
Having 1 outgoing IP for kubernetes egress traffic

Current set-up

Cluster specs: Managed Kubernetes on Digital Ocean

Goal

My pods are accessing some websites but I want to use a proxy first.

Problem

The proxy I need to use is only taking 1 IP address in an "allow-list".

My cluster is using different nodes, with node-autoscaler, so I have multiple and changing IP addresses.

Solutions I am thinking about

  • Setting up a proxy (squid? nginx?) outside of the cluster (currently not working when I access an HTTPS website)
  • Istio could let me set up a gateway? (No knowledge of Istio)
  • Use GCP managed K8s, and follow the answers on Kubernetes cluster outgoing traffic IP. But all our stack is on Digital Ocean and the pricing is better there.

I am curious to know what is the best practice, the easiest solution, or if anyone has experienced such a use-case before :)

Best

You could set up all your traffic to go through istio-egressgateway.

Then you could manipulate the istio-egressgateway to always be deployed on the same node of the cluster, and whitelist that IP address.

Pros: super easy. BUT. If you are not using Istio already, setting up Istio just for this may be killing a mosquito with a bazooka.

Cons: Need to make sure the node doesn't change the IP address. Otherwise the istio-egressgateway itself might not get deployed (if you do not have the labels added to the new node), and you will need to reconfigure everything for the new node (new IP address). Another con might be the fact that if the traffic goes up, there is an HPA, which will deploy more replicas of the gateway, and all of them will be deployed on the same node. So, if you are going to have lots of traffic, maybe it would be a good idea to isolate one node, just for this purpose.

Another option would be as you are suggesting: a proxy. I would recommend an Envoy proxy directly. I mean, Istio is going to be using Envoy anyway, right? So, just get the proxy directly, put it in a pod, and do the same thing as I mentioned before: node affinity, so it will always run on the same node, so it will go out with the same IP.

Pros: You are not installing an entire service mesh control plane for one tiny thing.

Cons: Same as before, as you still have the issue of the node IP change if something goes wrong, plus you will need to manage your own Deployment object, HPA, configure the Envoy proxy, etc. instead of using Istio objects (like Gateway and VirtualService).

Finally, I see a third option: to set up a NAT gateway outside the cluster, and configure your traffic to go through it.

Pros: You won't have to configure any kubernetes object, therefore there will be no need to set up any node affinity, therefore there will be no node overwhelming or IP change. Plus you can remove the external IP addresses from your cluster, so it will be more secure (unless you have other workloads that need to reach the internet directly). Also, probably having a single node configured as NAT will be more resilient than a kubernetes pod running in a node.

Cons: May be a little bit more complicated to set up?

And there is this general con, that you can whitelist only 1 IP address, so you will always have a single point of failure. Even a NAT gateway; it still can fail.

The GCP static IP won't help you. What the other post is suggesting is to reserve an IP address, so you can always re-use it. But it's not that you will have that IP address automatically added to a random node that goes down. Human intervention is needed. I don't think you can have one specific node have a static IP address, and if it goes down, the newly created node will pick the same IP. That service, to my knowledge, doesn't exist.

Now, GCP does offer a very resilient NAT gateway. It is managed by Google, so it shouldn't fail. Not cheap though.
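The "proxy pod pinned with node affinity" option from the answer above, written out as an added example manifest (not from the question, the answer, or any project). It assumes you have labelled the isolated node `egress-node=true`, tainted it `dedicated=egress:NoSchedule` so nothing else lands there, and already hold the Envoy forward-proxy configuration in a ConfigMap named `egress-proxy-config` listening on port 8080; the image tag is also an assumption.

```yaml
# Added example: pin the egress proxy to one node so all traffic leaves
# from that node's public IP (the one on the upstream proxy's allow-list).
# Assumed values: node label egress-node=true, taint dedicated=egress,
# ConfigMap egress-proxy-config, Envoy listening on 8080.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: egress-proxy
  namespace: egress
spec:
  # One replica and no HPA: extra replicas would all be forced onto the
  # same pinned node anyway, which the answer warns about.
  replicas: 1
  selector:
    matchLabels:
      app: egress-proxy
  template:
    metadata:
      labels:
        app: egress-proxy
    spec:
      # Hard requirement: the scheduler may only use the labelled node.
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: egress-node
                    operator: In
                    values: ["true"]
      # Tolerate the taint that keeps other workloads off that node.
      tolerations:
        - key: dedicated
          operator: Equal
          value: egress
          effect: NoSchedule
      containers:
        - name: envoy
          image: envoyproxy/envoy:v1.28-latest   # assumed tag
          args: ["-c", "/etc/envoy/envoy.yaml"]
          ports:
            - containerPort: 8080
          volumeMounts:
            - name: config
              mountPath: /etc/envoy
              readOnly: true
      volumes:
        - name: config
          configMap:
            name: egress-proxy-config
```

Expose it with a ClusterIP Service and point the application pods' proxy settings at it; if the autoscaler replaces the labelled node, the pod stays Pending until a node carries the label again, which is the IP-change failure mode the answer describes.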
