Expose GKE mongo with access control to Internet
I am now trying to implement the new system. My system will be divided into 2 clusters. The first is for computing jobs. It will be changed heavily and very frequently by CI/CD. Then to protect it from my juniors' accidents and also save cost, because a compute node does not need to use 100GB like the database does.
Now I am setting up my mongo-replicaset using helm. My configuration works fine. Here is my terminal log during the installation.
Install with 100GB per node. There are 3 nodes.
$ gcloud container clusters create elmo --disk-size=100GB --enable-cloud-logging --enable-cloud-monitoring
I have changed the username and password in the values.yaml:
mongodbUsername: myuser
mongodbPassword: mypassword
However, when I jump into the pod, it does not require me to do any authentication. I can execute show dbs:
$ kubectl exec -it ipman-mongodb-replicaset-0 mongo
MongoDB shell version v4.0.6
connecting to: mongodb://127.0.0.1:27017/?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("966e85fd-8857-46ac-a2a4-a8b560e37104") }
MongoDB server version: 4.0.6
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
http://docs.mongodb.org/
Questions? Try the support group
http://groups.google.com/group/mongodb-user
2019-03-20T12:15:51.266+0000 I STORAGE [main] In File::open(), ::open for '//.mongorc.js' failed with Unknown error
Server has startup warnings:
2019-03-20T11:36:03.768+0000 I STORAGE [initandlisten]
2019-03-20T11:36:03.768+0000 I STORAGE [initandlisten] ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine
2019-03-20T11:36:03.768+0000 I STORAGE [initandlisten] ** See http://dochub.mongodb.org/core/prodnotes-filesystem
2019-03-20T11:36:05.082+0000 I CONTROL [initandlisten]
2019-03-20T11:36:05.082+0000 I CONTROL [initandlisten] ** WARNING: Access control is not enabled for the database.
2019-03-20T11:36:05.082+0000 I CONTROL [initandlisten] ** Read and write access to data and configuration is unrestricted.
2019-03-20T11:36:05.083+0000 I CONTROL [initandlisten]
---
Enable MongoDB's free cloud-based monitoring service, which will then receive and display
metrics about your deployment (disk utilization, CPU, operation statistics, etc).
The monitoring data will be available on a MongoDB website with a unique URL accessible to you
and anyone you share the URL with. MongoDB may use this information to make product
improvements and to suggest MongoDB products and deployment options to you.
To enable free monitoring, run the following command: db.enableFreeMonitoring()
To permanently disable this reminder, run the following command: db.disableFreeMonitoring()
---
rs0:PRIMARY> show dbs
admin 0.000GB
config 0.000GB
local 0.000GB
I can see 2 services running for mongodb-replicaset:
$ kubectl describe svc ipman-mongodb-replicaset
Name: ipman-mongodb-replicaset
Namespace: default
Labels: app=mongodb-replicaset
chart=mongodb-replicaset-3.9.2
heritage=Tiller
release=ipman
Annotations: service.alpha.kubernetes.io/tolerate-unready-endpoints: true
Selector: app=mongodb-replicaset,release=ipman
Type: ClusterIP
IP: None
Port: mongodb 27017/TCP
TargetPort: 27017/TCP
Endpoints: 10.60.1.5:27017,10.60.2.7:27017,10.60.2.8:27017
Session Affinity: None
Events: <none>
$ kubectl describe svc ipman-mongodb-replicaset-client
Name: ipman-mongodb-replicaset-client
Namespace: default
Labels: app=mongodb-replicaset
chart=mongodb-replicaset-3.9.2
heritage=Tiller
release=ipman
Annotations: <none>
Selector: app=mongodb-replicaset,release=ipman
Type: ClusterIP
IP: None
Port: mongodb 27017/TCP
TargetPort: 27017/TCP
Endpoints: 10.60.1.5:27017,10.60.2.7:27017,10.60.2.8:27017
Session Affinity: None
Events: <none>
I have seen here and here. I have 3 IP addresses. Which one should I use?
I think LoadBalancer might not fit my need because it is normally used with a backend service to balance load between nodes. In my case, it is the master that does the writing and the replica that does the reading.
$ gcloud compute instances list
NAME ZONE MACHINE_TYPE PREEMPTIBLE INTERNAL_IP EXTERNAL_IP STATUS
gke-elmo-default-pool-c5dc6e86-1j8v asia-southeast1-a n1-standard-1 10.148.0.59 35.197.148.201 RUNNING
gke-elmo-default-pool-c5dc6e86-5hs4 asia-southeast1-a n1-standard-1 10.148.0.57 35.198.217.71 RUNNING
gke-elmo-default-pool-c5dc6e86-wh0l asia-southeast1-a n1-standard-1 10.148.0.58 35.197.128.107 RUNNING
Question:
1. Why is my username:password not taken into account when doing authentication?
2. How can I expose my mongo shell and let clients coming from the internet use my database server by using
mongo -u <user> -p <pass> --host kluster.me.com --port 27017
I have checked the helm chart documentation. I am worried that I am using k8s in the wrong way. Therefore I decided to ask here.
I cannot answer about the password issue, but using a separate cluster for your DB might not be the best option. By creating a separate cluster you are forced to expose your sensitive database to the world. This is not ideal.
I recommend you deploy your mongo on your existing cluster. This way you can have your computing workloads connect to your mongo simply by using the service name as the hostname.
If you need a bigger drive for your mongo, simply use a persistent disk and specify the size when you create your mongo installation using helm.
For example:
helm install mongo-replicaset --name whatever --set persistentVolume.size=100Gi
In your values.yaml file, you have a section called persistence when it should be called persistentVolume.
I recommend that your values.yaml only contains the values you want to change and not everything.
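A values.yaml audit that covers both the credentials point from the question (the startup log says access control is not enabled even though mongodbUsername/mongodbPassword were set) and the persistence/persistentVolume point from the answer. This is an added example, not code from the question, the answer or the chart. It assumes, and you should check this against the values.yaml of the chart version you install, that the stable/mongodb-replicaset chart turns on authentication through its auth section (auth.enabled, plus auth.adminUser/auth.adminPassword or auth.existingAdminSecret, and a replica-set keyfile via auth.key or auth.existingKeySecret), reads the disk size from persistentVolume.size, and ignores top-level mongodbUsername/mongodbPassword keys. The sample values are constructed from the fragments shown on the page; the Secret names are hypothetical.

```python
"""Audit a values.yaml for the stable/mongodb-replicaset Helm chart.

Added example, not from the question, the answer or the chart. Assumptions
(verify against the chart's own values.yaml for the version installed):
  - authentication is enabled through the `auth` section: auth.enabled plus
    auth.adminUser/auth.adminPassword or auth.existingAdminSecret, and a
    replica-set keyfile via auth.key or auth.existingKeySecret;
  - the data disk is sized with persistentVolume.size;
  - top-level mongodbUsername/mongodbPassword and a `persistence` section are
    not keys this chart reads, so they silently change nothing.
"""
import re

# Constructed from the fragments shown in the question and the answer.
WEAK_VALUES = """\
mongodbUsername: myuser
mongodbPassword: mypassword
persistence:
  size: 100Gi
"""

# Constructed hardened values. The Secret names are hypothetical; they must be
# created separately so the admin password never lives in values.yaml.
HARDENED_VALUES = """\
auth:
  enabled: true
  existingAdminSecret: mongo-admin-credentials   # hypothetical Secret name
  existingKeySecret: mongo-replica-keyfile       # hypothetical Secret name
persistentVolume:
  enabled: true
  size: 100Gi
"""


def parse_simple_yaml(text):
    """Parse the YAML subset used above (nested maps of scalars, space
    indentation, '#' comments) into a dict of dotted-path -> string."""
    values = {}
    stack = []  # (indent, key) for the enclosing maps
    for raw in text.splitlines():
        line = re.sub(r"\s+#.*$", "", raw).rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key])
        value = value.strip().strip("'\"")
        if value:
            values[path] = value
        else:
            stack.append((indent, key))
    return values


def audit_values(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    values = parse_simple_yaml(text)
    findings = []
    if values.get("auth.enabled", "false").lower() != "true":
        findings.append("auth.enabled is not true: mongod starts with access "
                        "control disabled, as the startup warning says")
    else:
        has_admin = ("auth.existingAdminSecret" in values
                     or ("auth.adminUser" in values and "auth.adminPassword" in values))
        if not has_admin:
            findings.append("auth is enabled but no admin credentials are configured")
        if "auth.adminPassword" in values:
            findings.append("auth.adminPassword is plain text in values.yaml; "
                            "prefer auth.existingAdminSecret")
        if "auth.key" not in values and "auth.existingKeySecret" not in values:
            findings.append("no replica-set keyfile (auth.key or auth.existingKeySecret)")
    for stray in ("mongodbUsername", "mongodbPassword"):
        if stray in values:
            findings.append(f"{stray} is not a key this chart reads; it has no effect")
    if any(path.startswith("persistence.") for path in values):
        findings.append("section is named 'persistence'; this chart uses 'persistentVolume'")
    if "persistentVolume.size" not in values:
        findings.append("persistentVolume.size is not set; the chart default applies")
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", WEAK_VALUES), ("hardened", HARDENED_VALUES)):
        print(f"{label}: {audit_values(text) or ['no findings']}")
```

Running it lists findings for the posted values and none for the hardened ones. The "Access control is not enabled for the database" line in the question's startup log is exactly the condition auth.enabled is meant to remove; after a reinstall, that warning disappearing from the pod log is the quickest confirmation that the setting took effect.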
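A connection-string builder for the in-cluster route the answer recommends (service name as hostname) and for the write-to-master, read-from-replica split the question describes. This is an added example, not from the answer or the chart. It assumes the chart's headless service gives each member the standard Kubernetes DNS name <pod>.<service>.<namespace>.svc.cluster.local, reuses the release name (ipman), service name, port (27017) and replica set name (rs0) visible on the page, and assumes the admin user authenticates against the admin database; the credentials are constructed placeholders.

```python
from urllib.parse import quote_plus


def member_hosts(release, namespace="default", members=3, port=27017):
    """Per-member DNS names behind the chart's headless service.
    Assumption: StatefulSet pods are named <release>-mongodb-replicaset-<n>,
    matching the pod and service names shown in the question."""
    svc = f"{release}-mongodb-replicaset"
    return [f"{svc}-{i}.{svc}.{namespace}.svc.cluster.local:{port}"
            for i in range(members)]


def replica_set_uri(user, password, hosts, rs_name="rs0",
                    read_from_secondaries=False):
    """Build a mongodb:// URI that authenticates against the admin database
    and names the replica set, so the driver discovers the primary itself
    (writes go there) and, if asked, routes reads to secondaries."""
    opts = [f"replicaSet={rs_name}", "authSource=admin"]
    if read_from_secondaries:
        opts.append("readPreference=secondaryPreferred")
    # quote_plus keeps '@' and ':' in credentials from breaking the URI.
    return (f"mongodb://{quote_plus(user)}:{quote_plus(password)}@"
            + ",".join(hosts) + "/?" + "&".join(opts))


if __name__ == "__main__":
    hosts = member_hosts("ipman")
    # Constructed placeholder credentials.
    print(replica_set_uri("myuser", "p@ss:word", hosts, read_from_secondaries=True))
```

Because the hosts are cluster-internal DNS names, this URI only works from workloads inside the cluster, which is the point of the answer: nothing has to be published on a node's external IP for the computing jobs to reach the database.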