saravanan.chinnachamy_185977 asked ·

How do I access the management API service from outside the Kubernetes cluster?

I see that installing cass-operator and CassandraDatacenter also installs the “datastax/management-api-for-apache-cassandra” container as a sidecar by default. I followed the 2 links below.

https://github.com/datastax/cass-operator
https://github.com/datastax/management-api-for-apache-cassandra

I can access the pod (Cassandra cluster) and use the api.

But I cannot seem to use the API from outside the cluster. Also, I cannot list the API service with “kubectl get svc -n cass-operator” to forward it outside. Are there some steps to call the API from outside the cluster?

2 comments

The Management API for Apache Cassandra runs in the same container as C*. If you run a `busybox` container in your k8s cluster can you access the management API via cURL calls? If mutual TLS is not enabled you should be able to communicate with the API fairly easily (again from inside the k8s cluster). External access to the management API is possible with something like an ingress, but we don't automate the creation of associated services or ingress routes at this time.


Could you describe what you are trying to do with the management API external to the k8s cluster? I'd like to provide guidance that is better tailored to what you're trying to accomplish.


Thanks Brad for the details. I was able to access API via curl calls like

root@cluster1-dc1-default-sts-0:/# curl http://localhost:8080/api/v0/metadata/versions/release
3.11.6
root@cluster1-dc1-default-sts-0:/# curl http://localhost:8080/api/v0/probes/cluster?consistency_level='ONE'

I am trying to see if we can manage some cluster operations like Compaction, Flush, etc. (all operations exposed by the REST API) from outside.


1 Answer

bradfordcp answered ·

Warning: Exposing the management API outside of the cluster without some sort of authentication (like mTLS) is dangerous. A bad actor could potentially Denial of Service nodes with a very simple HTTP script.


This is a tricky question as Kubernetes prefers to expose resources in the form of services backed by multiple pods. If a pod goes down it is taken out of rotation and users are none the wiser. Unfortunately, we are trying to route to a specific pod within the cluster as sending management API requests to a random load balancer tends to defeat the purpose.


You have two main options here. With the first, a service must be created per pod where traffic is accessible externally (either via a service type of node port or load balancer). The second involves an ingress which routes to the appropriate pod based on the request's hostname. This is a little more nuanced though as you will most likely have to still create a service per pod, unless your ingress supports host selection (see the Voyager docs).


My preference would be to leverage an ingress that allows for routing to specific pods to keep from having to manage so many services. Again it is worth calling out the warning at the top of this answer as care must be taken when exposing the management API externally. It's just like exposing nodetool / JMX access externally without precautions in place.

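The first option in the answer (one externally reachable service per pod), as an added example that is not from the thread or the cass-operator project: a shell function that emits a Service pinned to one pod through the `statefulset.kubernetes.io/pod-name` label and limited to a caller-supplied source range. The function name, the `-mgmt-api` service name suffix, the LoadBalancer type and the 203.0.113.0/24 range are assumptions; the pod name, namespace and port 8080 come from the commands in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): one Service per Cassandra pod, so
# management API requests reach a specific pod, not a load-balanced set.

# Print a Service manifest for one pod; return 1 on invalid or unsafe input.
mgmt_api_service() {
    ns=$1 pod=$2 cidr=$3

    # Namespace and pod name must look like DNS-1123 labels.
    for name in "$ns" "$pod"; do
        case $name in
            ''|-*|*-|*[!a-z0-9-]*) echo "invalid name: $name" >&2; return 1 ;;
        esac
    done

    # Require an explicit IPv4 source range and refuse a world-open one.
    case $cidr in
        0.0.0.0/*|*/0) echo "refusing open range: $cidr" >&2; return 1 ;;
        *[!0-9./]*|*/*/*) echo "invalid CIDR: $cidr" >&2; return 1 ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) ;;   # loose shape check only
        *) echo "invalid CIDR: $cidr" >&2; return 1 ;;
    esac

    # Port 8080 is the port used by the curl calls in the thread.
    cat <<EOF
apiVersion: v1
kind: Service
metadata:
  name: ${pod}-mgmt-api
  namespace: ${ns}
spec:
  type: LoadBalancer
  loadBalancerSourceRanges:
    - ${cidr}
  selector:
    statefulset.kubernetes.io/pod-name: ${pod}
  ports:
    - name: mgmt-api
      port: 8080
      targetPort: 8080
EOF
}

# Pod name and namespace as in the thread; the CIDR is a constructed value.
mgmt_api_service cass-operator cluster1-dc1-default-sts-0 203.0.113.0/24
```

Pipe the output to `kubectl apply -f -` once per pod. The source range only narrows who can connect; it does not replace authentication such as the mTLS the answer calls for.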