如何限制来自kubernetes内部pod的外部服务中的源IP
[英]how to limit source IP in a outside service that requests come from a pod inside kubernetes
问题描述
let's say I have a mysql service, on this vm, I want limit source ip through iptables, but sources are come from kubernetes pod, is there a way to achieve this goal? 
假设我有一个mysql服务,在这个vm上,我想通过iptables限制源ip,但是源来自kubernetes pod,有没有办法实现这个目标? let some pods can reach mysql, other pods can't. 让某些Pod可以到达mysql,而其他Pod则不能。
btw, all my services' type in kubernetes cluster are clusterIP 顺便说一句,我在kubernetes集群中所有服务的类型都是clusterIP
I know I can do some network policy inside kubernetes cluster, but in DBAs view, 我知道我可以在kubernetes集群中执行一些网络策略,但是在DBA视图中,
it's your business, I can't believe you, I'll do my rules through iptables.
- kubernetes version: 1.13.4 kubernetes版本:1.13.4
- kube proxy mode: ipvs kube代理模式:ipvs
- overlay network: calico 覆盖网络:印花布
- ingress-controller: nginx 入口控制器:nginx
2 个解决方案
解决方案1
0 2019-03-31 06:50:22
Define network policy rules on mysql pod. 在mysql pod上定义网络策略规则。 With network policy you can control the traffic to mysql pod from a specific pod or namespace 使用网络策略,您可以控制从特定Pod或命名空间到mysql Pod的流量
解决方案2
0 2019-05-23 08:11:05
Try to define two kind of Kubernetes services, add ExternalIP to them and later accordingly to your preferences block ExternalIP (which is assign to service which expose deployment or pod you do not want to accept connection from using iptables to access your database or properly accept this connection. 尝试定义两种Kubernetes服务,将它们添加到外部服务中,然后将其添加到您的首选项块外部IP中(将其分配给服务,该服务公开您不想接受连接的部署或pod使用iptables访问数据库或正确接受此服务)连接。
For example : 例如 :
For pods you want to accept connection: 对于Pod,您要接受连接:
Label this pods:
标记此吊舱: $ kubectl label pod test app=MyApp --namespace developmentDefine service for them wich appropriate selector corresponding label which you add to pod
通过添加到pod的适当选择器对应标签为他们定义服务
apiVersion: v1 kind: Service metadata: name: my-service spec: selector: app: MyApp ports: - name: http protocol: TCP port: 80 targetPort: 9376 externalIPs: - 80.11.12.10
Create it:
创造它: $ kubectl create -f service.yaml --namespace developmentYou can also patch service with externaiIP instead of adding it in configuration file.
您也可以使用externaiIP修补服务,而不是将其添加到配置文件中。 Execute command from MySQL to allow connection between pods
从MySQL执行命令以允许Pod之间的连接 $ iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED --source xxxx -p tcp --dport 80 -j ACCEPT
xxxx is externalIP xxxx是外部IP
Remeber to create service in appropraite namespace when your pods are deployed. 部署Pod时,请记住在适当的名称空间中创建服务。
For pods you do not want to reject connection: 对于Pod,您不想拒绝连接:
Label this pods:
标记此吊舱: $ kubectl label pod egg app=test --namespace developmentDefine service for them wich appropriate selector corresponding label which you add to pod
通过添加到pod的适当选择器对应标签为他们定义服务
apiVersion: v1 kind: Service metadata: name: example1-service spec: selector: app: test ports: - name: http protocol: TCP port: 80 targetPort: 9376 externalIPs: - yyyy
Create it:
创造它: $ kubectl create -f service.yaml --namespace developmentYou can also patch service with externaiIP instead of adding it in configuration file.
您也可以使用externaiIP修补服务,而不是将其添加到配置文件中。 Execute command from MySQL to allow connection between pods
从MySQL执行命令以允许Pod之间的连接 $ iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED --source yyyy -p tcp -- dport 80 -j DROP
yyyy is externalIP yyyy是externalIP
I hope this helps. 我希望这有帮助。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.