
Send requests from Kubernetes pods through the load balancer IP

I have a k8s cluster on DigitalOcean using Traefik 1.7 as the Ingress Controller. Our domain points to the load balancer IP created by Traefik.

All incoming requests go through the load balancer IP and are routed by Traefik to the proper service.

Now I want to perform HTTP requests from my services to an external system which only accepts registered IPs.

Can I provide them the load balancer's IP and make all outbound requests go through the load balancer IP? Or do I need to provide them all nodes' public IPs?

Thanks.

You can do either of them.

But the best solution to this would be to make all the traffic go through the load balancer, assuming this is some proxy server with tunnelling capabilities, and open comms through the load balancer IP on your external system. Because, imagine, right now you might be having a dozen nodes running 100 microservices, and now you opened your external system's security group to allow traffic from that dozen.

But in the next few months you might go from 12 to 100 nodes, and there is the overhead of updating your external system's security group whenever you add a node in DigitalOcean.

But you can also try a different approach by adding a standalone proxy server and routing traffic through it from your pods. Something like this: Kubernetes outbound calls to an external endpoint with IP whitelisting.

Just a note, it's not just these options; there are several ways one can achieve this. Another approach would be associating a NAT IP with all your nodes and keeping every node behind a private network, which would also work. It all depends on how you want to set it up and the purpose of the system you are planning to achieve.

Hope this helps.

Unfortunately, Ingress resources can't be used for outbound requests. So you need to provide all nodes' public IPs.

Another idea: if you use a forward proxy (e.g. nginx, haproxy), you can limit the nodes where forward proxy pods are scheduled by setting nodeSelector. By doing so, I think you can limit the nodes that provide public IP addresses.

Egress packets from a k8s cluster to cluster-external services have the node's IP as the source IP. So you can register the k8s nodes' IPs in the external system to allow egress packets from the k8s cluster.

https://kubernetes.io/docs/tutorials/services/source-ip/ says egress packets from k8s get source NAT'ed with the node's IP:

Source NAT: replacing the source IP on a packet, usually with a node's IP

The following can be used to send egress packets from a k8s cluster:

kube-static-egress-ip provides a solution with which a cluster operator can define an egress rule where a set of pods' outbound traffic to a specified destination is always SNAT'ed with a configured static egress IP. kube-static-egress-ip provides this functionality in a Kubernetes-native way using custom resources.
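Both of the last two answers come down to the same operational fact: whatever nodes carry the egress traffic (all of them, or only the ones a nodeSelector pins the forward proxy to), their public IPs are what the external system's allowlist must contain, and that list drifts as nodes are added or removed. The following added example (not code from the question or any answer) parses the JSON shape of `kubectl get nodes -o json`, selects nodes by the same label dict a pod's nodeSelector would use, collects their ExternalIP addresses, and reports which IPs are missing from the registered allowlist and which registered entries are stale. The node names, the `egress=true` label and the 203.0.113.0/24 addresses are constructed sample data.

```python
import json

# Constructed sample of `kubectl get nodes -o json`, trimmed to the fields used below.
# pool-b-2 carries the egress label but has no ExternalIP (e.g. a private-network-only node).
NODES_JSON = """
{"items": [
 {"metadata": {"name": "pool-a-1", "labels": {"egress": "true"}},
  "status": {"addresses": [{"type": "InternalIP", "address": "10.0.0.11"},
                           {"type": "ExternalIP", "address": "203.0.113.11"}]}},
 {"metadata": {"name": "pool-a-2", "labels": {"egress": "true"}},
  "status": {"addresses": [{"type": "InternalIP", "address": "10.0.0.12"},
                           {"type": "ExternalIP", "address": "203.0.113.12"}]}},
 {"metadata": {"name": "pool-b-1", "labels": {}},
  "status": {"addresses": [{"type": "InternalIP", "address": "10.0.0.21"},
                           {"type": "ExternalIP", "address": "203.0.113.21"}]}},
 {"metadata": {"name": "pool-b-2", "labels": {"egress": "true"}},
  "status": {"addresses": [{"type": "InternalIP", "address": "10.0.0.22"}]}}
]}
"""


def egress_node_ips(nodes_json, selector=None):
    """Return {node_name: external_ip} for nodes matching `selector`, a label
    dict with the same semantics as a pod's nodeSelector (empty = all nodes).
    Nodes without an ExternalIP are skipped: SNAT'ed traffic leaving them has
    no public address the external system could allowlist."""
    selector = selector or {}
    result = {}
    for node in json.loads(nodes_json)["items"]:
        labels = node["metadata"].get("labels", {})
        if any(labels.get(key) != value for key, value in selector.items()):
            continue
        for addr in node["status"].get("addresses", []):
            if addr["type"] == "ExternalIP":
                result[node["metadata"]["name"]] = addr["address"]
                break
    return result


def allowlist_drift(current_ips, registered):
    """Compare the live egress IPs with what the external system has registered.
    'missing' nodes will have their requests rejected; 'stale' entries should be
    revoked, since a released cloud IP may later be handed to someone else."""
    current, registered = set(current_ips.values()), set(registered)
    return {"missing": sorted(current - registered),
            "stale": sorted(registered - current)}


if __name__ == "__main__":
    live = egress_node_ips(NODES_JSON, {"egress": "true"})
    print(live, allowlist_drift(live, ["203.0.113.11", "203.0.113.99"]))
```

In a real cluster, replace `NODES_JSON` with the output of `kubectl get nodes -o json` and feed the function the labels you put in the proxy Deployment's nodeSelector; run it from a scheduled job so allowlist drift is caught when the node pool changes, not when requests start failing.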
