Kubernetes Docker Containers behind proxy

Question

We have deployed a Kubernetes cluster behind a proxy and successfully configured the docker daemon to use our proxy for pulling images, as described at the following page: https://docs.docker.com/config/daemon/systemd/#httphttps-proxy

We have configured the Docker client to set the environment parameters "https_proxy", "http_proxy" and "no_proxy" as defined at the following page: https://docs.docker.com/network/proxy/#configure-the-docker-client

The Kubernetes cluster setup is as follows:

aadigital1:~ # kubectl get node
NAME         STATUS    ROLES         AGE       VERSION
aadigital1   Ready     master,node   9d        v1.10.4
aadigital2   Ready     node          9d        v1.10.4
aadigital3   Ready     node          9d        v1.10.4
aadigital4   Ready     node          9d        v1.10.4
aadigital5   Ready     node          9d        v1.10.4

Docker container run manually - ENV parameters are set correctly

The environment parameters for docker containers which are manually deployed are set as defined:

aadigital1:~ # docker run -i -t odise/busybox-curl ash
/ # printenv
HTTPS_PROXY=http://ssnproxy.ssn.xxx.com:80/
no_proxy=localhost,127.0.0.0,127.0.1.1,127.0.1.1,local.home,80.250.142.64,80.250.142.65,80.250.142.66,80.250.142.69,80.250.142.70,80.250.142.71,aadigital1.aan.xxx.com,aadigita2.ssn.xxx.com,aadigital3.ssn.xxx.com,aadigital4.ssn.xxx.com,aadigita5.ssn.xxx.com,aadigital6.ssn.xxx.com
HOSTNAME=0360a9dcd20b
SHLVL=1
HOME=/root
NO_PROXY=localhost,127.0.0.0,127.0.1.1,127.0.1.1,local.home,80.250.142.64,80.250.142.65,80.250.142.66,80.250.142.69,80.250.142.70,80.250.142.71,aadigital1.aan.xxx.com,aadigita2.ssn.xxx.com,aadigital3.ssn.xxx.com,aadigital4.ssn.xxx.com,aadigita5.ssn.xxx.com,aadigital6.ssn.xxx.com
https_proxy=http://ssnproxy.ssn.xxx.com:80/
http_proxy=http://ssnproxy.ssn.xxx.com:80/
TERM=xterm
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/
HTTP_PROXY=http://ssnproxy.ssn.xxx.com:80/

Kubernetes POD - ENV parameters are not set

The same docker image used above as a Kubernetes POD does not have the proxy environment parameters (same machine aadigital1):

aadigital1:~ # kubectl get pod -o wide
NAME                       READY     STATUS    RESTARTS   AGE       IP          NODE
busybox-6d4df8f8b7-m62m2   1/1       Running   3          2d        10.0.0.16   aadigital3
busybox-curl               1/1       Running   0          16m       10.0.1.59   aadigital1
busybox-dns                1/1       Running   9          6h        10.0.1.53   aadigital1
aadigital1:~ # kubectl exec -it busybox-curl -- ash
/ # printenv
KUBERNETES_PORT=tcp://10.0.128.1:443
NGINX_NODEPORT_PORT=tcp://10.0.204.167:80
KUBERNETES_SERVICE_PORT=443
NGINX_NODEPORT_SERVICE_PORT=80
HOSTNAME=busybox-curl
SHLVL=1
HOME=/root
NGINX_NODEPORT_PORT_80_TCP_ADDR=10.0.204.167
NGINX_NODEPORT_PORT_80_TCP_PORT=80
NGINX_NODEPORT_PORT_80_TCP_PROTO=tcp
TERM=xterm
NGINX_NODEPORT_PORT_80_TCP=tcp://10.0.204.167:80
KUBERNETES_PORT_443_TCP_ADDR=10.0.128.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP=tcp://10.0.128.1:443
KUBERNETES_SERVICE_PORT_HTTPS=443
PWD=/
KUBERNETES_SERVICE_HOST=10.0.128.1
NGINX_NODEPORT_SERVICE_HOST=10.0.204.167

How could we configure Kubernetes / Docker so that the proxy environment parameters are set correctly for the PODs?

Thank you very much!

Recommended answer

The reason for that state is that environment variables with the proxy are a feature of the docker client. Docker is divided into 2 parts: the API exposed on a socket by the docker daemon, and the docker client CLI, with which you can run a container (docker run ....), so that command will hit the docker daemon API making 'something'. Sadly, Kubernetes is another API client, which means that Kubernetes doesn't use the docker client to schedule containers (Kubernetes accesses the API directly using an SDK), so that's why you don't see the expected environment variables.

To work around that problem I would suggest creating a ConfigMap with those proxy values, e.g.

apiVersion: v1
kind: ConfigMap
metadata:
  name: your-config-map-name
  labels:
    app: your-best-app
data:
  HTTPS_PROXY: http://ssnproxy.ssn.xxx.com:80/
  HTTP_PROXY: http://ssnproxy.ssn.xxx.com:80/

and mount them to deployment as environment variables using

envFrom:
  - configMapRef:
      name: your-config-map-name
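
The two fragments above combined into one manifest, as an added example that is not part of the original answer. It also sets the lower-case variable names and a NO_PROXY list so that in-cluster traffic (such as calls to the API server at 10.0.128.1, taken from the question's output) is not sent to the external proxy. The names proxy-env and busybox-curl-proxy are hypothetical, and .cluster.local assumes the default cluster domain.

```yaml
# Added example; not from the original answer.
# "proxy-env" and "busybox-curl-proxy" are hypothetical names.
apiVersion: v1
kind: ConfigMap
metadata:
  name: proxy-env
data:
  # Set both spellings: tools differ in which one they read
  # (curl, for example, ignores upper-case HTTP_PROXY).
  HTTP_PROXY: "http://ssnproxy.ssn.xxx.com:80/"
  HTTPS_PROXY: "http://ssnproxy.ssn.xxx.com:80/"
  http_proxy: "http://ssnproxy.ssn.xxx.com:80/"
  https_proxy: "http://ssnproxy.ssn.xxx.com:80/"
  # Keep loopback and in-cluster destinations off the proxy.
  # 10.0.128.1 is KUBERNETES_SERVICE_HOST from the question's printenv;
  # ".cluster.local" is an assumption (default cluster domain).
  NO_PROXY: "localhost,127.0.0.1,10.0.128.1,.svc,.cluster.local"
  no_proxy: "localhost,127.0.0.1,10.0.128.1,.svc,.cluster.local"
---
apiVersion: v1
kind: Pod
metadata:
  name: busybox-curl-proxy
spec:
  containers:
    - name: busybox-curl
      image: odise/busybox-curl   # image used in the question
      command: ["sleep", "3600"]
      # Every key of the ConfigMap becomes an environment variable.
      envFrom:
        - configMapRef:
            name: proxy-env
```

Running printenv inside this pod with kubectl exec, as in the question, should now list the proxy variables next to the KUBERNETES_* ones. Pods created before the ConfigMap was changed keep their old environment until they are recreated.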
