部署在私有 su.net 中时如何访问 eks 集群?
[英]How is eks cluster accessible when deployed in a private subnet?
问题描述
When deploying an EKS cluster, the best practice is to deploy the managed control plane in private su.nets.
部署 EKS 集群时,最佳做法是在私有 su.net 中部署托管控制平面。 In terms of accessibility, the defalt option is public cluster, meaning that I can access it locally with kubectl tool and updated kubeconfig.在可访问性方面,默认选项是public集群,这意味着我可以使用kubectl工具和更新的 kubeconfig 在本地访问它。
How am I able to access the cluster if it is deployed in private su.nets with no inbound traffic?如果集群部署在没有入站流量的私有 su.net 中,我如何能够访问该集群? As per the documentation , AWS creates a managed endpoint that can access the cluster from within the AWS.network.根据文档,AWS 创建了一个托管端点,可以从 AWS.network 中访问集群。
What is the architecture behind it, how does it internally work?它背后的架构是什么,它在内部是如何工作的? Is there some kind of a proxy (agent) being deployed (found aws-node )?是否部署了某种代理(代理)(找到aws-node )?
- deployed my own EKS cluster部署了我自己的 EKS 集群
- read the documentation阅读文档
- tried to scrape for additional info试图抓取更多信息
1 个解决方案
解决方案1
0 2023-01-26 08:33:20
The type of EKS.networking you're setting up is configured to restrict access to the API server with a private endpoint that's only accessible from within the VPC.您正在设置的 EKS.networking 类型配置为限制对 API 服务器的访问,该服务器具有只能从 VPC 内部访问的专用端点。 So any Kube.netes API requests (kubectl commands) have to originate from within the VPC (public or private su.nets).因此,任何 Kube.netes API 请求(kubectl 命令)都必须来自 VPC(公共或私有 su.net)。 If you are doing this as a personal project, then you can do the following:如果您将此作为个人项目进行,则可以执行以下操作:
- Create abastion host in the public su.net of your VPC with a key pair.使用密钥对在 VPC 的公共 su.net 中创建堡垒主机。 Launch this host with user data that installs kubectl and any other CLI tools you need.使用安装 kubectl 和您需要的任何其他 CLI 工具的用户数据启动此主机。
- Access the bastion host via SSH from your workstation to ensure it works as expected.从您的工作站通过 SSH 访问堡垒主机,以确保它按预期工作。
- Check that the security group attached to your EKS control plane can receive 443 traffic from the public su.net.检查附加到您的 EKS 控制平面的安全组是否可以从公共 su.net 接收 443 流量。 You can create a rule for this if one doesn't exist.如果规则不存在,您可以为此创建一个规则。 This will enable communication between the bastion host in the public su.net and the cluster in the private su.nets.这将启用公共 su.net 中的堡垒主机和私有 su.net 中的集群之间的通信。
- Access the bastion host and then use it to communicate with the cluster just as you would with your personal machine.访问堡垒主机,然后使用它与集群通信,就像与您的个人计算机一样。 For example, run
aws eks --region <region> update-kubeconfig --name <name-of-your-cluster>to update your kubeconfig and then proceed to run kubectl commands.例如,运行aws eks --region <region> update-kubeconfig --name <name-of-your-cluster>更新您的 kubeconfig,然后继续运行 kubectl 命令。
Sidenote: If this is for an enterprise project, you can also look into using AWS VPN or DirectConnect to access the VPC.旁注:如果这是针对企业项目,您还可以考虑使用 AWS VPN 或 DirectConnect 访问 VPC。
Other helpful resources:其他有用的资源:
- https://aws.amazon.com/blogs/containers/de-mystifying-cluster.networking-for-amazon-eks-worker-nodes/ https://aws.amazon.com/blogs/containers/de-mystifying-cluster.networking-for-amazon-eks-worker-nodes/
- https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html#private-access https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html#private-access
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.