Kubernetes outbound calls to an external endpoint with IP whitelisting


Problem description

We are using Kubernetes on Google Cloud's Google Kubernetes Engine. Our system dynamically generates instances based on request and these instances call an external web service. The external service generates images and the bandwidth usage per instance is not small.

This external web service has IP whitelisting configured.

Is there any way that I can funnel all the requests going from the selected pods (they are grouped within a node pool) to the external service with a single IP?

Recommended answer

The answer is yes; there are actually several ways one can achieve this. I will describe a simple way to get this done: by tunnelling through a proxy server.

It could also be done by assigning external IPs to all your nodes and allowing them from the web service, but many engineers don't prefer doing it because no one wants to expose the nodes to the external world, for a million security reasons.

Add a separate, very small (maybe nano) VM within the same cluster and install HAProxy, Nginx or your favourite proxy. Or install the proxy on one of the instances you already have, but make sure it has an external IP attached to it, and it should be inside your cluster in order to reduce any latency issues.

Now bind the URL in the proxy to accept connections on a particular port and route them to your instance that has your external web service. This is an example of how the HAProxy config would look:

# Listen on port 2020 and forward the raw TCP stream to the external web service
listen port_2020
  bind :2020
  mode tcp
  # "check" enables HAProxy's periodic TCP health check against the backend
  server external-web-service externalwebservice.mycompany.com:443 check

After the completion of this setup, let's assume your k8s is running masters at 10.0.1.0/24 and nodes at 10.0.2.0/24, and that you added this additional proxy service somewhere at 10.10.1.101/32 with an external IP of 52.*.*.* within the same VPC. Now all you have to do is open communication on 10.10.1.101 to accept communications to port 2020 from 10.0.2.0/24.

Now your pods have to keep polling 10.10.1.101:2020/api/health/check instead of the external web service directly.

And now you can whitelist just the proxy VM IP 52.*.*.* on your web service VM without any issues.

This is just an example of how it could be done. But there are several approaches to get this done. There are many advanced ways of doing this using a sidecar as well.

Hope this helps.

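As an added example that is not part of the original answer: a Kubernetes NetworkPolicy that makes the proxy the only egress path for the selected pods, so nothing in that node pool can reach the outside except through 10.10.1.101:2020 (the label app: image-client, the namespace default and the kube-dns selector labels are assumptions).

```yaml
# Added example, not from the original answer. Restricts egress of the pods that
# use the proxy so 10.10.1.101:2020 and cluster DNS are their only allowed destinations.
# Assumed: the pods carry the label app=image-client and live in namespace "default".
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-via-proxy-only
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: image-client
  policyTypes:
  - Egress
  egress:
  # Only the proxy VM, and only on the HAProxy listen port from the answer
  - to:
    - ipBlock:
        cidr: 10.10.1.101/32
    ports:
    - protocol: TCP
      port: 2020
  # Keep cluster DNS working (kube-dns in kube-system; labels assumed)
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
```

NetworkPolicy is only enforced on GKE when network policy enforcement (Calico or Dataplane V2) is enabled on the cluster. With the TCP-mode HAProxy above the pods still complete TLS end to end with externalwebservice.mycompany.com, so the client must send that hostname as SNI and verify the certificate against it even though it connects to 10.10.1.101.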