GKE: Pubsub messages between pods with push subscribers


Question

I am using GKE deployment with multiple pods and I need to send and receive messages between pods. I want to use pubsub push subscribers.

I found that for push I need to configure HTTPS access for subscriber pods.

In order to receive push messages, you need a publicly accessible HTTPS server to handle POST requests. The server must present a valid SSL certificate signed by a certificate authority and routable by DNS. You also need to validate that you own the domain (or have equivalent access to the endpoint).

Is this really required, or is there some workaround? Does it mean I should expose each subscriber pod with Ingress, even for internal communication?

Recommended answer

If you only need pods to be exposed on a certain port (for pod to pod communication) then you would just need to expose each pod via a service that targets that port (in your case port 443).

For example, by using the following YAML you can create a service which targets a port on a pod(s):

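apiVersion: v1
kind: Service
metadata:
  name: my-pod
  labels:
    run: my-pod
spec:
  ports:
  - port: 443          # port the Service exposes to other pods
    targetPort: 443    # port the container in the pod listens on
    protocol: TCP
  selector:
    run: my-pod        # the Service routes to pods carrying this label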

The above would create a Service which targets TCP port 443 on any Pod with the run: my-pod label. In the file, targetPort is the port the container (within the pod) accepts traffic on, and port is the abstracted Service port, which can be any port other pods use to access the Service.

However, if you need the pods to be able to communicate with the Pub-Sub API, then the ability to communicate externally is required, so yes, Ingress would be recommended.

In response to your question in the comment, "I wonder why Google needs to access Kubernetes with public HTTPS instead on some internal request": the reason is that it isn't an internal request. The Pub-Sub API sits outside of your project/network, so data travels across other networks. For it to be secure, it needs to be encrypted; this is the reason HTTPS is used.
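
For the pod-to-pod case in the answer above, the following added example (not part of the original answer) shows a Service whose port and targetPort differ, together with a NetworkPolicy that limits which pods may reach the subscribers. The 8443 container port, the `role: publisher` label and the policy name are assumptions made for illustration.

```yaml
# Added example; names, labels and the 8443 container port are assumptions.
apiVersion: v1
kind: Service
metadata:
  name: my-pod
  labels:
    run: my-pod
spec:
  selector:
    run: my-pod            # same label the answer's Service selects on
  ports:
  - name: https
    port: 443              # what other pods dial: my-pod:443
    targetPort: 8443       # what the container listens on (assumed port)
    protocol: TCP
---
# Restrict who may reach the subscriber pods. NetworkPolicy is enforced at the
# pod, after the Service has translated the destination, so it must name the
# container port (8443), not the Service port (443).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: my-pod-allow-publishers   # hypothetical name
spec:
  podSelector:
    matchLabels:
      run: my-pod
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: publisher  # hypothetical label on pods allowed to connect
    ports:
    - protocol: TCP
      port: 8443
```

The NetworkPolicy only takes effect on a cluster that has network policy enforcement enabled. Traffic arriving from any other source, such as an Ingress load balancer, would need its own `from` rule.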
