Synopsis
It is common that some of your Workloads connect to external services such as databases that run outside your Kubernetes Cluster. These external services are usually secured and deployed in a private subnet.
My team currently uses Google Kubernetes Engine, and we use GCP Memorystore (Redis as a Service) for caching. For us to access Memorystore securely, we would have to provision a VM that acts as a bastion host, but we found a better approach to deal with this.
Port-forwarding with TCP Proxy
All our services run in Kubernetes, and as much as possible we want to stick with the "kubectl everything" workflow when dealing with our services. Thanks to tecnativa/tcp-proxy, TCP proxying is really easy with Docker.
So basically, any external services that our Kubernetes Cluster can access can also be accessed locally by deploying this sucker.
WARNING: This can be a security flaw in your case, but not for us.
apiVersion: apps/v1  # extensions/v1beta1 no longer serves Deployments since Kubernetes 1.16
kind: Deployment
metadata:
  labels:
    app: redis-proxy
  name: redis-proxy
  namespace: default
spec:
  selector:
    matchLabels:
      app: redis-proxy
  template:
    metadata:
      labels:
        app: redis-proxy
    spec:
      containers:
        - image: tecnativa/tcp-proxy:latest
          imagePullPolicy: Always
          env:
            - name: LISTEN
              value: ":6379" # The listen address that it will be exposed to.
            - name: TALK
              value: "10.1.1.5:6379" # Private address of Memorystore.
          name: redis-proxy
          resources:
            requests:
              cpu: 10m
              memory: 10Mi # was "10m", which Kubernetes reads as milli-bytes
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      securityContext: {}
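With the tcp-proxy deployed, we can now just port-forward to the tcp-proxy Pod. Pods created by a Deployment get generated names, so point kubectl at the Deployment and let it pick the Pod. By default kubectl binds the local end to localhost only.
kubectl port-forward deployment/redis-proxy 6379:6379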
And access Memorystore locally using redis-cli.
redis-cli -p 6379
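An added example, not part of the original post: anyone who is allowed to port-forward to the redis-proxy Pod gets a path to Memorystore, so this Python reviews Kubernetes audit events for such requests and flags users outside an allowlist. It assumes native audit.k8s.io/v1 events as one JSON object per line (a managed cluster's log export may use a different envelope); the allowlist, user names, Pod names and log lines are constructed.

```python
import json

# Assumed: native Kubernetes audit Events (audit.k8s.io/v1), one JSON object per line.
NAMESPACE = "default"
POD_PREFIX = "redis-proxy-"            # Pods owned by the redis-proxy Deployment
ALLOWED_USERS = {"alice@example.com"}  # hypothetical allowlist

def _event(audit_id, stage, user, pod, subresource, code, ns=NAMESPACE):
    """Build one constructed audit line for the sample below."""
    return json.dumps({
        "auditID": audit_id, "stage": stage, "user": {"username": user},
        "objectRef": {"resource": "pods", "subresource": subresource,
                      "namespace": ns, "name": pod},
        "responseStatus": {"code": code},
    })

PROXY = "redis-proxy-7d9f-x2k4p"  # constructed Pod name
SAMPLE_LOG = [  # constructed sample, not real log data
    _event("a1", "ResponseStarted", "alice@example.com", PROXY, "portforward", 101),
    _event("a1", "ResponseComplete", "alice@example.com", PROXY, "portforward", 101),
    _event("b2", "ResponseStarted", "system:serviceaccount:ci:deployer", PROXY, "portforward", 101),
    _event("c3", "ResponseComplete", "bob@example.com", PROXY, "portforward", 403),
    _event("d4", "ResponseStarted", "bob@example.com", "web-5c6b-q8z1m", "portforward", 101),
    _event("e5", "ResponseStarted", "bob@example.com", PROXY, "exec", 101),
    '{"auditID": "f6", "stage": "Respon',  # truncated line
]

def proxy_portforwards(lines):
    """Return one record per port-forward request aimed at a redis-proxy Pod."""
    seen, hits = set(), []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        ref = (ev.get("objectRef") or {}) if isinstance(ev, dict) else {}
        target = (ref.get("resource"), ref.get("subresource"), ref.get("namespace"))
        if target != ("pods", "portforward", NAMESPACE):
            continue  # any verb counts; the match is on the subresource
        if not (ref.get("name") or "").startswith(POD_PREFIX) or ev.get("auditID") in seen:
            continue  # other Pod, or a later stage of a request already counted
        seen.add(ev.get("auditID"))
        user = (ev.get("user") or {}).get("username", "")
        hits.append({"user": user, "pod": ref["name"],
                     "status": (ev.get("responseStatus") or {}).get("code"),
                     "expected": user in ALLOWED_USERS})
    return hits

def unexpected(lines):
    """Port-forward requests (successful or denied) by users not on the allowlist."""
    return [h for h in proxy_portforwards(lines) if not h["expected"]]
```

A status of 101 means the stream was established; 403 is a denied attempt, which is still worth reviewing.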