GCE + K8S - Accessing referral IP address - kubernetes

With a standard Kubernetes deployment on Google Container Engine, including services configured with the Kubernetes load balancer settings which create network load balancers, is it possible to access the user's (or referring) IP address in an application? In the case of PHP, checking common headers in the $_SERVER superglobal only results in the server and internal network addresses being available.

Not yet. Services go through kube-proxy, which answers the client connection and proxies through to the backend (your PHP server). The address that you'd see would be the IP of whichever kube-proxy the connection went through.
Work has been done, and a tracking issue is still open to switch over to an iptables-only proxy. That would allow your PHP server to get the actual client IP.

Related

Is possible to secure communication between Google App Engine and Google Compute Engine?

I deployed an app with nodejs on Google App Engine and mongodb on Compute Engine.
Without security rules, GAE can successfully connect to mongodb, but when I set a security rule which allows access to port 27017 of the VM from the App Engine service account, I get a request timeout, so mongodb is not reachable.
As it is not possible to set a static IP for GAE, is there another solution for securing mongodb on Compute Engine?
Check the priority of firewall allow rule and deny rule. Lower numbers have higher priorities. Be sure that the allow firewall rule has a higher priority than other rules that might deny traffic.
Yes, at the moment you're not able to set a static external IP on your GAE application.
There's a possible workaround for GAE Flex to solve your issue:
reserve an external static IP
create f1-micro VM instance with reserved external IP address (this likely fits in the Compute Engine free tier)
create a firewall rule to allow connection to MongoDB server from reserved external IP
create a SOCKS proxy by running an ssh client that routes the traffic through the created VM, similar to this example
configure nodejs application to use SOCKS Proxy
connect to MongoDB server
UPDATE
Also, if your application can run over an HTTP proxy, you can use a Squid proxy installed on this VM instead of a SOCKS proxy.

Allow load balanced instances to connect single compute instance postgresql server

I am looking for a GCP networking best practice for allowing auto-scaled instances to connect to a PostgreSQL server installed on a separate instance.
So far I tried whitelisting the load-balancer IP in the firewall and the postgresql config file, but failed.
Any help or pointer is highly appreciated.
The load-balancer doesn't process information by itself, it just redirects frontend address(es) and manages the requests with instance groups.
That instance group should manage the HTTP requests and connect with the database instance.
The load-balancer is used to dynamically distribute (or even create additional instances) to handle the requests over the same Frontend address.
--
So first you should make it work with a regular instance, configure it and save the instance template. Then you can proceed with creating an instance group that can be managed by a load-balancer.
EDIT - Extended the answer from my comment
"I don't think your problem is related to Google cloud platform now. If you have a known IP address for the PostgreSQL server (connect using an internal network IP address so it doesn't change), then make sure your auto-balanced instances are in the same internal network, use db's internal IP and connect to it."

Access external IP address from service

Is it possible to get the external IP address for a POD? It doesn't appear to be populating in the environment variables for a service, so I was wondering if there was another way to get that information.
Basically: I'm setting up a proftpd service, and it needs to send out its external ip as well as a port for passive communication. Right now, it's sending the local IP address which is causing FTP clients to fail.
The Kubernetes service discovery mechanism (DNS or environment variable) doesn't populate the external IP.
One way to work around is to create a static IP first, then assign it to your service.
Or you can exec kubectl inside your cluster to get the external IP but that's nasty.
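As an added example serving both the client-IP question at the top of the page and this proftpd question (it is not code from either answer), here is a Service plus Deployment using current Kubernetes fields: `externalTrafficPolicy: Local` makes kube-proxy deliver the connection without SNAT, so the pod sees the real client source address, and `loadBalancerIP` pins the Service to a regional static IP reserved in advance. The address 203.0.113.10, the image name and the `PROFTPD_*` environment variables are placeholders and assumptions about the container's own entrypoint.

```yaml
apiVersion: v1
kind: Service
metadata:
  name: ftp
spec:
  type: LoadBalancer
  # Reserved static address (placeholder), so the value handed to proftpd
  # below stays stable across Service re-creation.
  loadBalancerIP: 203.0.113.10
  # Local: kube-proxy only forwards to pods on the node that received the
  # packet and does not rewrite the source, so the pod sees the client IP.
  externalTrafficPolicy: Local
  selector:
    app: ftp
  ports:
    - name: control
      port: 21
      targetPort: 21
    - name: pasv-1
      port: 30000
      targetPort: 30000
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ftp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ftp
  template:
    metadata:
      labels:
        app: ftp
    spec:
      containers:
        - name: proftpd
          image: example.invalid/proftpd:latest   # placeholder image
          env:
            # Hypothetical variables: the entrypoint is assumed to write
            # MasqueradeAddress / PassivePorts into proftpd.conf from them,
            # so PASV replies advertise the external address, not the pod IP.
            - name: PROFTPD_MASQUERADE_ADDRESS
              value: "203.0.113.10"
            - name: PROFTPD_PASSIVE_PORTS
              value: "30000 30000"
```

With `Local`, nodes that run no matching pod fail the load balancer health check and receive no traffic, and load is no longer spread evenly across nodes; that is the price of keeping the source address intact.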

Outbound HTTP request from bluemix runtime

Can a NodeJS application running on Bluemix make outside HTTP requests? What address does the receiving end see? There is a proxy that stops traffic from unknown servers on the other end, so we need to declare the origin IP. What is it for Bluemix?
Any application running on IBM Bluemix can make outgoing HTTP requests (or any other outgoing TCP/UDP request).
Outgoing requests will come from the IP address of the DEA running the container with this application instance. If you have multiple instances, requests can come from any of these instances.
For details on the environment variables exposing these parameters, see this page:
http://docs.run.pivotal.io/devguide/deploy-apps/environment-variable.html
Yes, a NodeJS application running on Bluemix can make outgoing requests.
The receiving end will see the IP address of the Bluemix gateway rather than the IP address of the DEA running the container. You can work out what the IP address is by doing an nslookup of the app URL, but the IP address(es) used is/are not currently documented so could change.

Can I force Eureka registrations to use an ip address instead of a hostname?

I have a standalone, embedded Eureka server powered by Spring Boot 1.2.0.RELEASE and Spring Cloud 1.0.0.RC1. I see services properly registering themselves in the dashboard, which is great. The status links are using the host name of the box they are running on. Unfortunately, we are using virtual machines and they don't register themselves in DNS, which means that the links are unresolvable. I started looking through the code but was unable to find a way to force the links to use the host's IP address instead. Having a broken dashboard is not the end of the world, but I am afraid that once we start using Ribbon or Feign to contact services, those URLs will also use the host name and be unresolvable. Maybe what I am really asking is: is there a way to force the clients to register with an IP address instead of a host name? Any help is appreciated.
set eureka.instance.preferIpAddress=true as documented here