如何通过https访问kubernetes服务? [英] How to access a kubernetes service through https?

问题描述

这是我的集群信息

kubectl cluster-info
Kubernetes master is running at https://129.146.10.66:6443
Heapster is running at https://129.146.10.66:6443/api/v1/proxy/namespaces/kube-system/services/heapster
KubeDNS is running at https://129.146.10.66:6443/api/v1/proxy/namespaces/kube-system/services/kube-dns

所以，我有一个作为NodePort运行的服务(mysqlbrokerservice)，配置看起来像这样

So, I have a service(mysqlbrokerservice) running as NodePort and the configuration looks like this

kubectl describe svc mysqlbrokerservice
Name:                        mysqlbrokerservice
Namespace:                mysqlbroker
Labels:                        <none>
Annotations:                <none>
Selector:                app=mysqlbroker
Type:                        NodePort
IP:                        10.99.194.191
Port:                        mysqlbroker        8080/TCP
NodePort:                mysqlbroker        30000/TCP
Endpoints:                10.244.1.198:8080
Session Affinity:        None
Events:                        <none>

我可以通过pod运行的节点的公共IP来访问服务，如下所示 http: //129.146.34.181:30000/v2/目录.

I can access the service through the public IP of the node where the pod is running like this http://129.146.34.181:30000/v2/catalog.

然后，我想查看是否可以通过https访问该服务.我按照的指示进行操作https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#manually-constructing-apiserver-proxy-urls

Then what I wanted to see if I can access the service through https. I followed the direction in https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#manually-constructing-apiserver-proxy-urls

我遵循了示例，并使用curl来获取资源. 这是命令. 129.146.10.66:6443是我的主控IP.

I followed the example and used curl to get the resource. Here is the command. 129.146.10.66:6443 is my master ip.

curl -i -H "Accept: application/json" -H "Content-Type: application/json" -X GET  https://129.146.10.66:6443/api/v1/namespaces/mysqlbroker/services/mysqlbrokerservice:8080/proxy/v2/catalog --header "Authorization: Bearer $TOKEN" --insecure
HTTP/1.0 200 Connection established

curl只是坐在那里而没有任何回应.然后，我查看了我的pod日志，它没有显示收到任何请求.

curl just sits there with no response. I then looked at my pod logs and it does not show that any request received.

有人可以在这里解释我做错了什么吗?如果我希望通过https公开服务，什么是理想的解决方案?

Can somebody explain what I am doing wrong here? What's the ideal solution if I want a service to be exposed through https?

推荐答案

如果单击kubectl cluster-info提供的任何URL，您将看到浏览器提示您接受不安全的TLS连接.

If you click any of the URLs provided by kubectl cluster-info you will see that your browser prompts you to accept an insecure TLS connection.

要使HTTPs用于此特定地址，您将需要购买为主机名颁发的TLS证书(在这种情况下，是IP地址，而您不能购买IP地址的证书).将Kubernetes集群的根证书添加到计算机的受信任根的另一种选择，但这不会使其在其他计算机上工作.

For HTTPs to work for this particular address you will need to buy a TLS certificate issued for the hostname (in this case, the IP address and you can't buy certs for IP addresses). The other option to add Kubernetes cluster's Root Certificate to your computer's Trusted Roots, but that wouldn't make it work on other computers.

所以我假设您只是想使运行在Kubernetes上的应用程序可以通过HTTPs对外开放:

So I assume you're just trying to make an application running on Kubernetes accessible to the outside world, via HTTPs:

为此，我建议实际上购买域名(或重新使用子域)，为该主机名购买SSL/TLS证书，并使用Ingress配置带有HTTP终止的负载均衡器. https://kubernetes.io/docs/concepts/services-networking/ingress /#tls (如果您使用的是GKE，则是Google Load Balancer，否则它将配置本地nginx实例来执行此任务.)

For that, I recommend actually buying a domain name (or reusing a subdomain), buying a SSL/TLS certificate for that host name, and using an Ingress to configure a load balancer with HTTPs termination. https://kubernetes.io/docs/concepts/services-networking/ingress/#tls (If you're on GKE, Google Load Balancer, otherwise it would configure a local nginx instance to do this task.)

这篇关于如何通过https访问kubernetes服务?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！