0
votes

I have a requirement to run multiple hiveservers as pods on a Kubernetes cluster, each serving users belonging to different AD groups. These hiveservers need to be exposed outside of the Kubernetes cluster, but each hiveserver cannot be exposed as a different service. Ideally I would like to have a reverse proxy implemented using an ingress controller with an ingress defined for each hiveserver, as the servers could be dynamically created and destroyed.

I see that the nginx ingress controller can be used for HTTP, but I don't see a way to make this work as a reverse proxy for Thrift-based hiveservers. I also had a look at Knox, but that seems to support HTTP transport only.

Is there a known way to have ingress controller setup as reverse proxy to front end non-http end points like thrift hiveservers?

1
"Is there a known way to have ingress controller setup as reverse proxy to front end non-http end points like thrift hiveservers?" Not really, quote from the Ingress docs: "Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster." – BogdanL
You need to provide more details and the scenario. Will it be on cloud or a local env? What K8s version are you using? How do you want to secure it? Will you use only Kubernetes, Ingress and other software? – PjoterS
@PjoterS It is in a local env, running k8s version 1.17. Authentication will be taken care of at the hiveserver side. The use case doesn't require additional security layers. Hiveservers will be running as pods - exposing each of them as separate end points requires each user to know his specific hiveserver to connect. Instead I'm thinking of having a reverse proxy with some kind of script to query for AD group using username and redirect to the right hiveserver. – Girish R
hive.server2.transport.mode in hive-site.xml can be set to http to use the HTTP mode which sends Thrift RPC messages over HTTP transport. Does this not work for your case? – glapark

1 Answer

0
votes

You may try to use a service mesh, if this is an option for you.

In Istio such a use case (managing TCP traffic) can be achieved with the Istio ingress gateway, which will act as an entry point for the bunch of services inside your cluster (similar to K8s ingress but not limited to HTTP traffic). There is even built-in support for custom protocols like the Apache Thrift protocol, which allows you to use features like rate limiting.
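
A sketch of the TCP routing the answer describes, added here as an example and not taken from the answer or from the Istio project: one Gateway opens a TCP port per hiveserver and a VirtualService forwards each port to its backend. The namespace, resource names, Service hostnames and the external port 10001 are assumptions; 10000 is HiveServer2's default Thrift port.

```yaml
# Added example. All names, the namespace and port 10001 are assumptions.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: hive-gateway
  namespace: hive
spec:
  selector:
    istio: ingressgateway        # label on Istio's default ingress gateway pods
  servers:
  - port:
      number: 10000              # external port for AD group A's hiveserver
      name: tcp-hive-group-a
      protocol: TCP              # opaque TCP: the gateway does not parse Thrift
    hosts:
    - "*"
  - port:
      number: 10001              # external port for AD group B's hiveserver
      name: tcp-hive-group-b
      protocol: TCP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: hive-tcp-routes
  namespace: hive
spec:
  hosts:
  - "*"
  gateways:
  - hive-gateway
  tcp:
  - match:
    - port: 10000                # traffic arriving on gateway port 10000
    route:
    - destination:
        host: hiveserver-group-a.hive.svc.cluster.local
        port:
          number: 10000          # HiveServer2 default Thrift port
  - match:
    - port: 10001                # traffic arriving on gateway port 10001
    route:
    - destination:
        host: hiveserver-group-b.hive.svc.cluster.local
        port:
          number: 10000
```

The ingress gateway's own Service also has to expose ports 10000 and 10001 for these listeners to be reachable. A plain TCP route sees only the destination port, not the username, so it separates hiveservers by port and leaves authentication and AD group enforcement to each hiveserver.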