Richard Devers

K8s / Nginx simple trick

The issue

I recently went through a simple yet interesting use case at my job.

For some reason, the network teams forbid developers' computers from accessing the MongoDB database directly.

Only the Kubernetes platform has network access to the managed database service.

Basically:
Image description

The solution

Looking at the previous drawing, you may see where this is going: developers can access the k8s cluster, and the k8s cluster can access the managed DB service ^^...

So... here is the plan:

Image description

So, let's deploy a simple nginx k8s service, configured to stream TCP connections from port 8080 to the desired ip:port. Then use a port-forward to redirect connections from the developer's computer to it.

Assuming your MongoDB listens on 100.101.102.103:27017:

---

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: mongodb-proxy
spec:
  podSelector:
    matchLabels:
      # Must match the pod labels set in the Deployment template below
      app.kubernetes.io/component: mongodb-proxy
  ingress:
    - {}
  egress:
    - {}
  policyTypes:
    - Ingress
    - Egress

---

apiVersion: v1
kind: ConfigMap
metadata:
  name: mongodb-proxy
data:
  nginx.conf: |
    worker_processes  auto;
    error_log  /var/log/nginx/error.log notice;
    pid        /tmp/nginx.pid;


    stream {
        server {
            listen  8080 so_keepalive=on;
            proxy_connect_timeout 2s;
            proxy_pass    stream_backend;
            proxy_timeout 10m;
        }
        upstream stream_backend {
          server 100.101.102.103:27017;
        }

    }

    events {
        worker_connections  1024;
    }

---

apiVersion: apps/v1
kind: Deployment
metadata:
  name: mongodb-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/component: "mongodb-proxy"
  template:
    metadata:
      labels:
        app.kubernetes.io/component: "mongodb-proxy"
    spec:
      serviceAccountName: default
      securityContext: {}
      containers:
        - name: mongodb-proxy
          volumeMounts:
            - name: mongodb-proxy
              mountPath: /etc/nginx
          securityContext:
            readOnlyRootFilesystem: false
            runAsGroup: 1000
            runAsNonRoot: true
            runAsUser: 1000
          image: "nginx/nginx-unprivileged"
          imagePullPolicy: Always
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
            # - name: https
            #   containerPort: 443
            #   protocol: TCP
          resources:
            limits:
              cpu: 500m
              memory: 512Mi
            requests:
              cpu: 250m
              memory: 256Mi
      volumes:
        - name: mongodb-proxy
          configMap:
            name: mongodb-proxy


First, deploy this k8s template.

Note that:

  • the nginx config file is set directly within the template and put into the container using a ConfigMap, thanks k8s.
  • the network policy is way too broad (too lazy to write it, sorry)
  • the nginx-unprivileged image was used because of some security restrictions on our k8s cluster.
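
A tighter version of the NetworkPolicy mentioned in the notes above, as an added example that is not part of the original post. It reuses the pod label and the 100.101.102.103:27017 endpoint from the template, and assumes that kubectl port-forward reaches the container over loopback inside the pod's network namespace, so no ingress rule is needed.

```yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: mongodb-proxy
spec:
  podSelector:
    matchLabels:
      # Must match the pod template labels of the mongodb-proxy Deployment.
      app.kubernetes.io/component: mongodb-proxy
  policyTypes:
    - Ingress
    - Egress
  # No ingress rules: other pods in the cluster cannot connect to the proxy
  # and use it as a path to the database.
  # Assumption: kubectl port-forward traffic arrives over loopback inside the
  # pod's network namespace and is therefore not filtered by this policy.
  ingress: []
  egress:
    # Only the MongoDB endpoint configured in the nginx upstream.
    # The upstream is an IP address, so no DNS egress rule is required;
    # a hostname upstream would also need egress to the cluster DNS.
    - to:
        - ipBlock:
            cidr: 100.101.102.103/32
      ports:
        - protocol: TCP
          port: 27017
```

If port-forward stops working with this policy on your CNI, add an ingress rule scoped to the node addresses rather than going back to `ingress: - {}`.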

Now I just have to create a port-forward between my computer and the mongodb-proxy.

It should be something like:

kubectl port-forward deployment/mongodb-proxy 8080:8080

(I didn't test it; I use k9s to do that for me.)

Now I can access my DB directly from my computer using localhost:8080.

Using Firefox, I got:
Image description

This solution is very easy to set up, can be adapted to lots of other backends, and fits in a single small Helm file.
