Exposing a DaemonSet service for consumption by pods on the same node


Question

I'm trying to install a service mesh in my Kubernetes cluster, and for that I want to accomplish the following:

  • The service mesh pods are run as a DaemonSet, with one replica on each node.
  • The service mesh is not directly reachable from outside the cluster.
  • The application pods use the service mesh pod on the same node as an HTTP proxy for all requests.

In order to do so, I've added the following configuration to the container spec on the application Deployment:

# deployment.spec.template.spec.containers[0]
  env:
  - name: NODE_NAME
    valueFrom:
      fieldRef:
        fieldPath: spec.nodeName
  # $(NODE_NAME) is expanded by Kubernetes only because NODE_NAME is
  # declared earlier in the same env list
  - name: HTTP_PROXY
    value: http://$(NODE_NAME):4140

However, I'm failing to expose the service mesh properly; I've tried with both services of type: ClusterIP and type: LoadBalancer, but with the former I fail to connect, and with the latter I expose the service mesh publicly, which I don't want to do. I've also tried to get something working with NodePort, but I haven't even been able to figure out a valid configuration there yet (and there seems to be some opinion that NodePort should be avoided if possible...).

How should I expose the service mesh, preferably on ports 4140-4142 and 9990, in a way that is reachable on a specific node (the current one) from other pods?

Answer

You could put your pods in the host network space. That way you won't need any Service, and your Pod will be reachable on the port you declare in the PodSpec on every node.

You could avoid external reachability by binding your service to 127.0.0.1 rather than 0.0.0.0.

If you want to give it a try, you can run a port in the host network space by adding the following to the PodSpec of your DaemonSet:

hostNetwork: true

Please be aware that, with this solution, you'll need to use the host's IP address in order to connect to your pod.

In order to get internal DNS name resolution in your hostNetworked pods, you also need to set the DNS policy like this:

dnsPolicy: ClusterFirstWithHostNet

This will ensure your pods use the internal DNS server for name resolution.
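The following manifests put the answer's pieces together (hostNetwork, ClusterFirstWithHostNet, and the application Deployment pointing HTTP_PROXY at the node). They are an added example and not code from the question or the answer; the namespace, names, image and the proxy's listen address are assumptions. Two points worth knowing before copying it: application pods have their own network namespace, so they reach a hostNetwork listener through the node IP (here taken from the status.hostIP downward-API field rather than by resolving the node name), which means the proxy port must listen on the node address or on all interfaces, not only on 127.0.0.1; and NetworkPolicy objects generally do not apply to hostNetwork pods, so keeping the ports off the internet is a job for the node firewall or the cloud security group rather than a Service type.

```yaml
# Added example (not from the original question or answer).
# Assumed: namespace "mesh", image "example.com/mesh-proxy:1.0", and that the
# proxy reads its listen address from the LISTEN_ADDR environment variable.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: mesh-proxy
  namespace: mesh
spec:
  selector:
    matchLabels:
      app: mesh-proxy
  template:
    metadata:
      labels:
        app: mesh-proxy
    spec:
      hostNetwork: true                      # share the node's network namespace
      dnsPolicy: ClusterFirstWithHostNet     # keep cluster DNS despite hostNetwork
      containers:
      - name: proxy
        image: example.com/mesh-proxy:1.0    # assumed image
        env:
        - name: NODE_IP
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP
        # Assumed proxy setting: listen on the node address so that pods in
        # other network namespaces on this node can connect. A listener bound
        # only to 127.0.0.1 would be reachable solely from the host namespace.
        - name: LISTEN_ADDR
          value: $(NODE_IP)
        ports:
        # With hostNetwork these entries are informational; the process itself
        # decides what it binds. They document the node ports in use.
        - containerPort: 4140
          name: proxy-http
        - containerPort: 4141
          name: proxy-alt-1
        - containerPort: 4142
          name: proxy-alt-2
        - containerPort: 9990
          name: admin
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
---
# Application Deployment: point the proxy at this pod's own node by IP.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  namespace: mesh
spec:
  replicas: 2
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
      - name: app
        image: example.com/app:1.0           # assumed image
        env:
        - name: NODE_IP
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP       # the node's IP, as the answer requires
        - name: HTTP_PROXY
          value: http://$(NODE_IP):4140      # NODE_IP is declared above, so it expands
        - name: NO_PROXY
          value: "127.0.0.1,localhost,$(NODE_IP)"
```

If the admin port 9990 is only needed by tooling that runs on the node itself, binding just that listener to 127.0.0.1 is the one place where the answer's loopback advice applies cleanly; the proxy ports that application pods use cannot be loopback-only.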

