine's FQDN. Is there a way to block DNS resolution only for the external IP? Or is there any other workaround for this problem?

prasanna kumar
  • Why did you assign an External-IP to a ClusterIP service? The Service type ClusterIP exposes the Service on a cluster-internal IP. Choosing this value makes the Service only reachable from within the cluster. – Ismael Clemente Aguirre May 30 '22 at 22:11
  • @IsmaelClementeAguirre This is because we want to access the nginx web server from the outside world. If I use a NodePort type of service, it gives me only high ports where I can access the nginx (like 30000 etc.), but I want to access the nginx on the same port (i.e. 443, 80). By assigning an external IP to this ClusterIP type service, I am able to access the nginx on the same port using my host machine IP. – prasanna kumar May 31 '22 at 04:50
  • If you run the `socket.getfqdn([name])` command, you will get a fully qualified domain name for `[name]`. And since you're giving the external IP address of your service as `[name]`, it will keep giving you the FQDN of your service. In order to obtain the host machine FQDN, use the IP address of your machine. – Ismael Clemente Aguirre May 31 '22 at 22:52

1 Answer

2

You assigned an external IP to a ClusterIP service in Kubernetes so you can access your application from outside the cluster, but you are concerned about the Pods having access to that external IP and want to block the DNS resolution.

This is not the best approach to your issue. Kubernetes has several ways to expose services without compromising security; for what you want, maybe a better option is to implement an Ingress instead.

As you can see in the diagram, the Ingress routes the incoming traffic to the desired service based on configured rules, isolating the outside world from your service and only allowing specific traffic in. You can also implement features such as TLS termination for your HTTPS traffic, and it performs load balancing by default.

Even further, if your main concern is security within your cluster, you can take a look at the Istio service mesh.
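As an added example (not from the question or the answer), here is the Service the question describes, with the externalIPs stanza that makes the address reachable from outside and gives it an in-cluster reverse DNS record, followed by the Ingress the answer recommends. The namespace test and the port 80 come from the question's output; the pod label app: test-nginx, the ingress class nginx, the hostname nginx.example.com and the TLS Secret test-nginx-tls are assumptions.

```yaml
# Before: the question's ClusterIP Service with an externalIP.
# Fix: delete the externalIPs stanza and add the Ingress below instead.
apiVersion: v1
kind: Service
metadata:
  name: test-nginx
  namespace: test
spec:
  type: ClusterIP
  selector:
    app: test-nginx          # assumed pod label
  externalIPs:
    - 192.168.0.10           # reachable from outside on every port listed below
  ports:
    - port: 80
      targetPort: 80
---
# After: external traffic enters only through the Ingress controller, and only
# requests matching the host/path rule are forwarded to test-nginx:80 inside
# the cluster. TLS is terminated at the controller with the assumed Secret.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-nginx
  namespace: test
spec:
  ingressClassName: nginx    # assumed controller class
  tls:
    - hosts:
        - nginx.example.com  # assumed hostname
      secretName: test-nginx-tls
  rules:
    - host: nginx.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: test-nginx
                port:
                  number: 80
```

With the externalIPs stanza removed, the Service keeps only its cluster IP, so a reverse lookup of the node's address from a pod no longer returns the Service name.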