How do I secure traffic between my Kubernetes deployment and my Postgres cluster?
I want to have a Postgres cluster created using the Marketplace or Terraform (preferably Terraform), but I can't see any way to restrict network traffic for all instances in a node pool. I want to use auto scaling, but want all of the nodes for the Postgres cluster to only be reachable by the other cluster. I'm fine with both of these deployments being in the same data center.
1 Reply
You have a few points in your question, so I'll do my best to address each one.
"I want to have a Postgres cluster created using the Marketplace or Terraform (preferably Terraform)…"
You can use Terraform to create a PostgreSQL cluster from the Marketplace. Here's the config file I used:
    terraform {
      required_providers {
        linode = {
          source  = "linode/linode"
          version = "2.5.2"
        }
      }
    }

    provider "linode" {
      token = "$api-token"
    }

    # One instance that runs the Marketplace PostgreSQL cluster StackScript
    resource "linode_instance" "postgres-test" {
      label           = "postgres-test"
      image           = "linode/ubuntu22.04"
      region          = "us-east"
      type            = "g6-standard-1"
      authorized_keys = ["$your-SSH-key"]
      root_pass       = "$your-password"
      stackscript_id  = 1068726

      # Values the StackScript prompts for when deployed from the Marketplace
      stackscript_data = {
        token_password = "$api-token"
        cluster_name   = "postgres-test"
        sudo_username  = "tlambert"
        add_ssh_keys   = "yes"
        cluster_size   = "3"
      }
    }
You should be able to pretty much copy/paste this, but you'll want to input your own parameters.
"I can't see any way to restrict network traffic for all instances in a node pool."
There are a few different ways you can control network traffic for your PostgreSQL cluster. The first one is to manually log in to each node and configure a firewall from within the node using a service like UFW.
Alternatively, this guide titled Deploy Secure Linodes using Cloud Firewalls and Terraform offers instructions for deploying secure Linodes using Cloud Firewalls. You will need to understand how Terraform Modules work to complete this setup.
You could even create the PostgreSQL cluster in a VPC and add an additional instance as a NAT gateway to control traffic.
"I want to use auto scaling, but want all of the nodes for the Postgres cluster to only be reachable by the other cluster."
Correct me if I'm wrong, but I believe what you're saying here is that you want your Kubernetes cluster to connect to your PostgreSQL cluster and you want to limit traffic to your database cluster. If that's the case, you can do this using Calico network policies to control your Kubernetes cluster's egress and ingress. This tutorial walks you through adding different kinds of NetworkPolicies to your cluster.
Additionally, you can add a GlobalNetworkPolicy resource which applies to workload endpoint resources in all namespaces as well as host endpoint resources. This guide has a tutorial that shows how to use the network policy to protect your Kubernetes nodes with the help of automatic host endpoints.
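The reply above points at two controls without showing them side by side: a Cloud Firewall in front of the database nodes, and a network policy inside the Kubernetes cluster. The following Terraform is an added example written for this thread; it is not code from the original poster, the reply author, or Linode. It assumes the `linode_firewall` and `kubernetes_network_policy_v1` resources from the `linode/linode` and `hashicorp/kubernetes` providers, a kubeconfig for the LKE cluster already present at `~/.kube/config`, and an application workload labelled `app=api` in the `default` namespace. All IP addresses, the Linode ID and the labels are constructed placeholders to replace with your own values.

```hcl
# Added example (not from the original thread): a Cloud Firewall that lets only
# the Kubernetes worker nodes reach the PostgreSQL port, plus a standard
# Kubernetes NetworkPolicy (which Calico enforces) that lets only the app pods
# open connections to the database. All addresses and IDs below are constructed.

terraform {
  required_providers {
    linode     = { source = "linode/linode", version = "2.5.2" }
    kubernetes = { source = "hashicorp/kubernetes", version = "~> 2.23" }
  }
}

provider "linode" {
  token = var.linode_token
}

# Assumes a kubeconfig for the LKE cluster is already present locally.
provider "kubernetes" {
  config_path = "~/.kube/config"
}

variable "linode_token" {
  type      = string
  sensitive = true
}

# Public IPv4 addresses of the LKE worker nodes, as /32s (constructed values).
# Pod traffic leaving the cluster is source-NATed to these node addresses.
variable "lke_node_ips" {
  type    = list(string)
  default = ["192.0.2.10/32", "192.0.2.11/32", "192.0.2.12/32"]
}

# Addresses of the PostgreSQL cluster members themselves, so replication
# between them keeps working once the default inbound policy becomes DROP.
variable "db_node_ips" {
  type    = list(string)
  default = ["198.51.100.20/32", "198.51.100.21/32", "198.51.100.22/32"]
}

# Linode IDs of every database node. Nodes created outside Terraform (for
# example by the Marketplace StackScript) must be listed here by ID.
variable "db_node_ids" {
  type    = list(number)
  default = [12345678] # constructed placeholder ID
}

resource "linode_firewall" "postgres" {
  label = "postgres-db-only"

  # Default-deny inbound; only the rules below open anything.
  inbound_policy  = "DROP"
  outbound_policy = "ACCEPT"

  inbound {
    label    = "postgres-from-lke-nodes"
    action   = "ACCEPT"
    protocol = "TCP"
    ports    = "5432"
    ipv4     = var.lke_node_ips
  }

  inbound {
    label    = "postgres-replication-between-members"
    action   = "ACCEPT"
    protocol = "TCP"
    ports    = "5432"
    ipv4     = var.db_node_ips
  }

  linodes = var.db_node_ids
}

# Pods labelled app=api may open TCP/5432 to the database nodes and resolve
# names via kube-dns; with policy_types = ["Egress"], nothing else leaves them.
resource "kubernetes_network_policy_v1" "api_egress" {
  metadata {
    name      = "api-egress-postgres-only"
    namespace = "default"
  }

  spec {
    pod_selector {
      match_labels = { app = "api" }
    }
    policy_types = ["Egress"]

    egress {
      ports {
        port     = "5432"
        protocol = "TCP"
      }
      dynamic "to" {
        for_each = var.db_node_ips
        content {
          ip_block { cidr = to.value }
        }
      }
    }

    # Without this rule the pods could no longer resolve the database hostname.
    egress {
      ports {
        port     = "53"
        protocol = "UDP"
      }
      ports {
        port     = "53"
        protocol = "TCP"
      }
      to {
        namespace_selector {
          match_labels = { "kubernetes.io/metadata.name" = "kube-system" }
        }
      }
    }
  }
}
```

The two layers check different things: the Cloud Firewall decides which hosts may reach port 5432 at all, while the NetworkPolicy decides which pods inside the cluster may initiate that connection, so a compromised pod without the `app=api` label gets no route to the database even though its node's address is on the allow list. Because the firewall matches on node addresses, autoscaling adds nodes whose addresses are not yet in `lke_node_ips`; re-apply with the new node list, or carry the pool's addresses in a data source rather than a static default.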