I am using Azure AKS and Application Gateway. (And I am new to Kubernetes.)
Is it possible to have a deployment/service that can only be called from other services within that cluster? But have a single endpoint exposed to the outside world?
E.g. I have API endpoints to CRUD a record, used by other services within the cluster and default namespace. None of these should be accessible from external calls.
BUT. There is a single GET request endpoint which is open to the public.
If this is possible, where would the config go? In the Kubernetes YAML or some ingress rule I have to manually manage within Azure?
Is there any documentation? I'm not even sure what to search for.
> BUT. There is a single GET request endpoint which is open to the public.
You can expose a specific path of the application to the external world using an ingress path. For example, the GET path is api/get/user/profiler; you can create an ingress like this:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
    # Extra nginx config for this host: refuse requests under /internal
    nginx.ingress.kubernetes.io/server-snippet: |2
      location /internal {
        deny all;
        return 403;
      }
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
  name: myapp
  namespace: default
spec:
  rules:
  - host: mydomain.example.com
    http:
      paths:
      # Only this path is routed from outside to the "app" service
      - backend:
          service:
            name: app
            port:
              number: 80
        path: /api/get/user
        pathType: Prefix
  tls:
  - hosts:
    - mydomain.example.com
    secretName: mydomain.example.tls
```
The client will be able to reach all paths having that prefix, like /api/get/user/profile/88, but if the path is static you can convert the nginx path type to Exact.
better-path-matching-with-path-types
Within the cluster, you can simply use servicename.namespace:service-port/api/getuser/profile and it should work inside the Kubernetes cluster.
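
Added example (not part of the answer above): a small Python model of the Ingress API's `Prefix` and `Exact` path matching, used to check which request paths the `/api/get/user` rule routes to the `app` service from outside. The sample request paths are constructed, the function names are hypothetical, and it assumes the ingress controller follows the Kubernetes API definition of `pathType`.

```python
# Added example: models Kubernetes Ingress pathType matching (Prefix / Exact).
# Assumption: the ingress controller follows the Ingress API definition.

def path_elements(path):
    """'/a/b/' -> ['a', 'b']; '/' -> []. A trailing slash is ignored."""
    return path.rstrip("/").split("/")[1:]

def matches(rule_path, path_type, request_path):
    """Return True if request_path is routed by an Ingress path rule."""
    request_path = request_path.split("?", 1)[0]  # query string is not matched
    if path_type == "Exact":
        # Case-sensitive, whole-path comparison; '/foo' does not match '/foo/'.
        return request_path == rule_path
    if path_type == "Prefix":
        # Element-wise prefix: '/api/get/user' does NOT match '/api/get/username'.
        rule, req = path_elements(rule_path), path_elements(request_path)
        return req[:len(rule)] == rule
    raise ValueError("ImplementationSpecific depends on the controller")

def exposed(rules, requests):
    """Request paths that at least one (path, pathType) rule routes externally."""
    return [r for r in requests if any(matches(p, t, r) for p, t in rules)]

# The rule from the Ingress in the answer.
RULE = ("/api/get/user", "Prefix")

# Constructed request paths; the CRUD-style ones are hypothetical.
SAMPLE_REQUESTS = [
    "/api/get/user/profile/88",
    "/api/get/user",
    "/api/get/username",
    "/api/update/user/88",
    "/internal/health",
]

if __name__ == "__main__":
    for path_type in ("Prefix", "Exact"):
        rules = [(RULE[0], path_type)]
        print(path_type, "->", exposed(rules, SAMPLE_REQUESTS))
```

Paths that no rule matches are not routed to `app` by this Ingress, so the same list can be extended with every internal route of the service to confirm none of them is covered by a published prefix.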