I have deployed a Cloud SQL proxy and a service attached to it in Kubernetes. Both the proxy and the service are listening on port 5432. Other pods are not able to establish a connection to the Cloud SQL database through the proxy, but when I port forward to the pod of the proxy or to the service, I am able to connect to the database without any issue from my localhost.
The Kubernetes cluster and the Cloud SQL instance are both private. I have checked the service and deployment labels, the service and pod network configuration, the firewall rules, and the network configuration, but I am still unable to resolve the issue.
All pods are in the same namespace, and the logs of the proxy show no error. When I run nc -v $service_name $port in other pods, it yields no error and shows no sign of malfunctioning; it doesn't even print that the connection was successful. The problem is that these pods are not able to establish a TCP connection to the service.
Here is an example of an error message:
Caused by: com.zaxxer.hikari.pool.HikariPool$PoolInitializationException: Failed to initialize pool: Connection to airbyte-db-svc:5432 refused. Check that the hostname and port are correct and that the postmaster is accepting TCP/IP connections.
If needed here is the manifest that deploys the service and the proxy:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: airbyte-db-svc
spec:
  type: ClusterIP
  ports:
    - port: 5432
      targetPort: 5432
      protocol: TCP
  selector:
    airbyte: db
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: airbyte-db-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      airbyte: db
  template:
    metadata:
      labels:
        airbyte: db
    spec:
      serviceAccountName: airbyte-admin
      containers:
        - name: cloud-sql-proxy
          image: gcr.io/cloudsql-docker/gce-proxy:latest
          command:
            - "/cloud_sql_proxy"
            - "-enable_iam_login"
            - "-ip_address_types=PRIVATE"
            - "-instances=PROJECT_ID_HERE:REGION_HERE:INSTANCE_CONNECTION_HERE=tcp:5432"
          ports:
            - containerPort: 5432
          securityContext:
            runAsNonRoot: true
```
The service account airbyte-admin has the 'Cloud SQL Client' role and Workload Identity configured in the GCP project.
What could be the problem and how can I fix it?
CodePudding user response:
CloudSQL Proxy listens on localhost by default. If you want to expose it via a service, you'll want to add --address 0.0.0.0 to your cloud_sql_proxy command options.
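As an added check that is not part of the question or the answer above: a small Python lint that reads the proxy container's command list from the manifest and reports the address the TCP listener will bind to, so a loopback-only proxy behind a ClusterIP Service is caught before deployment. It assumes the v1 proxy form -instances=...=tcp:[HOST:]PORT (loopback when no host is given) and the v2 --address flag, and reduces a multi-instance list to its first entry.

```python
import re
from typing import List

LOOPBACK = "127.0.0.1"

# Constructed input: the proxy container's command from the question's manifest.
PROXY_COMMAND = [
    "/cloud_sql_proxy",
    "-enable_iam_login",
    "-ip_address_types=PRIVATE",
    "-instances=PROJECT_ID_HERE:REGION_HERE:INSTANCE_CONNECTION_HERE=tcp:5432",
]


def bind_address(command: List[str]) -> str:
    """Return the address the proxy's TCP listener binds to.

    v1 (/cloud_sql_proxy): '-instances=CONN=tcp:PORT' binds loopback,
    '-instances=CONN=tcp:HOST:PORT' binds HOST.
    v2 (/cloud-sql-proxy): '--address HOST' or '--address=HOST', loopback
    by default. Assumption: the first matching flag decides.
    """
    args = iter(command[1:])
    for arg in args:
        if arg == "--address":
            return next(args, LOOPBACK)
        if arg.startswith("--address="):
            return arg.split("=", 1)[1]
        if re.match(r"-{1,2}instances=", arg):
            first_spec = arg.split("=", 1)[1].split(",")[0]
            m = re.search(r"=tcp:(.+)$", first_spec)
            if m:
                host, _, _port = m.group(1).rpartition(":")
                return host or LOOPBACK
    return LOOPBACK


def reachable_via_service(command: List[str]) -> bool:
    """True only if the listener is bound to something other than loopback."""
    return bind_address(command) not in (LOOPBACK, "localhost")


if __name__ == "__main__":
    addr = bind_address(PROXY_COMMAND)
    state = "reachable" if reachable_via_service(PROXY_COMMAND) else "NOT reachable"
    print(f"proxy binds {addr}: {state} through a ClusterIP Service")
```

Binding to 0.0.0.0 makes the proxy reachable from any pod that can route to it, so a NetworkPolicy limiting ingress on port 5432 to the intended client pods is the matching control.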