How can we expose Kubernetes services to the public in AWS without using LoadBalancers?
I'm running a Kubernetes cluster on AWS using Kops for the first time and I need some help in exposing the services to the public with an AWS-managed domain name and an SSL certificate.
The cluster is running in a private VPC and I can access it through a bastion instance.
Right now I'm exposing the services to the public using the LoadBalancer service type as follows:
apiVersion: v1
kind: Service
metadata:
  name: my-gateway-service
  namespace: {{ .Values.nameSpace }}
  labels:
    app: gateway
    tier: backend
  annotations:
    # TLS terminates on the ELB; the ELB forwards plain HTTP to the pods
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: 'http'
    # listener port(s) that present the ACM certificate (the annotation key is plural: ssl-ports)
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: '{{ .Values.services.sslPort }}'
    # ARN of the ACM certificate the ELB serves
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: '{{ .Values.services.sslCert }}'
spec:
  type: LoadBalancer   # one ELB is created for every Service of this type
  selector:
    app: gateway
    tier: backend
  ports:
  - name: http
    port: 80
    targetPort: {{ .Values.applications.nodeAppPort }}
  - name: https
    port: 443
    targetPort: {{ .Values.applications.nodeAppPort }}   # traffic is already decrypted by the ELB
As you can see, I'm passing the SSL certificate using annotations; then I just point the domain name to the LoadBalancer's public ingress and I'm done.
The Problem: This project is a micro-services project and requires a lot of services to be exposed to the public in different environments, which means a lot of AWS LoadBalancers and a lot of money $$$$.
I've tried NodePort and ExternalName services but none of them worked because of the private VPC.
Any suggestions to overcome this problem?
Look into Ingress Controllers. It's basically an nginx instance that's configured programmatically via annotations. There are several others available too (e.g., Kong).
To solve this, you can point your LoadBalancer to a "reverse-proxy" service such as an NGINX instance or Istio's Gateway ( https://istio.io/docs/reference/config/istio.networking.v1alpha3/#Gateway ), the Ingress controller and other options.
That way, when you hit https://[your_service_url]/[path], you can build rules which route to the correct internal service in Kubernetes based on the actual values of your_service_url or path.
That way you only pay for 1 Load Balancer, but can host many services in the cluster.
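Both answers describe the same layout; the manifests below put it into concrete form as an added example, not code from the original question or from either answer. One LoadBalancer Service fronts an NGINX Ingress controller, TLS terminates on the ELB with an ACM certificate (the same mechanism the question's annotations use), and a single Ingress resource routes by host and by path to backends that are plain ClusterIP Services. The namespaces, hostnames under example.com, service names and ports, and the certificate ARN are placeholders, and the example assumes the ingress-nginx controller is deployed in the ingress-nginx namespace with the labels selected below and a cluster that serves the networking.k8s.io/v1 Ingress API (Kubernetes 1.19 or later; older clusters use the kubernetes.io/ingress.class annotation instead of ingressClassName).

```yaml
# Added example, not from the original post. All names, hosts and the ACM ARN are placeholders.
---
# The ONLY Service of type LoadBalancer in the cluster. It fronts the ingress
# controller pods, not an application, so one ELB serves every public host.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
  annotations:
    # TLS terminates on the ELB with an ACM certificate; the ELB forwards
    # plain HTTP to the controller pods.
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-east-1:123456789012:certificate/REPLACE-ME"
spec:
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/component: controller
  ports:
  - name: http
    port: 80
    targetPort: http
  - name: https
    port: 443
    targetPort: http        # already decrypted by the ELB
---
# TLS ends at the ELB, so the controller must trust the ELB's X-Forwarded-Proto
# header; without this the force-ssl-redirect below would loop on HTTPS requests.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  use-forwarded-headers: "true"
---
# Backends are ClusterIP Services: reachable only inside the VPC, never directly
# from the internet. This replaces type: LoadBalancer in the question's gateway Service.
apiVersion: v1
kind: Service
metadata:
  name: my-gateway-service
  namespace: prod
spec:
  type: ClusterIP
  selector:
    app: gateway
    tier: backend
  ports:
  - name: http
    port: 80
    targetPort: 3000        # placeholder for the app's container port
---
# One Ingress carries the routing rules: host-based for the gateway and
# path-based for a second microservice behind api.example.com.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: public-services
  namespace: prod
  annotations:
    # Requests that arrived on the ELB's :80 listener are redirected to HTTPS.
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  ingressClassName: nginx
  rules:
  - host: gateway.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-gateway-service
            port:
              number: 80
  - host: api.example.com
    http:
      paths:
      - path: /orders
        pathType: Prefix
        backend:
          service:
            name: orders
            port:
              number: 8080
```

After applying this, point each public hostname at the ELB's DNS name (a Route 53 alias or CNAME record per host) and make sure the ACM certificate covers every hostname in the rules, via SANs or a wildcard, since one listener serves all of them. Two things to check once the ELB is shared: the backends must no longer have their own LoadBalancer or NodePort exposure, and because any Ingress object in any namespace can claim a hostname on the shared controller, restrict who may create Ingress resources with RBAC so one team cannot route another team's host.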