How to preserve source IP from traffic arriving on a ClusterIP service with an external IP?

Views: 152

Question

I currently have a service that looks like this:

apiVersion: v1
kind: Service
metadata:
  name: httpd
spec:
  ports:
    - port: 80
      targetPort: 80
      name: http
      protocol: TCP
    - port: 443
      targetPort: 443
      name: https
      protocol: TCP
  selector:
    app: httpd
  externalIPs:
    - 10.128.0.2  # VM's internal IP

I can receive traffic fine from the external IP bound to the VM, but all of the requests are received by the HTTP with the source IP 10.104.0.1, which is most definitely an internal IP – even when I connect to the VM's external IP from outside the cluster.

How can I get the real source IP for the request without having to set up a load balancer or ingress?

Recommended answer

If you only have exactly one pod, you can use hostNetwork: true to achieve this:

apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: caddy
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: caddy
    spec:
      hostNetwork: true # <---------
      containers:
      - name: caddy
        image: your_image
        env:
        - name: STATIC_BACKEND # example env in my custom image
          value: $(STATIC_SERVICE_HOST):80

Note that by doing this your pod will inherit the host's DNS resolver and not Kubernetes'. That means you can no longer resolve cluster services by DNS name. For example, in the example above you cannot access the static service at http://static. You still can access services by their cluster IP, which are injected by environment variables.
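An added example, not part of the original question or answer, that audits the answer's Deployment for the consequences of hostNetwork: true described above: the pod shares the node's network namespace, cluster DNS names stop resolving under the default dnsPolicy, and only one replica fits per node. It assumes stdlib Python only; the manifest is the answer's Deployment transcribed into a dict, and ClusterFirstWithHostNet is the Kubernetes dnsPolicy that keeps cluster DNS working for hostNetwork pods.

```python
# Added example (not from the original question or answer): audit a
# Deployment's pod spec for the consequences of hostNetwork: true.
# Stdlib only. The manifest below is the answer's Deployment transcribed
# into a dict (image name kept as the page's placeholder).
CADDY_DEPLOYMENT = {
    "apiVersion": "apps/v1beta1",
    "kind": "Deployment",
    "metadata": {"name": "caddy"},
    "spec": {
        "replicas": 1,
        "template": {
            "metadata": {"labels": {"app": "caddy"}},
            "spec": {
                "hostNetwork": True,
                "containers": [{"name": "caddy", "image": "your_image"}],
            },
        },
    },
}


def audit_host_network(deployment):
    """Return (code, message) findings for a hostNetwork Deployment."""
    spec = deployment.get("spec", {})
    pod_spec = spec.get("template", {}).get("spec", {})
    findings = []
    if not pod_spec.get("hostNetwork", False):
        return findings  # pod has its own network namespace: nothing to flag
    # 1. The pod shares the node's network namespace: it sees host
    #    interfaces and can bind any host port. Pod Security Standards
    #    (baseline and restricted) reject hostNetwork for this reason.
    findings.append(("HOST_NETNS", "pod shares the node's network namespace"))
    # 2. With hostNetwork, the default dnsPolicy (ClusterFirst) uses the
    #    host resolver, so Service names stop resolving; ClusterFirstWithHostNet
    #    keeps cluster DNS. Injected *_SERVICE_HOST cluster IPs work either way.
    if pod_spec.get("dnsPolicy", "ClusterFirst") != "ClusterFirstWithHostNet":
        findings.append(("CLUSTER_DNS_UNAVAILABLE",
                         "Service DNS names will not resolve from this pod"))
    # 3. Every replica binds the same host port, so at most one replica
    #    fits per node (the answer's "exactly one pod" condition).
    if spec.get("replicas", 1) > 1:
        findings.append(("ONE_REPLICA_PER_NODE",
                         "more than one replica cannot share a node"))
    return findings


if __name__ == "__main__":
    for code, message in audit_host_network(CADDY_DEPLOYMENT):
        print(f"{code}: {message}")
```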
