Kubernetes容器与单独VPC中的RDS实例的连接 [英] Kubernetes container connection to RDS instance in separate VPC

问题描述

我在自己的VPC内的Amazon EC2中运行着一个Kubernetes集群，我正在尝试使Dockerized服务连接到RDS数据库(位于不同的VPC中).我已经弄清了对等和路由表条目，因此可以从小仆机器上做到这一点:

I have a Kubernetes cluster running in Amazon EC2 inside its own VPC, and I'm trying to get Dockerized services to connect to an RDS database (which is in a different VPC). I've figured out the peering and routing table entries so I can do this from the minion machines:

ubuntu@minion1:~$ psql -h <rds-instance-name>
Password:

所以一切正常.问题是，当我尝试从Kubernetes管理的容器内部建立连接时，出现超时:

So that's all working. The problem is that when I try to make that connection from inside a Kubernetes-managed container, I get a timeout:

ubuntu@pod-1234:~$ psql -h <rds-instance-name>
…

要连接奴才，我配置了对等连接，从Kubernetes VPC设置路由表，以便10.0.0.0/16(RDS VPC的CIDR)映射到对等连接，并更新了RDS实例的安全性.组，以允许从地址范围172.20.0.0/16(Kubernetes VPC的CIDR)到端口5432的流量.

To get the minion to connect, I configured a peering connection, set up the routing tables from the Kubernetes VPC so that 10.0.0.0/16 (the CIDR for the RDS VPC) maps to the peering connection, and updated the RDS instance's security group to allow traffic to port 5432 from the address range 172.20.0.0/16 (the CIDR for the Kubernetes VPC).

推荐答案

在Kelsey Hightower的帮助下，我解决了这个问题.事实证明，这是一个Docker路由问题.我已经在博客文章，但最重要的是要像这样更改小兵的路由表:

With the help of Kelsey Hightower, I solved the problem. It turns out it was a Docker routing issue. I've written up the details in a blog post, but the bottom line is to alter the minions' routing table like so:

$ sudo iptables -t nat -I POSTROUTING -d <RDS-IP-ADDRESS>/32 -o eth0 -j MASQUERADE

这篇关于Kubernetes容器与单独VPC中的RDS实例的连接的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！