Proxy kubernetes outgoing traffic via Proxy (CNTLM)

I am trying to proxy all outgoing kubernetes traffic via a CNTLM which runs on the host.

A little bit of context: Currently I am trying to set up a kubernetes cluster on a VM to use as a fast deployment solution for projects. Sadly, all outbound traffic which is not in the corporate network has to be authenticated via NTLM. On the host where the kubernetes cluster is running, the cntlm server is running on port 3128.

So what I want to achieve is that all traffic from the pods is redirected to host:3128. What I have thought of are the following ideas:

  • Modifying the iptables of the host to reroute traffic. This worked quite well for docker based containers without kubernetes (see https://hub.docker.com/r/ncarlier/redsocks/ ). With the container you could define your proxy and additionally a whitelist which should not be proxied. Is this also possible for kubernetes?

  • The other idea would be to start a pod to which all traffic from the other pods will be routed, and this pod acts as the CNTLM proxy. Not sure if this is possible.

Machine setup:

Kubernetes is working as expected in the network without external access.

Thanks for any help :)

UPDATE:

What I already tried, as Artem Golenyaev mentioned:

  • Editing the docker proxy settings for using the proxy. (reload + restart done)
  • Editing .bashrc + sourcing it for applying the proxy.

Content of .bashrc:

export http_proxy=http://d050alapi138:3128
export HTTP_PROXY=$http_proxy
export https_proxy=$http_proxy
export HTTPS_PROXY=$http_proxy
printf -v lan '%s,' 53.190.251.237
printf -v service '%s,' 10.96.0.{1..253}
printf -v pool '%s,' 192.168.0.{1..253}
export no_proxy="${lan%,},${service%,},${pool%,},127.0.0.1";
export NO_PROXY=$no_proxy

Content of /etc/systemd/system/docker.service.d/http-proxy.conf :

[Service]
Environment="HTTP_PROXY=http://d050alapi138:3128" "NO_PROXY=localhost,d050alapi138"

Content of /etc/systemd/system/docker.service.d/https-proxy.conf :

[Service]
Environment="HTTPS_PROXY=http://d050alapi138:3128" "NO_PROXY=localhost,d050alapi138"

Testing that the proxy is working in bash:

d050alapi138:~ # curl google.de
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.de/">here</A>.
</BODY></HTML>

Now the script for creating the cluster:

kubeadm init --apiserver-advertise-address=53.190.251.237 --service-cidr=10.96.0.0/16 --pod-network-cidr=192.168.0.0/24

export KUBECONFIG=/etc/kubernetes/admin.conf

kubectl apply -f https://docs.projectcalico.org/v3.1/getting-started/kubernetes/installation/hosted/rbac-kdd.yaml
kubectl apply -f https://docs.projectcalico.org/v3.1/getting-started/kubernetes/installation/hosted/kubernetes-datastore/calico-networking/1.7/calico.yaml

kubectl taint nodes --all node-role.kubernetes.io/master-

The node starts up and I can deploy ymls and so on, but when I try to test the internet connection inside a pod:

d050alapi138:~ # kubectl run my-shell2 --rm -i --tty --image ubuntu -- bash
If you don't see a command prompt, try pressing enter.
root@my-shell2-66df6fcdf4-4jhc8:/# apt-get update
0% [Connecting to archive.ubuntu.com (2001:67c:1360:8001::21)] [Connecting to security.ubuntu.com (2001:67c:1560:8001::11)]^C

It doesn't work. Only when I manually set the proxy envs inside the container does it work:

root@my-shell2-66df6fcdf4-4jhc8:/# export http_proxy=http://d050alapi138:3128
root@my-shell2-66df6fcdf4-4jhc8:/# export https_proxy=$http_proxy
root@my-shell2-66df6fcdf4-4jhc8:/# apt-get update
Get:1 http://archive.ubuntu.com/ubuntu bionic InRelease [242 kB]
Get:2 http://archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
Get:3 http://archive.ubuntu.com/ubuntu bionic-backports InRelease [74.6 kB]
Get:4 http://archive.ubuntu.com/ubuntu bionic/universe Sources [11.5 MB]
0% [3 InRelease gpgv 74.6 kB] [4 Sources 0 B/11.5 MB 0%] [Waiting for headers]^C

Maybe this helps to understand my problem.

You can try to use the common solution called "Kubernetes behind the corporate proxy."

First, you need to add proxy settings to Docker on all Nodes to allow it to download images. Create or modify the /etc/systemd/system/docker.service.d/http-proxy.conf file with the following lines (of course, you need to change addresses, ports, and networks in the following example):

  • For HTTP proxy:

     [Service]
     Environment="HTTP_PROXY=<http://proxy.example.com>:<proxy_port>/" "NO_PROXY=localhost,127.0.0.1,<docker-registry.somecorporation.com>"

  • For HTTPS proxy:

     [Service]
     Environment="HTTPS_PROXY=<https://proxy.example.com>:<proxy_port>/" "NO_PROXY=localhost,127.0.0.1,<docker-registry.somecorporation.com>"

Then, you need to restart the Docker daemon:

systemctl daemon-reload
systemctl restart docker

Second, you need to add proxy settings on all your Nodes into .bashrc to forward the required traffic from these Nodes to the proxy. Here is the example:

export http_proxy=<http://proxy.example.com>:<proxy_port>/
export HTTP_PROXY=$http_proxy
export https_proxy=<https://proxy.example.com>:<proxy_port>/
export HTTPS_PROXY=$https_proxy
printf -v lan '%s,' localip_of_machine
printf -v pool '%s,' 192.168.0.{1..253}
printf -v service '%s,' 10.96.0.{1..253}
export no_proxy="${lan%,},${service%,},${pool%,},127.0.0.1";
export NO_PROXY=$no_proxy

Also, you need to use your own settings for http_proxy, https_proxy, and no_proxy.

For more information, you can visit the following links:

The proxy setting inside /etc/systemd/system/docker.service.d/http-proxy.conf is the proxy setting for Docker.

What you need is to set the proxy inside the running container. As you mentioned, after you export the http proxy inside the container, the connection works.

You need to create this file inside the home directory, so that it will automatically export the http proxy inside the container:

~/.docker/config.json
{
        "proxies": {
                "default": {
                        "httpProxy": "<http://proxy.example.com>:<proxy_port>",
                        "httpsProxy": "<https://proxy.example.com>:<proxy_port>",
                        "noProxy": "<local_ip>,<service_ips>,<pod_ips>,127.0.0.1"
                }
        }
}
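An added example, not code from the question or from either answer. The proxies section of ~/.docker/config.json is read by the docker command-line client when it starts a container, whereas pods are started by the kubelet through the daemon's API, so the direct way to get the same variables into a pod is to put them in the Pod spec. The script below does that for a manifest, using the values from the question as assumptions (proxy http://d050alapi138:3128, node 53.190.251.237, service CIDR 10.96.0.0/16, pod CIDR 192.168.0.0/24) plus kubeadm's default cluster.local domain. It also covers two things the .bashrc in the question does not: the brace expansion 10.96.0.{1..253} lists only the first /24 of the /16 service range, and in-cluster DNS names (kubernetes.default, *.svc, *.cluster.local) are not excluded, so a pod that calls a service by name would hand that request to CNTLM, which cannot resolve it.

```python
"""Inject corporate-proxy environment variables into a Kubernetes Pod manifest.

Added example for this page; not code from the original question or answers.
Assumed values (taken from the question): CNTLM at http://d050alapi138:3128,
node 53.190.251.237, --service-cidr=10.96.0.0/16, --pod-network-cidr=192.168.0.0/24.
Assumed: kubeadm's default cluster domain cluster.local.
"""
import copy
import ipaddress
import json

PROXY_URL = "http://d050alapi138:3128"  # CNTLM on the host (from the question)
NODE_IP = "53.190.251.237"              # --apiserver-advertise-address
SERVICE_CIDR = "10.96.0.0/16"           # --service-cidr
POD_CIDR = "192.168.0.0/24"             # --pod-network-cidr
# Assumption: default kubeadm cluster domain. Requests to these names must stay
# inside the cluster; a proxy outside it cannot resolve them.
CLUSTER_NAMES = ["localhost", "kubernetes", "kubernetes.default", ".svc", ".cluster.local"]


def build_no_proxy(extra=()):
    """Return a NO_PROXY string covering loopback, the node, both cluster CIDRs
    and the in-cluster DNS names. CIDR entries are validated (strict=True) so a
    typo such as a host address where a network is expected fails loudly instead
    of silently sending cluster traffic to the proxy.
    Caveat: CIDR notation in NO_PROXY is understood by Go's net/http (hence most
    Kubernetes components) and recent curl, but not by every client; for those,
    list addresses individually as the .bashrc in the question does."""
    entries = ["127.0.0.1", NODE_IP]
    for cidr in (SERVICE_CIDR, POD_CIDR):
        entries.append(str(ipaddress.ip_network(cidr, strict=True)))
    entries += CLUSTER_NAMES
    entries += list(extra)
    return ",".join(dict.fromkeys(entries))  # de-duplicate, keep order


def proxy_env():
    """Proxy variables in Pod-spec env form. Both spellings are emitted because
    clients disagree on which one they read (curl: lower-case, Go: either)."""
    no_proxy = build_no_proxy()
    values = {
        "HTTP_PROXY": PROXY_URL, "http_proxy": PROXY_URL,
        "HTTPS_PROXY": PROXY_URL, "https_proxy": PROXY_URL,
        "NO_PROXY": no_proxy, "no_proxy": no_proxy,
    }
    return [{"name": name, "value": value} for name, value in values.items()]


def inject_proxy_env(pod):
    """Return a copy of `pod` with the proxy env added to every container and
    initContainer. Variables the manifest already sets are left alone, so a
    container that must bypass the proxy keeps its own setting."""
    out = copy.deepcopy(pod)
    spec = out["spec"]
    for key in ("initContainers", "containers"):
        for container in spec.get(key, []):
            env = container.setdefault("env", [])
            present = {e["name"] for e in env}
            env.extend(e for e in proxy_env() if e["name"] not in present)
    return out


# Constructed sample input, modelled on the `kubectl run my-shell2 --image ubuntu`
# pod from the question; the pre-set NO_PROXY shows that existing values win.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "my-shell2"},
    "spec": {
        "containers": [
            {"name": "shell", "image": "ubuntu", "command": ["bash"],
             "env": [{"name": "NO_PROXY", "value": "custom.internal"}]},
        ]
    },
}

if __name__ == "__main__":
    # Print the patched manifest; pipe it to `kubectl apply -f -`.
    print(json.dumps(inject_proxy_env(SAMPLE_POD), indent=2))
```

Run it and pipe the output to kubectl apply -f -, or wrap the same function in a mutating admission webhook so every pod gets the variables without changing each manifest. One caveat that follows from the setup in the question: CNTLM holds the NTLM credentials, so any pod that can reach host:3128 gets authenticated egress under that account; keep the proxy port reachable only from the cluster's pod and node ranges.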
