
kubernetes: set Https on LoadBalancer service

I've read everywhere that to set Https to access a kubernetes cluster you need to have an Ingress and not simply a LoadBalancer service which also exposes the cluster outside.

My question is pretty theoretical: if an Ingress (and it is) is composed of a LoadBalancer service, a Controller (a deployment/pod of an nginx image for example) and a set of Rules (in order to correctly proxy the incoming requests inside the cluster), why can't we set Https in front of a LoadBalancer instead of an Ingress?

As an exercise I've built the three components separately by myself (a LoadBalancer, a Controller/API Gateway with some Rules): these three together already get the incoming requests and proxy them inside the cluster according to specific rules so, I can say, I have built an Ingress by myself. Can't I add https to this structure and do I need to set a redundant part (a k8s Ingress) in front of the cluster?

Not sure if I fully understood your question.

In Kubernetes you are exposing your cluster/application using a service, which is well described here. A good comparison of all services can be found in this article.

When you create a service of type LoadBalancer, it creates an L4 LoadBalancer. L4 is aware of information like source IP:port and destination IP:port, but doesn't have any information about the application layer (Layer 7). HTTP/HTTPS LoadBalancers are on Layer 7, so they are aware of the application. More information about Load Balancing can be found here.

Layer 4-based load balancing to direct traffic based on data from network and transport layer protocols, such as IP address and TCP or UDP port

Layer 7-based load balancing to add content-based routing decisions based on attributes, such as the HTTP header and the uniform resource identifier

Ingress is something like LoadBalancer with L7 support.

The Ingress is a Kubernetes resource that lets you configure an HTTP load balancer for applications running on Kubernetes, represented by one or more Services. Such a load balancer is necessary to deliver those applications to clients outside of the Kubernetes cluster.

Ingress also provides many advantages. For example, if you have many services in your cluster, you can create one LoadBalancer and an Ingress which will be able to redirect traffic to the proper service and allow you to cut the costs of creating a few LoadBalancers.

In order for the Ingress resource to work, the cluster must have an ingress controller running.

The Ingress controller is an application that runs in a cluster and configures an HTTP load balancer according to Ingress resources. The load balancer can be a software load balancer running in the cluster or a hardware or cloud load balancer running externally. Different load balancers require different Ingress controller implementations. In the case of NGINX, the Ingress controller is deployed in a pod along with the load balancer.

There are many Ingress Controllers, but the most popular is Nginx Ingress Controller.

So my answer regarding:

why can't we set Https in front of a LoadBalancer instead of an Ingress?

It's not only about securing your cluster using HTTPS but also about the many capabilities and features which Ingress provides.

Very good documentation regarding HTTP(S) Load Balancing can be found on GKE Docs.
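
Added example, not part of the original question or answer: the L4/L7 split described above, written as manifests. The L4 LoadBalancer Service only forwards TCP 443, while the Ingress tells the controller which certificate to terminate TLS with and how to route by host and path. All names, hosts, namespaces and the Secret are placeholders, and an NGINX ingress controller is assumed.

```yaml
# Constructed example: every name, host and Secret here is a placeholder.
# L4: Service of type LoadBalancer in front of the ingress controller pods.
# It forwards TCP 443 by IP:port only and never sees HTTP hosts or paths.
apiVersion: v1
kind: Service
metadata:
  name: example-ingress-controller      # hypothetical name
  namespace: ingress-example            # hypothetical namespace
spec:
  type: LoadBalancer
  selector:
    app: example-ingress-controller     # assumed label on the controller pods
  ports:
    - name: https
      port: 443
      targetPort: 443
      protocol: TCP
---
# L7: Ingress resource. The controller terminates TLS with the certificate
# in the referenced Secret, then routes on the Host header and URL path.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  namespace: default
spec:
  ingressClassName: nginx               # assumes an NGINX ingress controller
  tls:
    - hosts:
        - app.example.com
      secretName: app-example-tls       # Secret of type kubernetes.io/tls
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /api
            pathType: Prefix
            backend:
              service:
                name: api-svc           # hypothetical backend Service
                port:
                  number: 8080
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web-svc           # hypothetical backend Service
                port:
                  number: 80
```

The TLS Secret must live in the same namespace as the Ingress, and the private key it holds should be readable only by the controller's service account.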
