kubernetes NodePort vs ClusterIP with Nginx-Ingress

I've got my own microservice and till now I've been exposing the service with type: NodePort along with the nginx-ingress helm chart to my own public IP with https; I've noticed when running a linter on my microservice helm chart that it's not safe (to use NodePort) and I should be using ClusterIP - could someone explain why?

If your cluster is set up so that the worker nodes are directly accessible from outside the cluster, then anything you have set as a NodePort-type service will be accessible too. In particular, this means that http://any-node.k8s.example.com:32345/ could reach your back-end service, bypassing any controls that you've set up in the ingress layer. You generally don't want that.

A reasonable approach here (and probably what your linter is encouraging) is to use NodePort or LoadBalancer-type services only for your ingress service. Anything else should register itself with that ingress service (using a native Kubernetes Ingress object, or an Istio VirtualService, or...) but have ClusterIP-type services for intra-cluster access.

     +------------+  NP  +---------+ CIP  +-------------+
---> | (any node) | ---> | ingress | ---> | application |
     +------------+      +---------+      +-------------+
                 |__________________________^
      a NodePort application service would allow this path
                   (bypassing the ingress)

From a security standpoint, only the ingress controller (nginx, for example) needs to be exposed outside the cluster. This can be done either via NodePort or LoadBalancer, or even by running the ingress controller in the host network of some dedicated Kubernetes nodes with public IPs. So any north-south traffic coming into the cluster from outside will have to pass through the ingress controller. Any front-facing services (a nodejs frontend app, for example) should be exposed outside the cluster via an Ingress resource only, to make sure any WAF or TLS enforcement policy can be implemented at the ingress controller. For east-west traffic between the front-facing service and backend microservices within the cluster, a ClusterIP service is recommended.
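The layout both answers recommend (only the ingress controller exposed, the application on a ClusterIP Service registered through an Ingress object), as an added example that is not part of the question or the answers: the NodePort Service a linter would flag, beside the ClusterIP Service and Ingress that replace it. The names my-microservice and my-microservice.example.com, the ingress class nginx and the TLS secret are assumptions; the node port 32345 is the one from the first answer's example URL.

```yaml
# BEFORE: the NodePort Service the linter flags; reachable on every node at <node-ip>:32345, bypassing the ingress
apiVersion: v1
kind: Service
metadata:
  name: my-microservice          # assumed name
spec:
  type: NodePort
  selector:
    app: my-microservice
  ports:
    - port: 80
      targetPort: 8080
      nodePort: 32345
---
# AFTER: ClusterIP Service, reachable only from inside the cluster (east-west traffic)
apiVersion: v1
kind: Service
metadata:
  name: my-microservice
spec:
  type: ClusterIP                # the default; stated explicitly so the linter and reviewers see it
  selector:
    app: my-microservice
  ports:
    - port: 80
      targetPort: 8080
---
# The Ingress registers the service with the nginx ingress controller, which stays the only
# NodePort/LoadBalancer Service in the cluster; TLS (and any WAF rules) are enforced there
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-microservice
spec:
  ingressClassName: nginx        # assumed ingress class of the nginx-ingress chart
  tls:
    - hosts:
        - my-microservice.example.com
      secretName: my-microservice-tls   # assumed pre-existing TLS secret
  rules:
    - host: my-microservice.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-microservice
                port:
                  number: 80
```

After applying the second and third documents, `kubectl get svc` should list no NodePort or LoadBalancer Service other than the ingress controller's own.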
