Google Cloud Build deploy to GKE Private Cluster


Problem description


I'm running a Google Kubernetes Engine cluster with the "private-cluster" option. I've also defined "authorized master networks" to be able to remotely access the environment - this works just fine. Now I want to set up some kind of CI/CD pipeline using Google Cloud Build - after successfully building a new docker image, this new image should be automatically deployed to GKE. When I first fired off the new pipeline, the deployment to GKE failed - the error message was something like: "Unable to connect to the server: dial tcp xxx.xxx.xxx.xxx:443: i/o timeout". As I had the "authorized master networks" option under suspicion of being the root cause of the connection timeout, I added 0.0.0.0/0 to the allowed networks and started the Cloud Build job again - this time everything went well, and after the docker image was created it was deployed to GKE. Good.


The only problem that remains is that I don't really want to allow the whole Internet to access my Kubernetes master - that's a bad idea, isn't it?


Are there more elegant solutions to narrow down access by using allowed master networks while still being able to deploy via Cloud Build?

Recommended answer


It's currently not possible to add Cloud Build machines to a VPC. Similarly, Cloud Build does not announce the IP ranges of the build machines. So you can't do this today without creating an "ssh bastion instance" or a "proxy instance" on GCE within that VPC.


I suspect this would change soon. GCB existed before GKE private clusters and private clusters are still a beta feature.
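The questioner's workaround of adding 0.0.0.0/0 to the master authorized networks is exactly the kind of setting worth catching in an audit, whichever bastion or proxy approach the answer describes is used instead. The following is an added example, not code from the question or answer: it takes the JSON that `gcloud container clusters describe --format=json` prints (a constructed sample here, with field names assumed to follow the GKE API's `masterAuthorizedNetworksConfig` shape) and flags a disabled feature, an any-address block, or any CIDR wider than an assumed policy threshold.

```python
import ipaddress
import json

# Constructed sample in the shape of `gcloud container clusters describe --format=json`
# (field names assumed to follow the GKE API's masterAuthorizedNetworksConfig).
SAMPLE_CLUSTER_JSON = """
{
  "name": "example-private-cluster",
  "privateClusterConfig": {"enablePrivateNodes": true},
  "masterAuthorizedNetworksConfig": {
    "enabled": true,
    "cidrBlocks": [
      {"displayName": "office", "cidrBlock": "203.0.113.0/24"},
      {"displayName": "cloud-build-workaround", "cidrBlock": "0.0.0.0/0"},
      {"displayName": "vpn-too-wide", "cidrBlock": "198.51.100.0/8"}
    ]
  }
}
"""

# Widest prefix accepted for a master authorized network (assumed policy, not a GKE default).
MAX_PREFIX_WIDTH = 24


def audit_master_authorized_networks(cluster: dict, max_width: int = MAX_PREFIX_WIDTH) -> list:
    """Return human-readable findings for overly broad control-plane access."""
    findings = []
    cfg = cluster.get("masterAuthorizedNetworksConfig") or {}
    if not cfg.get("enabled"):
        # With the feature disabled, the public endpoint accepts traffic from any address.
        findings.append("masterAuthorizedNetworks disabled: API server reachable from any address")
        return findings
    for block in cfg.get("cidrBlocks", []):
        cidr = block.get("cidrBlock", "")
        name = block.get("displayName", "<unnamed>")
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append(f"{name}: unparseable cidrBlock {cidr!r}")
            continue
        if net.prefixlen == 0:
            findings.append(f"{name}: {cidr} allows the whole Internet")
        elif net.prefixlen < max_width:
            findings.append(f"{name}: {cidr} is wider than /{max_width} ({net.num_addresses} addresses)")
    return findings


def audit_json(text: str) -> list:
    """Parse describe output and audit it."""
    return audit_master_authorized_networks(json.loads(text))
```

Running `audit_json` over the real describe output of a cluster gives the list of entries to remove or tighten before the 0.0.0.0/0 workaround is forgotten.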
