Share

Question

Hi there, folks.

I do have a 3-node-sized DO K8s cluster (for my apps and services), and a DO Droplet that runs my PostgreSQL. I’m planning on connecting them together using a K8s external service pretty much like this article here.

But I don’t want to use a external IP connection to do so, I want to block external IPs from accessing my Postgres, and then connect my K8s cluster and my Postgres using a DO private network.

I know how to setup this network for my Postgres Droplet, but I don’t see such option for my K8s cluster. Is there a way to join my cluster into this network? Any documentation on this subject?

Any help?
Thanks!

Answer 1

alton February 15, 2019

Works for me!

Your database server must be in same region (eg. NYC1) as your kubernetes cluster.

Make sure your database server only listening to the private IP address of your droplet (not public IP).

---
kind: Service
apiVersion: v1
metadata:
  name: mysql
spec:
  ports:
    - name: mysql
      port: 3306
      targetPort: 3306

---
kind: Endpoints
apiVersion: v1
metadata:
  name: mysql
subsets:
  - addresses:
      - ip: PRIVATE.IP.OF.DATABASE.DROPLET
    ports:
      - name: mysql
        port: 3306

Reply Report

sbe February 19, 2019

Hey @alton,

can you give us some more information about how you got this to work?

What exactly do you mean by “Make sure your database server only listening to the private IP address of your droplet”? Do you mean the droplet that runs the database?

Which IP do you use for the mysql database user ‘db-user’@’<IP>’?

Thank you in advance!
Reply Report
- alton February 19, 2019
  
  yes. i’m talking about the public IP and private IP of the droplet where your database server resides.
  
  please check the following …
  
  is your database accessible remotely using bind-address=0.0.0.0 in your mysql configuration?
  
  does your firewall block traffic from entering port 3306 through your public IP address?
  
  does your firewall allow traffic from entering port 3306 through your private IP address?
  
  which region is your database server in? your kubernetes cluster must be in the same region as your database server in order to access port 3306 at your private IP address
  
  Reply Report
  
  sbe February 19, 2019
  
  I forgot to open the firewall for traffic through the private IP of the worker node(s).
  
  Thank you so much! Saved me hours!
  
  Reply Report
pavanraga August 24, 2019

Hello @alton,

Might be completely wrong here - didn’t the question say the database server(PostgreSQL) is outside the k8 cluster and is hosted on a DO droplet?

If it’s outside k8 cluster, how can one create a service said above?

Thanks!
Pavan
Reply Report

Answer 2

sbe February 19, 2019

Hey @alton,

can you give us some more information about how you got this to work?

What exactly do you mean by “Make sure your database server only listening to the private IP address of your droplet”? Do you mean the droplet that runs the database?

Which IP do you use for the mysql database user ‘db-user’@’<IP>’?

Thank you in advance!
Reply Report
- alton February 19, 2019
  
  yes. i’m talking about the public IP and private IP of the droplet where your database server resides.
  
  please check the following …
  
  is your database accessible remotely using bind-address=0.0.0.0 in your mysql configuration?
  
  does your firewall block traffic from entering port 3306 through your public IP address?
  
  does your firewall allow traffic from entering port 3306 through your private IP address?
  
  which region is your database server in? your kubernetes cluster must be in the same region as your database server in order to access port 3306 at your private IP address
  
  Reply Report
  
  sbe February 19, 2019
  
  I forgot to open the firewall for traffic through the private IP of the worker node(s).
  
  Thank you so much! Saved me hours!
  
  Reply Report
pavanraga August 24, 2019

Hello @alton,

Might be completely wrong here - didn’t the question say the database server(PostgreSQL) is outside the k8 cluster and is hosted on a DO droplet?

If it’s outside k8 cluster, how can one create a service said above?

Thanks!
Pavan
Reply Report

Answer 3

fschuindtAtFoxBox January 27, 2019

DO support replied me:

Kubernetes clusters use their own overlay network so it wouldn’t be possible to connect other Droplets to the cluster; you would have to expose a service on the cluster, through a Load Balancer typically, to be able to access the service from outside the cluster.

So I think that answers the question.

Reply Report

jeddevs January 31, 2019

Did you manage to resolve this after that ticket?
I’m looking to do the same (connect a small scaled cluster to a seperate droplet hosting db) and running into seemingly the same issues.
Reply Report
- christopher62c9ede67339760 August 27, 2019
  
  For what it’s worth, here’s a solution to making your stuff connect through the internal network.
  
  Create a service of type NodePort that exposes what you’d like to expose – Note that this will expose the port on every IP address of the node itself (including public traffic), so you’ll have to update the firewall rules to block traffic that’s not coming from the internal network (10.0.0.0/8, 172.16.0.0/20, 192.168.0.0/16).
  
  Remember that NodePorts have to be above 30000.
  
  If you log on to one of your droplets, you should be able to access the exposed service on the port. If you’re running a single instance, then you may have to figure out which node it’s running on (use kubectl describe <podname> to get the node’s internal IP). At this point, depending on what the service is, you can choose to set it up as a daemon set, or some of the sort, if it’s appropriate.
  
  In theory, you could setup a box within the cluster to act as an SSH proxy, and port forward accordingly, as if you were in the network, all the time. This approach for exposing microservices or APIs within the cluster, to the rest of your private network.
  
  Hope that helps.
  
  Reply Report

Answer 4

jeddevs January 31, 2019

Did you manage to resolve this after that ticket?
I’m looking to do the same (connect a small scaled cluster to a seperate droplet hosting db) and running into seemingly the same issues.
Reply Report
- christopher62c9ede67339760 August 27, 2019
  
  For what it’s worth, here’s a solution to making your stuff connect through the internal network.
  
  Create a service of type NodePort that exposes what you’d like to expose – Note that this will expose the port on every IP address of the node itself (including public traffic), so you’ll have to update the firewall rules to block traffic that’s not coming from the internal network (10.0.0.0/8, 172.16.0.0/20, 192.168.0.0/16).
  
  Remember that NodePorts have to be above 30000.
  
  If you log on to one of your droplets, you should be able to access the exposed service on the port. If you’re running a single instance, then you may have to figure out which node it’s running on (use kubectl describe <podname> to get the node’s internal IP). At this point, depending on what the service is, you can choose to set it up as a daemon set, or some of the sort, if it’s appropriate.
  
  In theory, you could setup a box within the cluster to act as an SSH proxy, and port forward accordingly, as if you were in the network, all the time. This approach for exposing microservices or APIs within the cluster, to the rest of your private network.
  
  Hope that helps.
  
  Reply Report

Related

Question

Is possible to connect a DO K8s cluster with a DO Droplet private network?

Leave a comment

Looking for something else?

Share

Share your Question

Related

Question

Is possible to connect a DO K8s cluster with a DO Droplet private network?

Leave a comment

Related

question

Why are snapshots so slow

question

What locations are available for working at DigitalOcean

question

Why is my droplet stuck at "creating"? it has been hours now :(

question

Why the vast differences in upload and download speeds?

Looking for something else?

Almost there!