如何在外部服务器上将整个 kubernetes 集群列入白名单
[英]How to whitelist entire kubernetes cluster on external server
问题描述
I have a kubernetes cluster with several nodes, and it is connecting to a SQL server outside of the cluster.
我有一个带有多个节点的 kubernetes 集群,它连接到集群外的 SQL 服务器。 How can I whitelist these (potentially changing) nodes on the SQL server firewall, without having to whitelist each Node's external IP independently?如何在 SQL 服务器防火墙上将这些(可能更改的)节点列入白名单,而不必单独将每个节点的外部 IP 列入白名单?
Is there a clean solution for this?有没有一个干净的解决方案? Perhaps some intra-cluster tooling to route all requests through a single node?也许一些集群内工具可以通过单个节点路由所有请求?
1 个解决方案
解决方案1
0 2022-01-17 07:14:20
You would have to use a NAT.您将不得不使用 NAT。 It is possible, but fiddly (we do this weekly in order to connect to a hosted service to make backups, and the hosted service only whitelists a specific IP.)这是可能的,但很繁琐(我们每周这样做是为了连接到托管服务以进行备份,并且托管服务仅将特定的 IP 列入白名单。)
We used Terraform for spinning up a cluster, then deploying our backup job to it so it could connect to the hosted service, and since it was going via the NAT IP, the remote host would allow the connection.我们使用 Terraform 来启动集群,然后将我们的备份作业部署到它,以便它可以连接到托管服务,并且由于它通过 NAT IP 进行,远程主机将允许连接。
We used Cloud NAT via Terraform (as we were on GKE): https://registry.terraform.io/modules/terraform-google-modules/cloud-nat/google/latest我们通过 Terraform(就像我们在 GKE 上一样)使用 Cloud NAT: https://registry.terraform.io/modules/terraform-google-modules
Though there are surely similar options for whichever Kubernetes provider you are using.尽管您使用的 Kubernetes 提供商肯定有类似的选项。 If you are running bare-metal, you'll need to do the routing yourself.如果您正在运行裸机,则需要自己进行路由。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.