如何使用 Kubernetes pod 作为特定 IP 的网关?
[英]How to use a Kubernetes pod as a gateway to specific IPs?
问题描述
I've got a database running in a private network (say IP 1.2.3.4).
我有一个在专用网络中运行的数据库(比如 IP 1.2.3.4)。
In my own computer, I can do these steps in order to access the database:在我自己的计算机上,我可以执行以下步骤来访问数据库:
- Start a Docker container using something like
docker run --privileged --sysctl net.ipv4.ip_forward=1...使用类似docker run --privileged --sysctl net.ipv4.ip_forward=1... - Get the container IP获取容器 IP
- Add a routing rule, such as
ip route add 1.2.3.4/32 via $container_ip添加路由规则,如ip route add 1.2.3.4/32 via $container_ip
And then I'm able to connect to the database as usual.然后我就可以像往常一样连接到数据库了。
I wonder if there's a way to route traffic through a specific pod in Kubernetes for certain IPs in order to achieve the same results.我想知道是否有办法通过 Kubernetes 中的特定 pod 为某些 IP 路由流量以达到相同的结果。 We use GKE, by the way, I don't know if this helps in any way.顺便说一句,我们使用 GKE,我不知道这是否有任何帮助。
PS: I'm aware of the sidecar pattern, but I don't think this would be ideal for our use case, as our jobs are short-lived tasks, and we are not able to run multiple "gateway" containers at the same time. PS:我知道 sidecar 模式,但我认为这对于我们的用例来说并不理想,因为我们的工作是短期任务,我们无法同时运行多个“网关”容器时间。
4 个解决方案
解决方案1
0 2022-01-04 03:18:00
I wonder if there's a way to route traffic through a specific pod in Kubernetes for certain IPs in order to achieve the same results. We use GKE, by the way, I don't know if this helps in any way.
You can start a GKE in a fully private network like this , then you run application that needs to be fully private in this cluster.您可以像这样在完全私有的网络中启动 GKE,然后在该集群中运行需要完全私有的应用程序。 Access to this cluster is only possible when explicitly granted;只有在明确授予时才能访问此集群; just like those commands you used in your question, but of course now you will use the cloud platform (eg. service control, bastion etc etc), there is no need to "route traffic through a specific pod in Kubernetes for certain IPs".就像您在问题中使用的那些命令一样,但当然现在您将使用云平台(例如服务控制、堡垒等),无需“通过 Kubernetes 中的特定 pod 为某些 IP 路由流量”。 But if you have to run everything in a cluster, then likely a fully private cluster will not work for you, in this case you can the use network policy to control access to your database pod.但是如果你必须在一个集群中运行所有东西,那么一个完全私有的集群可能不适合你,在这种情况下你可以使用网络策略来控制对你的数据库 pod 的访问。
解决方案2
0 2022-01-04 07:35:31
GKE doesn't support the use case you mentionned @gabriel Milan. GKE 不支持您提到@gabriel Milan 的用例。
What's your requirement?你有什么要求? Do you need to know which IP the pod will use to reach the database so you can open a firewall for it?您是否需要知道 pod 将使用哪个 IP 来访问数据库,以便为它打开防火墙?
解决方案3
0 2022-01-04 15:06:07
Replying here as the comments have limited character count在这里回复,因为评论的字符数有限
Unfortunately GKE doesn't support that use case.不幸的是,GKE 不支持该用例。
However You have couple of options:但是,您有几个选择:
- Option#1: Create a dedicated nodepool with couple of nodes, force the pods to be scheduled on these nodes using taints and tolerations [1].选项#1:创建一个包含几个节点的专用节点池,强制使用 taints 和 tolerations 在这些节点上调度 pod [1]。 Use the IP addresses of these nodes on your firewall在防火墙上使用这些节点的 IP 地址
- Option#2: Install a Service Mesh like Istio, Use the Egress gateway[2] to route traffic toward your onPrem system and force the gateways to be deployed on a specific set of nodes so you have a know IP address.选项#2:安装像 Istio 这样的服务网格,使用 Egress gateway[2] 将流量路由到您的 onPrem 系统,并强制将网关部署在一组特定的节点上,这样您就知道 IP 地址。 This quite complicated as a solution这作为一个解决方案相当复杂
[1] https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ [1] https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
[2] https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/ [2] https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/
解决方案4
0 2022-01-04 15:29:57
i would suggest using or creating the NAT gateway instead of using the container as a gateway option.我建议使用或创建NAT网关,而不是使用容器作为网关选项。
Using container or Istio is a good idea however it has its own limitations hard to implement, management and resources usage of that gateway containers.使用容器或 Istio 是一个好主意,但是它有其自身的限制,难以实现、管理和使用网关容器的资源。
Ultimately you want Single IP for your K8s cluster, instead request going out instead of Node's IP on which POD is scheduled.最终,您希望 K8s 集群使用单个 IP ,而不是请求外出而不是调度POD的节点的 IP 。
Here terraform of GKE NAT gateway which you can use it.这里你可以使用GKE NAT网关的terraform 。
https://registry.terraform.io/modules/GoogleCloudPlatform/nat-gateway/google/latest/examples/gke-nat-gateway https://registry.terraform.io/modules/GoogleCloudPlatform/nat-gateway/google/latest/examples/gke-nat-gateway
NAT gateway will forward all PODs traffic from a single VM and you can use that IP in the database to whitelist also. NAT 网关将转发来自单个 VM的所有 POD 流量,您也可以将数据库中的 IP 用于白名单。
After implementation, there will be single Egress point in your cluster.实施后,您的集群中将有一个Egress点。
GitHub Repo link - Click to deploy available GCP magic;) GitHub 回购链接- 单击以部署可用的 GCP 魔法;)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.