
Cannot make external API calls from application running inside a kubernetes pod

I have an application running inside the kubernetes cluster where I am making an API call to an endpoint, let's say www.example.com/api, which another team maintains, but the request is timing out. I discovered that the IPs need to be whitelisted in order to make a successful request to that endpoint, and we whitelisted the cluster IP. Also, at this point we did not whitelist the node IPs that I got by running kubectl get nodes -o wide. Any pointers will be very helpful.

If you whitelisted the Control plane IP, it's useless: it's not the control plane that performs the API call, but your code running in the Pods.

And the pods run on your nodes. The problem is: if your cluster can scale the number of Nodes automatically, you don't know in advance the IPs that you will have.

(It's also for that reason that Google says not to trust the network (the IP) but the identity (the authentication that you can provide with your API Call)).


Anyway, one recommended and secure way to secure and solve your issue is to create a cluster with private nodes (no public IPs) and to add a Cloud NAT to NAT the external calls into a static (and owned) Public IP(s).

Because it's YOUR IP(s) you can trust and allow them (no reuse possible by another Google Cloud customer because it reuses an IP in the Google pool that you used before).

You can find a sample here
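An added example of the private-nodes-plus-Cloud-NAT layout the answer describes, written here in Terraform; it is not the answer's own code nor the sample it links to. It assumes project and region are set in the provider block, and every name and CIDR below is a placeholder:

```hcl
# Added example, not the answer's code. Names and CIDRs are placeholders.
resource "google_compute_network" "vpc" {
  name                    = "private-gke-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "nodes" {
  name                     = "gke-nodes"
  region                   = "europe-west1"
  network                  = google_compute_network.vpc.id
  ip_cidr_range            = "10.10.0.0/20"
  private_ip_google_access = true # reach Google APIs with no public IP
}

# The one address the other team allowlists; reserved, so it stays yours.
resource "google_compute_address" "egress" {
  name   = "gke-egress-ip"
  region = "europe-west1"
}

resource "google_compute_router" "router" {
  name    = "gke-router"
  region  = "europe-west1"
  network = google_compute_network.vpc.id
}

resource "google_compute_router_nat" "nat" {
  name                               = "gke-nat"
  router                             = google_compute_router.router.name
  region                             = "europe-west1"
  nat_ip_allocate_option             = "MANUAL_ONLY" # AUTO_ONLY hands out ephemeral IPs
  nat_ips                            = [google_compute_address.egress.self_link]
  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
}

resource "google_container_cluster" "private" {
  name               = "private-cluster"
  location           = "europe-west1"
  network            = google_compute_network.vpc.id
  subnetwork         = google_compute_subnetwork.nodes.id
  initial_node_count = 1
  ip_allocation_policy {} # VPC-native, required for private nodes
  private_cluster_config {
    enable_private_nodes    = true # no node gets a public IP, even after autoscaling
    enable_private_endpoint = false
    master_ipv4_cidr_block  = "172.16.0.0/28"
  }
}
```

With this in place the other team only ever sees the reserved egress address, however many nodes the autoscaler adds or replaces.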
