saravanan.chinnachamy_185977 asked (edited by Erick Ramirez)

How do I access the management API service from outside the Kubernetes cluster?

I see that installing cass-operator and CassandraDatacenter also installs “datastax/management-api-for-apache-cassandra” container Sidecar by default. Followed the 2 links below.

I can access the pod (Cassandra cluster) and use the api.

But I cannot seem to use the API from outside the cluster. Also, I cannot list the API service with “kubectl get svc -n cass-operator” to forward it outside. Are there some steps to call the API from outside the cluster?


bradfordcp commented:

The Management API for Apache Cassandra runs in the same container as C*. If you run a `busybox` container in your k8s cluster can you access the management API via cURL calls? If mutual TLS is not enabled you should be able to communicate with the API fairly easily (again from inside the k8s cluster). External access to the management API is possible with something like an ingress, but we don't automate the creation of associated services or ingress routes at this time.

Could you describe what you are trying to do with the management API external to the k8s cluster? I'd like to provide guidance that is better tailored to what you're trying to accomplish.

saravanan.chinnachamy_185977 commented (in reply to bradfordcp):

Thanks Brad for the details. I was able to access the API via curl calls like

root@cluster1-dc1-default-sts-0:/# curl http://localhost:8080/api/v0/metadata/versions/release
root@cluster1-dc1-default-sts-0:/# curl http://localhost:8080/api/v0/probes/cluster?consistency_level='ONE'

I am trying to see if we can manage some cluster operations like compaction, flush, etc. (all operations exposed by the REST API) from outside.


1 Answer

bradfordcp answered:

Warning: Exposing the management API outside of the cluster without some sort of authentication (like mTLS) is dangerous. A bad actor could potentially mount a denial of service against nodes with a very simple HTTP script.

This is a tricky question as Kubernetes prefers to expose resources in the form of services backed by multiple pods. If a pod goes down it is taken out of rotation and users are none the wiser. Unfortunately, we are trying to route to a specific pod within the cluster as sending management API requests to a random load balancer tends to defeat the purpose.

You have two main options here. With the first, a service must be created per pod where traffic is accessible externally (either via a service type of node port or load balancer). The second involves an ingress which routes to the appropriate pod based on the request's hostname. This is a little more nuanced though, as you will most likely still have to create a service per pod, unless your ingress supports host selection (see the Voyager docs).

My preference would be to leverage an ingress that allows for routing to specific pods to keep from having to manage so many services. Again it is worth calling out the warning at the top of this answer as care must be taken when exposing the management API externally. It's just like exposing nodetool / JMX access externally without precautions in place.
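The two options from the answer above, written out as manifests. This is an added example, not cass-operator's own output or anything from the answer: the pod name, namespace and port 8080 come from the thread, while the Service/Ingress names, the hostname and the TLS secret name are assumed. The per-pod pinning relies on the `statefulset.kubernetes.io/pod-name` label that the StatefulSet controller puts on every pod it creates.

```yaml
# Option 1: one Service per Cassandra pod. Selecting on the pod-name label
# pins this Service to exactly one pod (the pod named in the thread).
apiVersion: v1
kind: Service
metadata:
  name: cluster1-dc1-default-sts-0-mgmt   # assumed name
  namespace: cass-operator
spec:
  type: ClusterIP                         # NodePort/LoadBalancer skips the Ingress below
  selector:
    statefulset.kubernetes.io/pod-name: cluster1-dc1-default-sts-0
  ports:
    - name: mgmt-api
      port: 8080
      targetPort: 8080
---
# Option 2: an Ingress that routes by request hostname to the per-pod Service.
# Repeat the rule (and the Service above) for every pod that must be reachable.
# TLS is terminated here; client authentication (mTLS) is added through your
# ingress controller's own settings, which differ per controller.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cassandra-mgmt-api                # assumed name
  namespace: cass-operator
spec:
  tls:
    - hosts:
        - sts-0.mgmt.example.com          # assumed hostname
      secretName: mgmt-api-tls            # placeholder secret holding the server cert
  rules:
    - host: sts-0.mgmt.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: cluster1-dc1-default-sts-0-mgmt
                port:
                  number: 8080
```

After `kubectl apply -f` of both objects, the same call shown in the comments works from outside, e.g. `curl https://sts-0.mgmt.example.com/api/v0/metadata/versions/release`, and it lands on that one pod rather than a load-balanced member of the datacenter.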
