kubernetes: set Https on LoadBalancer service
I've read everywhere that to set Https to access a kubernetes cluster you need to have an Ingress and not simply a LoadBalancer service which also exposes the cluster outside.
My question is pretty theoretical: if an Ingress (and it is) is composed of a LoadBalancer service, a Controller (a deployment/pod of an nginx image for example) and a set of Rules (in order to correctly proxy the incoming requests inside the cluster), why can't we set Https in front of a LoadBalancer instead of an Ingress?
As an exercise, I've built the three components separately by myself (a LoadBalancer, a Controller/API Gateway with some Rules): these three together already get the incoming requests and proxy them inside the cluster according to specific rules so, I can say, I have built an Ingress by myself. Can't I add https to this structure and do I need to set a redundant part (a k8s Ingress) in front of the cluster?
Not sure if I fully understood your question.
In Kubernetes you are exposing your cluster/application using a service, which is well described here. A good comparison of all services can be found in this article.
When you are creating service type LoadBalancer it creates an L4 LoadBalancer. L4 is aware of information like source IP:port and destination IP:port, but doesn't have any information about the application layer (Layer 7). HTTP/HTTPS LoadBalancers are on Layer 7, so they are aware of the application. More information about Load Balancing can be found here.
Layer 4-based load balancing to direct traffic based on data from network and transport layer protocols, such as IP address and TCP or UDP port
Layer 7-based load balancing to add content-based routing decisions based on attributes, such as the HTTP header and the uniform resource identifier
Ingress is something like LoadBalancer with L7 support.
The Ingress is a Kubernetes resource that lets you configure an HTTP load balancer for applications running on Kubernetes, represented by one or more Services. Such a load balancer is necessary to deliver those applications to clients outside of the Kubernetes cluster.
Ingress also provides many advantages. For example, if you have many services in your cluster you can create one LoadBalancer and Ingress which will be able to redirect traffic to the proper service and allows you to cut costs of creating a few LoadBalancers.
In order for the Ingress resource to work, the cluster must have an ingress controller running.
The Ingress controller is an application that runs in a cluster and configures an HTTP load balancer according to Ingress resources. The load balancer can be a software load balancer running in the cluster or a hardware or cloud load balancer running externally. Different load balancers require different Ingress controller implementations. In the case of NGINX, the Ingress controller is deployed in a pod along with the load balancer.
There are many Ingress Controllers, but the most popular is Nginx Ingress Controller.
So my answer regarding:
why can't we set Https in front of a LoadBalancer instead of an Ingress?
It's not only about securing your cluster using HTTPS but also many capabilities and features which Ingress provides.
Very good documentation regarding HTTP(S) Load Balancing can be found on GKE Docs.
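The two exposure models discussed above, side by side as manifests. This is an added example, not part of the original question or answer: a Service of type LoadBalancer that only forwards TCP 443, and an Ingress that terminates TLS and routes by host and path. All names, hosts and ports are hypothetical, and an ingress class named nginx is assumed to be installed.

```yaml
# Constructed example: every name, host and port below is hypothetical.
# 1) L4 exposure: the cloud load balancer forwards TCP 443 unchanged.
#    It never sees the Host header or URL path, so the certificate,
#    private key and all routing logic must live in the selected pods.
apiVersion: v1
kind: Service
metadata:
  name: gateway-l4
spec:
  type: LoadBalancer
  selector:
    app: gateway
  ports:
    - name: https
      protocol: TCP
      port: 443
      targetPort: 8443
---
# 2) L7 exposure: the ingress controller terminates TLS with the key pair
#    in the referenced Secret (type kubernetes.io/tls, keys tls.crt and
#    tls.key), then routes by host and path to in-cluster Services.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shop
spec:
  ingressClassName: nginx   # assumption: an ingress class with this name exists
  tls:
    - hosts:
        - shop.example.com
      secretName: shop-example-com-tls
  rules:
    - host: shop.example.com
      http:
        paths:
          - path: /api
            pathType: Prefix
            backend:
              service: {name: api, port: {number: 8080}}
          - path: /
            pathType: Prefix
            backend:
              service: {name: frontend, port: {number: 80}}
```

With the first manifest the private key has to be mounted into every gateway pod; with the second it is held in one Secret in the Ingress's namespace, so access to it can be restricted with RBAC on that Secret.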