
How to intercept requests to a service in Kubernetes?

Let's say I define a Service named my-backend in Kubernetes. I would like to intercept every request sent to this service; what is the proper way to do it? For example, another container under the same namespace sends a request through http://my-backend.

I tried to use an Admission Controller with a validation webhook. However, it can intercept the CRUD operations on service resources, but it fails to intercept any connection to a specific service.

There is no direct way to intercept the requests to a service in Kubernetes.

As a workaround, this is what you can do:

  1. Create a sidecar container just to log each incoming request.

  2. Run tcpdump -i eth0 -n in your containers and filter out the requests.

  3. Use Zipkin.

  4. Services created on cloud providers will have their own logging mechanism. For example, a load balancer service on AWS will have its logs generated on S3 (AWS ELB logs).
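Concretely, the logging-sidecar option from this answer, as an added example that is not part of the original post: the Service targets an nginx sidecar that logs every request and proxies it to the app over loopback, so nothing reaches the app without passing the proxy. The ConfigMap name, the my-backend:1.0 image and the app port 8080 are assumptions.

```yaml
# Added example (not from the original answers); assumes the app binds 127.0.0.1:8080.
apiVersion: v1
kind: ConfigMap
metadata:
  name: my-backend-proxy-conf
data:
  nginx.conf: |
    events {}
    http {
      log_format intercept '$remote_addr "$request" $status "$http_user_agent"';
      access_log /dev/stdout intercept;   # every request to the Service lands here
      server {
        listen 80;
        location / {
          proxy_pass http://127.0.0.1:8080;   # forward to the app over loopback
        }
      }
    }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-backend
spec:
  selector:
    matchLabels: {app: my-backend}
  template:
    metadata:
      labels: {app: my-backend}
    spec:
      containers:
      - name: app
        image: my-backend:1.0   # placeholder image, assumed to bind 127.0.0.1:8080 only
      - name: proxy             # sidecar: the only port the Service routes to
        image: nginx:1.25
        ports: [{containerPort: 80}]
        volumeMounts:
        - {name: conf, mountPath: /etc/nginx/nginx.conf, subPath: nginx.conf}
      volumes:
      - {name: conf, configMap: {name: my-backend-proxy-conf}}
---
apiVersion: v1
kind: Service
metadata:
  name: my-backend
spec:
  selector: {app: my-backend}
  ports:
  - {port: 80, targetPort: 80}
```

The interception is only as complete as its bypass options: if the app binds 0.0.0.0:8080, other pods can still reach the pod IP on 8080 directly, so bind it to loopback or restrict that port with a NetworkPolicy.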

You can use a service mesh such as Istio. An Istio service mesh deploys an Envoy proxy sidecar along with every pod. Envoy intercepts all the incoming requests to the pod and can provide you metrics such as the number of requests etc. A service mesh brings in more features such as distributed tracing, rate limiting etc.

The Kubernetes NetworkPolicy object will help with this. A network policy controls how a group of pods can communicate with each other and with other network endpoints. You can allow only the ingress traffic to the my-backend service based on a pod selector. Below is the example that will allow the ingress traffic from specific

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-only-from-frontend-to-my-backend
  namespace: default
spec:
  podSelector:
    matchLabels:
      <my-backend pod label>
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          <Frontend web pod label>
