I've got my own microservice, and until now I've been exposing the service with type: NodePort along with the nginx-ingress Helm chart to my own public IP with HTTPS. I've noticed when running a linter on my microservice Helm chart that it's not safe (to use NodePort) and that I should be using ClusterIP; could someone explain why?
If your cluster is set up so that the worker nodes are directly accessible from outside the cluster, then anything you have set as a NodePort-type service will be accessible too. In particular, this means that http://any-node.k8s.example.com:32345/ could reach your back-end service, bypassing any controls that you've set up in the ingress layer. You generally don't want that.
A reasonable approach here (and probably what your linter is encouraging) is to use NodePort or LoadBalancer-type services only for your ingress service. Anything else should register itself with that ingress service (using a native Kubernetes Ingress object, or an Istio VirtualService, or ...) but have ClusterIP-type services for intra-cluster access.
          +------------+  NP   +---------+  CIP  +-------------+
     ---> | (any node) | ----> | ingress | ----> | application |
          +------------+       +---------+       +-------------+
                |_____________________________________^
                a NodePort application service would allow this path
                (bypassing the ingress)
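To make the change the linter is asking for concrete, here is an added example (not part of the question or the answer, and not the asker's chart): the NodePort Service the asker described, followed by the ClusterIP Service and Ingress object that replace it. The service name, hostname, ingress class, TLS secret name and port numbers are placeholders.

```yaml
# BEFORE: what the asker described. With type NodePort every worker node
# listens on nodePort 32345, so traffic can reach the pod directly,
# skipping TLS termination and any auth or rate limiting done by the ingress.
apiVersion: v1
kind: Service
metadata:
  name: my-microservice          # placeholder name
spec:
  type: NodePort
  selector:
    app: my-microservice
  ports:
    - port: 80
      targetPort: 8080
      nodePort: 32345            # port from the answer's example URL
---
# AFTER: the Service is reachable only on the cluster network ...
apiVersion: v1
kind: Service
metadata:
  name: my-microservice
spec:
  type: ClusterIP                # the default; written out for clarity
  selector:
    app: my-microservice
  ports:
    - port: 80
      targetPort: 8080
---
# ... and the ingress controller (the only NodePort/LoadBalancer service
# in the cluster) routes to it by hostname and terminates HTTPS.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-microservice
  annotations:
    # ingress-nginx annotation: redirect plain HTTP to HTTPS
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx        # placeholder ingress class
  tls:
    - hosts:
        - my-microservice.example.com   # placeholder hostname
      secretName: my-microservice-tls   # placeholder TLS secret
  rules:
    - host: my-microservice.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-microservice
                port:
                  number: 80
```

After applying the second and third documents (and deleting the first), `kubectl get svc --all-namespaces` should show NodePort or LoadBalancer in the TYPE column only for the ingress controller's own Service; every application Service should be ClusterIP.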