google-kubernetes-engine

KONG ingress in GKE with private IP


When I try to create kong ingress controller in GKE its actually creating public-facing layer 4 tcp load balancer, is there any way we can block the external IP and use private IP


Solution

  • Answering the question:

    How can I create an Ingress resource, used by the Kong Ingress Controller, that is available only through a private/internal IP in a GKE cluster?

    You can do it by following the steps below:

    A side note!

    Ingress controllers like nginx-ingress, kong, etc. use a Service of type LoadBalancer (Layer 4) for incoming traffic.


    Modify and apply the Kong Ingress controller manifest

    Kong github page:

    As stated previously, you will need to download, modify and apply the Kong Ingress controller manifest. By default your controller will be exposed to external sources, but you can change this behavior by adding the following annotation (to the Service of type LoadBalancer in your downloaded manifest):

    You will need to edit the Service like below:

    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        networking.gke.io/load-balancer-type: "Internal" # <-- IMPORTANT, ADD THIS
      name: kong-proxy
      namespace: kong
    spec:
      ports:
      - name: proxy
        port: 80
        protocol: TCP
        targetPort: 8000
      - name: proxy-ssl
        port: 443
        protocol: TCP
        targetPort: 8443
      selector:
        app: ingress-kong
      type: LoadBalancer
    
    

    After applying the modified YAML manifest, the Service responsible for incoming traffic should look like below:

    NAME                      TYPE           CLUSTER-IP   EXTERNAL-IP   PORT(S)                      AGE
    kong-proxy                LoadBalancer   10.8.5.66    10.156.0.92   80:32764/TCP,443:32002/TCP   14m
    kong-validation-webhook   ClusterIP      10.8.6.32    <none>        443/TCP                      14m
    

    As you can see, the External IP of your kong-proxy is within the CIDR of your GKE nodes. You will need to send requests to this particular address from within the subnet.


    Create and apply Ingress resource that will be used by Kong

    To check if your newly created Ingress controller is behaving correctly, you can use the example below:

    The Ingress resource YAML manifest for this example is as follows:

    # networking.k8s.io/v1 is the current Ingress API; the original extensions/v1beta1
    # form (with serviceName/servicePort) was removed in Kubernetes 1.22.
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: kong-ingress
      annotations:
        kubernetes.io/ingress.class: "kong" # <-- IMPORTANT, ADD THIS (spec.ingressClassName: kong is the newer equivalent)
    spec:
      rules:
      # no host: match every hostname, so a request to the internal IP works
      - http:
          paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nginx   # the backend Service this example routes to
                port:
                  number: 80
    

    ingress.class is used to tell your Kubernetes cluster which Ingress controller should handle this resource.

    After applying the above resource, you should be able to see it by invoking:

    NAME           CLASS    HOSTS   ADDRESS       PORTS   AGE
    kong-ingress   <none>   *       10.156.0.92   80      16m
    

    As you can see, your kong-ingress is available on the same internal IP as the Service of type LoadBalancer.

    You can use another VM within the subnet to check if it's working by running:

    The NGINX welcome page should be seen.


    Additional resources:
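As an added example (not part of the original answer or of the Kong project), the following script verifies the result of the procedure above: that the kong-proxy Service really is an internal load balancer and has not been handed a public address. It reads the JSON that `kubectl get svc -n kong kong-proxy -o json` prints and flags a missing or wrong load-balancer-type annotation and any non-RFC 1918 address in the Service status. The two Service objects embedded in it are constructed samples shaped like kubectl's output, not real cluster data; the script name and the choice of RFC 1918 as "private" are assumptions.

```python
"""Check that the Kong proxy Service in GKE is an internal (private-IP) load balancer.

Usage (hypothetical file name):
    kubectl get svc -n kong kong-proxy -o json | python3 check_internal_lb.py
Exits non-zero and lists the problems if the Service would be (or is) publicly exposed.
"""
import ipaddress
import json
import sys

# Annotations GKE honours for an internal TCP/UDP load balancer: networking.gke.io/...
# is the current form, cloud.google.com/... the legacy one (still accepted).
INTERNAL_LB_ANNOTATIONS = (
    "networking.gke.io/load-balancer-type",
    "cloud.google.com/load-balancer-type",
)

# Assumption: an internal LB address is expected to come from an RFC 1918 subnet range.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private_ip(ip):
    """True if ip parses and falls inside one of the RFC 1918 ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETS)


def check_service(svc):
    """Return a list of problems; an empty list means the Service is an internal LoadBalancer."""
    problems = []
    meta = svc.get("metadata", {})
    spec = svc.get("spec", {})
    annotations = meta.get("annotations") or {}
    name = "{}/{}".format(meta.get("namespace", "default"), meta.get("name", "?"))

    if spec.get("type") != "LoadBalancer":
        problems.append("{}: spec.type is {!r}, expected LoadBalancer".format(name, spec.get("type")))

    lb_type = next((annotations[k] for k in INTERNAL_LB_ANNOTATIONS if k in annotations), None)
    if lb_type is None:
        problems.append("{}: missing {}: Internal annotation, GKE will allocate a public IP"
                        .format(name, INTERNAL_LB_ANNOTATIONS[0]))
    elif str(lb_type).lower() != "internal":
        problems.append("{}: load-balancer-type annotation is {!r}, expected Internal".format(name, lb_type))

    # Once GKE has reconciled the Service, the allocated address shows up in status;
    # check it is actually private rather than trusting the annotation alone.
    for entry in (svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []):
        ip = entry.get("ip")
        if ip and not is_private_ip(ip):
            problems.append("{}: load balancer address {} is not a private address".format(name, ip))
    return problems


# Constructed samples shaped like `kubectl get svc -o json` output (not real cluster data).
PUBLIC_KONG_PROXY = {
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "kong-proxy", "namespace": "kong"},          # no annotation at all
    "spec": {"type": "LoadBalancer", "selector": {"app": "ingress-kong"},
             "ports": [{"name": "proxy", "port": 80, "protocol": "TCP", "targetPort": 8000}]},
    "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}},  # public address
}

INTERNAL_KONG_PROXY = {
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "kong-proxy", "namespace": "kong",
                 "annotations": {"networking.gke.io/load-balancer-type": "Internal"}},
    "spec": {"type": "LoadBalancer", "selector": {"app": "ingress-kong"},
             "ports": [{"name": "proxy", "port": 80, "protocol": "TCP", "targetPort": 8000},
                       {"name": "proxy-ssl", "port": 443, "protocol": "TCP", "targetPort": 8443}]},
    "status": {"loadBalancer": {"ingress": [{"ip": "10.156.0.92"}]}},  # address inside the VPC subnet
}


def main():
    svc = json.load(sys.stdin)
    problems = check_service(svc)
    for problem in problems:
        print(problem, file=sys.stderr)
    sys.exit(1 if problems else 0)


if __name__ == "__main__":
    main()
```

Running it against the public sample reports both the missing annotation and the public address; the internal sample passes cleanly. Because the script checks the status field as well as the annotation, it also catches the case where the annotation was added after the Service was first created and GKE has not yet replaced the external forwarding rule.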