简体繁体 English

Kubernetes 中的服务到服务通信

[英]Service-to-Service Communication in Kubernetes

原文 2021-01-29 07:38:26 8 1 kubernetes/ load-balancing/ nginx-ingress/ amazon-eks/ aws-load-balancer

I have deployed my Kubernetes cluster on EKS.我已经在 EKS 上部署了我的 Kubernetes 集群。 I have an ingress-nginx which is exposed via load balancer to route traffic to different services.我有一个通过负载均衡器公开的 ingress-nginx，用于将流量路由到不同的服务。 In ingress-nginx first request goes to auth service for authentication and if it is a valid request then I allow it move forward.在 ingress-nginx 中，第一个请求转到 auth 服务进行身份验证，如果它是有效请求，那么我允许它继续前进。 Let say the request is in Service 1 and now from there, it wants to communicate to Service 2. So if I somehow want my request to go directly to ingress not via load balancer and then from ingress to service 2.假设请求在服务 1 中，现在从那里，它想与服务 2 通信。因此，如果我想以某种方式将我对 go 的请求直接发送到入口，而不是通过负载均衡器，然后从入口到服务 2。

Is is possible to do so?有可能这样做吗？
Will it help in improving performance as I bypassed load balancer?当我绕过负载均衡器时，它是否有助于提高性能？
As the request is not moving through load balancer so load balancing won't take place, is it a serious concern?由于请求没有通过负载均衡器，所以负载均衡不会发生，这是一个严重的问题吗？

1 个解决方案

1/ Is it possible: short answer, no. 1/ 是否可能：简短的回答，不。

There are edge cases, that would require for someone to create another Ingress object exposing Service2 in the first place.在某些极端情况下，需要有人首先创建另一个 Ingress object 来暴露 Service2。 Then, you could trick the Ingress into routing you to some service that might not otherwise be reachable (if the DNS doesn't exist, some VIP was not yet exposed, ...)然后，您可以欺骗 Ingress 将您路由到某些可能无法访问的服务（如果 DNS 不存在，则某些 VIP 尚未公开，...）

There's no real issue with external clients bypassing the ELB, as long as they can not join all ports on your nodes, just the ones bound by your ingress controller.绕过 ELB 的外部客户端没有真正的问题，只要它们不能加入您节点上的所有端口，只有那些由您的入口 controller 绑定的端口。

2/ Bypassing the loadbalancer: won't change much in terms of performance. 2/绕过负载均衡器：在性能方面不会有太大变化。

If we're talking about a TCP loadbalancer, getting it away would help track real client IPs, though.但是，如果我们谈论的是 TCP 负载均衡器，那么将其移除将有助于跟踪真实的客户端 IP。 Figuring out how to change it for an HTTP loadbalancer may be better -- though not always easy.弄清楚如何为 HTTP 负载均衡器更改它可能会更好——尽管并不总是那么容易。

3/ Removing the LoadBalancer: if you have several nodes hosting replicas of your incress controller, then you would still be able to do some kind of DNS-based loadbalancing. 3/ 移除 LoadBalancer：如果您有多个节点托管您的增量 controller 的副本，那么您仍然可以进行某种基于 DNS 的负载平衡。 Though for sure, it's not the same as having a real LB.虽然可以肯定的是，这与拥有真正的 LB 不同。

In AWS, you could find a middle ground setting up health-check based Route53 Records: set one for each node hosting an ingress controller, create another regrouping all healthy ingress nodes, then change your existing ingress FQDN records so they'ld all point to your new route53 name.在 AWS 中，您可以找到一个中间立场，设置基于健康检查的 Route53 记录：为每个托管入口 controller 的节点设置一个，创建另一个重新组合所有健康入口节点，然后更改现有入口 FQDN 记录，以便它们都指向您的新 route53 名称。 You'ld be able to do TCP/HTTP checks against EC2 instances IPs, that's usually good enough.您将能够对 EC2 实例 IP 进行 TCP/HTTP 检查，这通常已经足够了。 But again: DNS loadbalancing can suffer from outdated browser caches, some ISP not refreshing zones, ... LB is the real thing.但同样：DNS 负载平衡可能会受到过时的浏览器缓存、一些 ISP 不刷新区域的影响，...... LB 是真实的。