AKS 连接到 Azure su.net 中的私有 .net 和 terraform
[英]AKS connected to an Azure subnet in a private vnet with terraform
问题描述
I would like to connect an AKS cluster to an internal .NET/su.net using terraform. Ideally i would like a single IP to be assigned to the service and for all pods in that service to maintain a private service IP. Something like:
我想使用 terraform 将 AKS 集群连接到内部 .NET/su.net。理想情况下,我希望将单个 IP 分配给该服务,并为该服务中的所有 Pod 维护私有服务 IP。类似于:
- .net/su.net IP cidr to be 172.16.0.0/16 .net/su.net IP cidr 为 172.16.0.0/16
- service cidr to be 172.16.1.0/24服务 cidr 为 172.16.1.0/24
- pods to be on 10.10.10.0/24 pod 位于 10.10.10.0/24
where essentially a single IP gets allocated to service cidr.基本上一个 IP 被分配给服务 cidr。 this way we can maintain separation between the pods and the outside world.这样我们就可以保持豆荚和外界之间的分离。 I would then have an ingress controller setup what would allow external access, and if the pods need to access resources on the internal .net, they should be able to be routed through the service --> su.net etc.然后我会有一个入口 controller 设置允许外部访问,如果 pod 需要访问内部 .net 上的资源,它们应该能够通过服务路由 --> su.net 等。
I can't see to get this to work.我看不出让这个工作。 What's the best way of configuring this in terraform?在 terraform 中配置它的最佳方法是什么?
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kube.netes_cluster.network_profile https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kube.netes_cluster.network_profile
to be clear i would not like each pod to receive su.net address allocated.需要明确的是,我不希望每个 pod 都收到分配的 su.net 地址。
1 个解决方案
解决方案1
1 已采纳 2022-02-15 19:15:00
The you can use kub.net as the CNI.您可以使用kub.net作为 CNI。 Kub.net uses a so called Overlay Network and is doing therefore NAT, this means AKS cluster nodes gets IPs inside your Su.net and the Pods receive an IP address from a logically different address space. Kub.net 使用所谓的覆盖网络并因此进行 NAT,这意味着 AKS 集群节点在您的 Su.net 中获取 IP,并且 Pod 从逻辑上不同的地址空间接收 IP 地址。
I honestly would recommend to user bigger.networks (at least /16) as the ones you specified:老实说,我会像您指定的那样向用户 bigger.networks(至少 /16)推荐:
NOTE: IF the .net & Su.net already exist you need to import them with Terraform to create your AKS there.注意:如果 .net 和 Su.net 已经存在,您需要使用 Terraform 导入它们以在那里创建您的 AKS。
network_profile {
network_plugin = kubenet
pod_cidr = 10.10.10.0/24
service_cidr = 172.16.1.0/24
docker_bridge_cidr = 172.18.0.1/16
dns_service_ip = 172.16.1.10
outbound_type = userDefinedRouting
}
default_node_pool {
vnet_subnet_id = azurerm_subnet.YOUR_SUBNET.id
...
}
Egress:出口:
Kube.netes will route egress traffic not from the service to the su.net as you described/want it. Kube.netes 会将出口流量路由到 su.net,而不是您所描述/想要的服务。 By default AKS will use a LoadBalancer with a PublicIP .默认情况下,AKS 将使用带有PublicIP的LoadBalancer 。 Alternatively you can specifyuserDefinedRouting as outbound type for your AKS and create own routes.或者,您可以将userDefinedRouting指定为 AKS 的出站类型并创建自己的路由。
Ingress:入口:
Ingress will be routed to the AKS via an Azure LoadBalancer.入口将通过 Azure LoadBalancer 路由到 AKS。 The Ingress controller will get a Public IP that you can also create in advance with terraform (only the PublicIP, not the LoadBalancer) and assign to the Service for the Ingress Controller. Ingress controller 将获得一个 Public IP,您也可以使用 terraform(仅 PublicIP,而不是 LoadBalancer)提前创建并分配给 Ingress Controller 的服务。
apiVersion: v1
kind: Service
metadata:
annotations:
service.beta.kubernetes.io/azure-load-balancer-resource-group: myResourceGroup # only needed if the LB is in another RG
name: ingress-nginx-controller
spec:
loadBalancerIP: <YOUR_STATIC_IP>
type: LoadBalancer
You can also create an internal LoadBalancer and assign a private IP from your su.net:您还可以创建一个内部 LoadBalancer并从您的 su.net 分配一个私有的 IP:
apiVersion: v1
kind: Service
metadata:
annotations:
service.beta.kubernetes.io/azure-load-balancer-internal: "true"
name: ingress-nginx-controller-internal
spec:
loadBalancerIP: <YOUR_STATIC_PRIVATE_IP>
type: LoadBalancer
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.