
I've got Kubernetes running on Google Cloud, and I have one service connected to a pod with a Nodejs server, and another service connected to a pod with NGINX. In the NGINX pod, I have a location block that I would like to globally deny except if it comes from the Nodejs pod.

What would be the right way to do this in my NGINX conf file?

What I have at the moment, below, is always being denied by the location block... I'm using the environmental variable for the Nodejs service that is automatically added to the NGINX pod when it is created.

location /target {

  deny all;
  allow 1.2.3.4; #NODEJS_SERVICE_HOST;

  return 200;
}
Petrov

1 Answer


From a Kubernetes perspective this doesn't look like the best approach: restricting access via a Pod's IP address does not guarantee the rule persists. Once a particular Pod is rescheduled, its network IP address could change, according to the Kubernetes networking model.

You might consider using a DNS discovery mechanism in order to establish name resolution between K8s Pods and their corresponding services. However, I'm not sure whether this would be an efficient solution, since Nginx needs to be supplied with additional modules performing DNS lookups for A records, which can seriously affect Pod performance.

Basically, Kubernetes provides Network Policies that fulfil such tasks. I would encourage you to review the relevant example for adopting a network policy with a label-based restriction in a more straightforward way.

Nick_Kh
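As an added illustration of the label-based NetworkPolicy the answer recommends (this is example configuration, not part of the original question or answer), the manifest below allows only Pods labelled app=nodejs to reach the NGINX Pod. The labels app=nginx and app=nodejs, the default namespace and port 80 are assumptions; the cluster's network plugin must enforce NetworkPolicy (on GKE, network policy enforcement has to be enabled).

```yaml
# Added example, not from the original question or answer.
# Assumed labels: NGINX Pod app=nginx, Node.js Pod app=nodejs, both in "default".
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: nginx-allow-from-nodejs
  namespace: default
spec:
  # Select the NGINX Pod(s) by label rather than by IP, so the rule
  # keeps working when the Pod is rescheduled and gets a new address.
  podSelector:
    matchLabels:
      app: nginx
  policyTypes:
    - Ingress
  ingress:
    # Once a Pod is selected by a policy, any ingress not matched here is
    # dropped: only Pods carrying app=nodejs may connect to TCP/80.
    - from:
        - podSelector:
            matchLabels:
              app: nodejs
      ports:
        - protocol: TCP
          port: 80
```

Note that a NetworkPolicy filters on Pod identity and port, not on URL path, so it protects the whole NGINX listener rather than a single location block such as /target.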