Hi all
I have a newly created K8s cluster, which I want to use to publish micro-services for other droplets in my DO account.
I want to expose the K8s service using a load balancer, but only privately to my other DO droplets, and disable all public traffic.

Right now I cannot do that: there is no way to assign a private IP only to a DO LB,
and there is no way to apply a firewall to the DO LB to restrict public IP traffic.
Please advise if it's doable and how to do it.

I asked DO support but there currently is no safe way of doing this.

However, DO is “… working on doing something like this with Cloud Firewalls.”

Fingers crossed!!!

Greetings!

Thank you for asking this question here. This is not currently possible as our load balancers are always exposed to the internet. Of course, you can create your own load balancers according to your own rules, just the ones that we provide “as a service” do not currently function this way.

Jarland

  • @elmeligy - I have exactly the same question but I don't find Jarland's answer helpful.

    Try the current workaround, which is as follows:

    kubectl apply -f redis.yaml
    kubectl describe nodes | grep ExternalIP

    Now the redis service can be accessed from another droplet (in the same region) using the ExternalIP address (same as the private IP of any cluster node) and nodePort (e.g. 32000) as follows:

    redis-cli -h ExternalIP -p 32000 ping

    CAUTION: ExternalIP address may change when node pool is resized or nodes are recycled

    # redis.yaml
    ---
    kind: Service
    apiVersion: v1
    metadata:
      name: redis
    spec:
      type: NodePort
      selector:
        app: redis
      ports:
        - name: redis
          port: 6379
          targetPort: 6379
          nodePort: 32000
    ---
    apiVersion: v1
    kind: Pod
    metadata:
      name: redis
      labels:
        app: redis
    spec:
      containers:
      - name: redis
        image: redis:5-alpine
        ports:
        - containerPort: 6379
    
    • CORRECTION: it should be InternalIP, NOT ExternalIP.

      Try the current workaround, which is as follows:

      kubectl apply -f redis.yaml
      kubectl describe nodes | grep InternalIP

      Now the redis service can be accessed from another droplet (in the same region) using the InternalIP address (same as the private IP of any cluster node) and nodePort (e.g. 32000) as follows:

      redis-cli -h InternalIP -p 32000 ping

      CAUTION: InternalIP address may change when node pool is resized or nodes are recycled

      # redis.yaml
      ---
      kind: Service
      apiVersion: v1
      metadata:
        name: redis
      spec:
        type: NodePort
        selector:
          app: redis
        ports:
          - name: redis
            port: 6379
            targetPort: 6379
            nodePort: 32000
      ---
      apiVersion: v1
      kind: Pod
      metadata:
        name: redis
        labels:
          app: redis
      spec:
        containers:
        - name: redis
          image: redis:5-alpine
          ports:
          - containerPort: 6379
      
      
      • I'm using VPC and NodePort services to access K8S cluster applications from my Droplets, but how are we supposed to deal with IPs or ports dynamically changing? It seems that it is just tough luck if it does. I find the lack of an internal load balancer solution quite frustrating... some guidance on setting something up would be great! If not, I really think it should be possible to have a managed load balancer service that only gets assigned a VPC IP.
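As an added example (not code from any of the commenters or from DigitalOcean), the InternalIP-only workaround above and the "IPs change on resize" concern can be combined into a small resolver that a client droplet runs before each connection: it reads `kubectl get nodes -o json`, keeps only Ready nodes, takes their InternalIP (never ExternalIP) and pairs it with the nodePort from redis.yaml. The node JSON below is a constructed sample; the `fetch_nodes_from_kubectl` helper and the 10.116.0.0/20 addresses are assumptions for illustration.

```python
"""Resolve NodePort endpoints from the node list using only InternalIP (VPC)
addresses. Example code; assumes the JSON shape of `kubectl get nodes -o json`."""
import json
import subprocess
from typing import Callable

NODE_PORT = 32000  # the nodePort declared in redis.yaml above

# Constructed sample of `kubectl get nodes -o json`: two nodes, the second NotReady.
SAMPLE_NODES = json.loads("""
{"items": [
  {"metadata": {"name": "pool-a"},
   "status": {"addresses": [{"type": "InternalIP", "address": "10.116.0.2"},
                            {"type": "ExternalIP", "address": "203.0.113.10"}],
              "conditions": [{"type": "Ready", "status": "True"}]}},
  {"metadata": {"name": "pool-b"},
   "status": {"addresses": [{"type": "InternalIP", "address": "10.116.0.3"},
                            {"type": "ExternalIP", "address": "203.0.113.11"}],
              "conditions": [{"type": "Ready", "status": "False"}]}}
]}
""")


def node_is_ready(node: dict) -> bool:
    """True when the node reports the Ready condition as "True"."""
    conds = node.get("status", {}).get("conditions", [])
    return any(c.get("type") == "Ready" and c.get("status") == "True" for c in conds)


def internal_endpoints(nodes: dict, node_port: int = NODE_PORT) -> list:
    """Return "ip:port" for each Ready node's InternalIP; ExternalIP entries are skipped."""
    endpoints = []
    for node in nodes.get("items", []):
        if not node_is_ready(node):
            continue  # a draining/recycled node would only give connection errors
        for addr in node.get("status", {}).get("addresses", []):
            if addr.get("type") == "InternalIP":
                endpoints.append(f"{addr['address']}:{node_port}")
    return endpoints


def fetch_nodes_from_kubectl() -> dict:
    """Live fetch (assumed helper): call it before every connection, since node
    IPs change when the pool is resized or nodes are recycled."""
    out = subprocess.run(["kubectl", "get", "nodes", "-o", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def resolve(fetch: Callable[[], dict] = fetch_nodes_from_kubectl,
            node_port: int = NODE_PORT) -> list:
    """Current list of reachable private endpoints, e.g. for redis-cli -h IP -p PORT."""
    return internal_endpoints(fetch(), node_port)


if __name__ == "__main__":
    print(resolve())
```

Picking the InternalIP only controls which address the client uses; a NodePort is bound on every node address, so the port still needs a firewall rule on the worker nodes that limits it to VPC sources.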

Any updates on this one DO?
