Kubernetes 容器连接到单独 VPC 中的 RDS 实例 [英] Kubernetes container connection to RDS instance in separate VPC

问题描述

我有一个 Kubernetes 集群在其自己的 VPC 内的 Amazon EC2 中运行，我正在尝试让 Dockerized 服务连接到 RDS 数据库(位于不同的 VPC 中).我已经找出了对等互连和路由表条目，因此我可以从 minion 机器上执行此操作:

I have a Kubernetes cluster running in Amazon EC2 inside its own VPC, and I'm trying to get Dockerized services to connect to an RDS database (which is in a different VPC). I've figured out the peering and routing table entries so I can do this from the minion machines:

ubuntu@minion1:~$ psql -h <rds-instance-name>
Password:

所以这一切正常.问题是，当我尝试从 Kubernetes 管理的容器内部建立该连接时，出现超时:

So that's all working. The problem is that when I try to make that connection from inside a Kubernetes-managed container, I get a timeout:

ubuntu@pod-1234:~$ psql -h <rds-instance-name>
…

为了让 minion 连接，我配置了一个对等连接，从 Kubernetes VPC 设置路由表，以便 10.0.0.0/16(RDS VPC 的 CIDR)映射到对等连接，并更新了 RDS 实例的安全组，以允许从地址范围 172.20.0.0/16(Kubernetes VPC 的 CIDR)到端口 5432 的流量.

To get the minion to connect, I configured a peering connection, set up the routing tables from the Kubernetes VPC so that 10.0.0.0/16 (the CIDR for the RDS VPC) maps to the peering connection, and updated the RDS instance's security group to allow traffic to port 5432 from the address range 172.20.0.0/16 (the CIDR for the Kubernetes VPC).

推荐答案

在 Kelsey Hightower 的帮助下，我解决了这个问题.事实证明这是一个 Docker 路由问题.我在博文，但最重要的是像这样改变minions的路由表:

With the help of Kelsey Hightower, I solved the problem. It turns out it was a Docker routing issue. I've written up the details in a blog post, but the bottom line is to alter the minions' routing table like so:

$ sudo iptables -t nat -I POSTROUTING -d <RDS-IP-ADDRESS>/32 -o eth0 -j MASQUERADE

这篇关于Kubernetes 容器连接到单独 VPC 中的 RDS 实例的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！