Is possible to connect a DO K8s cluster with a DO Droplet private network?

January 27, 2019 2.3k views
DigitalOcean Networking PostgreSQL Kubernetes

Hi there, folks.

I do have a 3-node-sized DO K8s cluster (for my apps and services), and a DO Droplet that runs my PostgreSQL. I’m planning on connecting them together using a K8s external service pretty much like this article here.

But I don’t want to use an external IP connection to do so. I want to block external IPs from accessing my Postgres, and then connect my K8s cluster and my Postgres using a DO private network.

I know how to set up this network for my Postgres Droplet, but I don’t see such an option for my K8s cluster. Is there a way to join my cluster into this network? Any documentation on this subject?

Any help?
Thanks!

2 Answers

Works for me!

Your database server must be in the same region (e.g. NYC1) as your Kubernetes cluster.

Make sure your database server is only listening on the private IP address of your Droplet (not the public IP).

---
kind: Service
apiVersion: v1
metadata:
  name: mysql
spec:
  ports:
    - name: mysql
      port: 3306
      targetPort: 3306

---
kind: Endpoints
apiVersion: v1
metadata:
  name: mysql
subsets:
  - addresses:
      - ip: PRIVATE.IP.OF.DATABASE.DROPLET
    ports:
      - name: mysql
        port: 3306

  • Hey @alton,

    can you give us some more information about how you got this to work?

    What exactly do you mean by “Make sure your database server only listening to the private IP address of your droplet”? Do you mean the droplet that runs the database?

    Which IP do you use for the mysql database user ‘db-user’@’<IP>’?

    Thank you in advance!

    • Yes. I’m talking about the public IP and private IP of the Droplet where your database server resides.

      Please check the following:

      1. Is your database accessible remotely, using bind-address=0.0.0.0 in your MySQL configuration?

      2. Does your firewall block traffic from entering port 3306 through your public IP address?

      3. Does your firewall allow traffic to enter port 3306 through your private IP address?

      4. Which region is your database server in? Your Kubernetes cluster must be in the same region as your database server in order to access port 3306 at your private IP address.

      • I forgot to open the firewall for traffic through the private IP of the worker node(s).

        Thank you so much! Saved me hours!

  • Hello @alton,

    Might be completely wrong here - didn’t the question say the database server (PostgreSQL) is outside the k8s cluster and is hosted on a DO Droplet?

    If it’s outside the k8s cluster, how can one create a service as described above?

    Thanks!
    Pavan
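As an added example (not code from this thread or from DigitalOcean), here is a pre-apply check for the selector-less Service + Endpoints pattern in the answer above, applied to the PostgreSQL case from the question: it verifies that the Endpoints address is an RFC 1918 private IP (so the database is never reached over its public address), that the placeholder was actually replaced, and that the Service and Endpoints agree on name and ports. The manifests are modelled as parsed dicts; the IP 10.132.0.5 and the names are constructed sample values.

```python
import ipaddress

# RFC 1918 ranges; only these should appear as the external database address.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_external_service(service: dict, endpoints: dict) -> list:
    """Return a list of problems; an empty list means the pair looks sane."""
    problems = []
    if service["metadata"]["name"] != endpoints["metadata"]["name"]:
        problems.append("Service and Endpoints names differ; Kubernetes links them by name")
    if service.get("spec", {}).get("selector"):
        problems.append("Service has a selector; the endpoints controller would overwrite the manual Endpoints")
    ep_ports = {}
    for subset in endpoints.get("subsets", []):
        for addr in subset.get("addresses", []):
            try:
                ip = ipaddress.ip_address(addr["ip"])
            except ValueError:
                problems.append(f"endpoint address {addr['ip']!r} is not an IP; placeholder not replaced?")
                continue
            if not any(ip in net for net in PRIVATE_NETS):
                problems.append(f"endpoint {ip} is not an RFC 1918 address; traffic would leave the private network")
        for p in subset.get("ports", []):
            ep_ports[p.get("name")] = p["port"]
    # kube-proxy matches Service ports to Endpoints ports by name.
    for p in service["spec"]["ports"]:
        name, target = p.get("name"), p.get("targetPort", p["port"])
        if name not in ep_ports:
            problems.append(f"Service port {name!r} has no Endpoints port of the same name")
        elif ep_ports[name] != target:
            problems.append(f"Service targetPort {target} != Endpoints port {ep_ports[name]} for {name!r}")
    return problems


# Constructed sample manifests (already parsed from YAML).
SERVICE = {"kind": "Service", "apiVersion": "v1", "metadata": {"name": "postgres"},
           "spec": {"ports": [{"name": "postgres", "port": 5432, "targetPort": 5432}]}}
ENDPOINTS_OK = {"kind": "Endpoints", "apiVersion": "v1", "metadata": {"name": "postgres"},
                "subsets": [{"addresses": [{"ip": "10.132.0.5"}],
                             "ports": [{"name": "postgres", "port": 5432}]}]}
# Same object but pointing at a public (documentation-range) address.
ENDPOINTS_PUBLIC = {**ENDPOINTS_OK,
                    "subsets": [{"addresses": [{"ip": "203.0.113.7"}],
                                 "ports": [{"name": "postgres", "port": 5432}]}]}

if __name__ == "__main__":
    for label, ep in (("private", ENDPOINTS_OK), ("public", ENDPOINTS_PUBLIC)):
        print(label, check_external_service(SERVICE, ep) or "OK")
```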

DO support replied to me:

Kubernetes clusters use their own overlay network so it wouldn’t be possible to connect other Droplets to the cluster; you would have to expose a service on the cluster, through a Load Balancer typically, to be able to access the service from outside the cluster.

So I think that answers the question.

  • Did you manage to resolve this after that ticket?
    I’m looking to do the same (connect a small scaled cluster to a separate Droplet hosting the db) and running into seemingly the same issues.

    • For what it’s worth, here’s a solution to making your stuff connect through the internal network.

      Create a service of type NodePort that exposes what you’d like to expose – Note that this will expose the port on every IP address of the node itself (including public traffic), so you’ll have to update the firewall rules to block traffic that’s not coming from the internal network (10.0.0.0/8, 172.16.0.0/20, 192.168.0.0/16).

      Remember that NodePorts have to be above 30000.

      If you log on to one of your Droplets, you should be able to access the exposed service on the port. If you’re running a single instance, then you may have to figure out which node it’s running on (use kubectl describe pod <podname> to get the node’s internal IP). At this point, depending on what the service is, you can choose to set it up as a DaemonSet, or something of the sort, if it’s appropriate.

      In theory, you could set up a box within the cluster to act as an SSH proxy, and port forward accordingly, as if you were in the network, all the time. This approach also works for exposing microservices or APIs within the cluster to the rest of your private network.

      Hope that helps.
