
How to set up a Kubernetes NLB load balancer with an "IP"-based target group [AWS]?

Currently, I'm exposing a k8s service using a network load balancer. It creates a network load balancer and sets the target group as instance based, and everything works fine. As we know, the port on the nodes is always in the range 30000-32767.

There is a difference between the different target groups. An instance-based target group is used to preserve the client IP, whereas an IP-based one doesn't preserve the client IP.

Now there is a problem with the security group: I want to restrict the node ports so that they are only accessible from the CIDR of the load balancer. Since it is an instance-based target group, the inbound IP is always the client IP, so it is difficult to restrict access to only certain IPs.

So my plan is to switch the target group to "IP" based, so that I can restrict access to only the CIDR of the load balancer.

Is there any other way to create the NLB load balancer with the IP-based target type? Could you please help me with some suggestions?

```yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx-router
  annotations:
    # The do-loadbalancer-* annotations belong to the DigitalOcean cloud
    # provider; the AWS cloud provider ignores them.
    service.beta.kubernetes.io/do-loadbalancer-protocol: "http"
    service.beta.kubernetes.io/do-loadbalancer-healthcheck-path: "/healthz"
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
    # Not an annotation the in-tree AWS cloud provider recognises, so it has
    # no effect: the in-tree provider only creates instance-type target groups.
    service.beta.kubernetes.io/aws-target-type: ip
    # Poster's placeholder for the ACM certificate ARN (quoted so it parses
    # as a string; an unquoted [tes] is a YAML list and fails validation).
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "[tes]"
    # service.beta.kubernetes.io/healthcheck-path: /healthz
spec:
  type: LoadBalancer
  selector:
    app: nginx-router
  externalTrafficPolicy: Local
  ports:
    - name: http
      port: 80
      targetPort: 80
      protocol: TCP
    - name: https
      port: 443
      targetPort: 443
      protocol: TCP
```
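As an added example (not part of the original post), the following is a Service manifest that obtains an NLB with IP-type targets from the AWS Load Balancer Controller, which is installed separately from the in-tree AWS cloud provider; the in-tree provider only creates instance-type target groups, so switching target type means switching controllers. The certificate ARN, security group ID and client CIDR are placeholders, and the controller version requirements noted in the comments are assumptions about the cluster:

```yaml
# Added example, not the poster's manifest. Assumes the AWS Load Balancer
# Controller (v2.6 or later for the NLB security-group annotations) is
# installed and the in-tree provider is not claiming LoadBalancer Services.
apiVersion: v1
kind: Service
metadata:
  name: nginx-router
  annotations:
    # Hand the Service to the AWS Load Balancer Controller instead of the
    # in-tree provider, and register pod IPs (not nodes) as targets.
    service.beta.kubernetes.io/aws-load-balancer-type: external
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
    # Health check against the application, not the node port.
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: http
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: /healthz
    # TLS terminated on the NLB. Placeholder ARN.
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:123456789012:certificate/REPLACE-ME
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    # Attach a security group to the NLB itself (placeholder ID) and let the
    # controller add rules to the pod/node ENI security group that admit
    # traffic only from that NLB security group. This is what makes
    # "only the load balancer may reach the backends" expressible without
    # knowing the NLB's private IPs.
    service.beta.kubernetes.io/aws-load-balancer-security-groups: sg-0123456789abcdef0
    service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules: "true"
    # With IP targets on a TCP listener, client IP preservation is off by
    # default; keep it off so backends see only the NLB's private addresses.
    # If it is enabled, the backend security group must also admit the
    # client CIDRs (or reference the NLB security group), and the original
    # client address is better carried via proxy protocol v2.
    service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=false
spec:
  type: LoadBalancer
  # Restricts who may reach the NLB; the controller applies these ranges to
  # the NLB security group. Placeholder CIDR.
  loadBalancerSourceRanges:
    - 203.0.113.0/24
  selector:
    app: nginx-router
  # externalTrafficPolicy is irrelevant with IP targets: the NLB sends to
  # pods directly and never traverses a NodePort.
  ports:
    - name: http
      port: 80
      targetPort: 80
      protocol: TCP
    - name: https
      port: 443
      # TLS is terminated on the NLB, so the backend receives plaintext.
      targetPort: 80
      protocol: TCP
```

After `kubectl apply`, confirm the target group type with `aws elbv2 describe-target-groups` (the `TargetType` field should read `ip`) and check the ENI security group of the nodes or pods: the only inbound rule on the target ports should reference the NLB security group, not `0.0.0.0/0`.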

I ask myself whether you really need to solve this through the Network Load Balancer, or whether a solution in Kubernetes would be preferable.

The easiest way to remove a NodePort from the cluster is to actually not define any Services of type NodePort in Kubernetes. If some already exist, you can easily change them to type ClusterIP and the NodePort should be removed.

Since you wish to prevent any access to NodePorts, you can consider using a ResourceQuota to prevent the creation of any Services of type NodePort at all. This way the cluster tells the user that his Services won't work, instead of just preventing the traffic from reaching the application, which most likely results in a hard-to-understand timeout if you don't know the specifics of the load balancer configuration. (See here for reference: https://kubernetes.io/docs/concepts/policy/resource-quotas/#object-count-quota )
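As an added example, not part of the answer above: a namespace-scoped ResourceQuota that refuses any NodePort allocation, next to a LoadBalancer Service that still passes admission because it opts out of NodePort allocation. The opt-out is only viable when the NLB delivers traffic straight to pod IPs (IP target type via the AWS Load Balancer Controller); an instance-type NLB needs the NodePort and would be rejected by the same quota, which is the "fail at admission" behaviour the answer argues for. The namespace and names are assumptions.

```yaml
# Added example. Deny NodePort allocation in the namespace so a Service that
# would depend on node ports is rejected at admission rather than left
# silently unreachable behind a security-group rule.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: no-nodeports
  namespace: edge            # assumed namespace
spec:
  hard:
    # Counts NodePort Services and LoadBalancer Services that allocate node
    # ports (the default for LoadBalancer unless opted out below).
    services.nodeports: "0"
---
# A LoadBalancer Service admitted under that quota. It allocates no NodePort,
# so the NLB must reach pods directly: IP-type targets via the AWS Load
# Balancer Controller (assumed installed).
apiVersion: v1
kind: Service
metadata:
  name: nginx-router
  namespace: edge
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: external
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
spec:
  type: LoadBalancer
  allocateLoadBalancerNodePorts: false   # GA in Kubernetes 1.24
  selector:
    app: nginx-router
  ports:
    - name: http
      port: 80
      targetPort: 80
      protocol: TCP
```

With the quota in place, `kubectl create service nodeport test --tcp=8080 -n edge` is refused with an "exceeded quota" error, and so is any LoadBalancer Service in the namespace that leaves `allocateLoadBalancerNodePorts` at its default of `true`.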

Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you reproduce them, please credit this site or the original source.

 
© 2020-2024 STACKOOM.COM