
Kubernetes outbound calls to an external endpoint with IP whitelisting

We are using Kubernetes on Google Cloud's Google Kubernetes Engine. Our system dynamically generates instances based on requests, and these instances call an external web service. The external service generates images, and the bandwidth usage per instance is not small.

This external web service has IP whitelisting configured.

Is there any way that I can funnel all the requests going from the selected pods (they are grouped within a node pool) to the external service through a single IP?

The answer is yes; there are actually several ways one can achieve this. I will describe a simple way to get this done: by tunnelling through a proxy server.

It could also be done by assigning external IPs to all your nodes and allowing them on the web service, but many engineers don't prefer doing it because no one wants to expose the nodes to the external world, for a million security reasons.

Add a separate, very small (maybe nano) VM within the same cluster and install HAProxy or Nginx or your favourite proxy. Or install the proxy on one of the instances you already have, but make sure it has an external IP attached to it, and it should be inside your cluster in order to reduce any latency issues.

Now bind the URL in the proxy to accept connections on a particular port and route them to your instance that has your external web service. This is an example of what the HAProxy config would look like.

listen port_2020
  # Accept connections on port 2020 on every address of the proxy VM
  bind :2020
  # Raw TCP pass-through; TLS stays end-to-end between the client and the external service
  mode tcp
  # Forward to the external web service and health-check it with a TCP connect
  server external-web-service externalwebservice.mycompany.com:443 check

After the completion of this setup, let's assume your k8s is running masters at 10.0.1.0/24 and nodes at 10.0.2.0/24, and you added this additional proxy service somewhere at 10.10.1.101/32 with an external IP of 52.*.*.* within the same VPC. Now all you have to do is open communication on 10.10.1.101 to accept connections to port 2020 from 10.0.2.0/24.

Now your pods have to keep polling 10.10.1.101:2020/api/health/check instead of the external web service directly.

And now you can whitelist just the proxy VM IP 52.*.*.* on your web service VM without any issues.

This is just an example of how it could be done, but there are several approaches to get this done. There are many advanced ways of doing this using a sidecar as well.

Hope this is helpful.
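A fuller HAProxy configuration for the proxy VM described in the answer above, added here as an example and not part of the original answer. It assumes the addresses the answer uses (proxy VM at 10.10.1.101, node pool at 10.0.2.0/24, upstream externalwebservice.mycompany.com), binds only on the VM's internal address, and rejects any connection that does not come from the node pool subnet, so the forwarding port is not reachable from the rest of the VPC or from the internet:

```haproxy
# Constructed example for the proxy VM; addresses are the ones used in the answer.
global
    log stdout format raw local0

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Listen only on the VM's internal address, never on the external 52.*.*.* one.
frontend nodes_to_external
    bind 10.10.1.101:2020
    # Only the GKE node pool subnet may use the proxy; everything else is rejected
    # at connection time, before any bytes are forwarded.
    acl from_node_pool src 10.0.2.0/24
    tcp-request connection reject if !from_node_pool
    default_backend external_web_service

backend external_web_service
    # Raw TCP pass-through: TLS stays end-to-end between the pod and the external
    # service, and the service sees the proxy VM's external IP as the source.
    server external-web-service externalwebservice.mycompany.com:443 check
```

Because this runs in TCP mode, the pods must still speak HTTPS to 10.10.1.101:2020 with the external host name as SNI/Host; the proxy does not terminate TLS. The VPC firewall rule allowing tcp:2020 from 10.0.2.0/24 that the answer mentions is still needed in addition to this in-proxy check.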
