Google Cloud Build 部署到 GKE 私有集群 [英] Google Cloud Build deploy to GKE Private Cluster

问题描述

我正在运行带有私有集群"选项的 Google Kubernetes Engine.我还定义了授权主网络"以能够远程访问环境 - 这很好用.现在我想使用 Google Cloud Build 设置某种 CI/CD 管道 -成功构建新的 docker 镜像后，这个新镜像应该会自动部署到 GKE.当我第一次启动新管道时，部署到 GKE 失败 - 错误消息类似于:无法连接到服务器:拨号 tcp xxx.xxx.xxx.xxx:443:i/o 超时".由于我怀疑授权主网络"选项是连接超时的根本原因，因此我已将 0.0.0.0/0 添加到允许的网络并再次启动 Cloud Build 作业 - 这次一切顺利，之后Docker 映像已创建，并已部署到 GKE.不错.

I'm running a Google Kubernetes Engine with the "private-cluster" option. I've also defined "authorized Master Network" to be able to remotely access the environment - this works just fine. Now I want to setup some kind of CI/CD pipeline using Google Cloud Build - after successfully building a new docker image, this new image should be automatically deployed to GKE. When I first fired off the new pipeline, the deployment to GKE failed - the error message was something like: "Unable to connect to the server: dial tcp xxx.xxx.xxx.xxx:443: i/o timeout". As I had the "authorized master networks" option under suspicion for being the root cause for the connection timeout, I've added 0.0.0.0/0 to the allowed networks and started the Cloud Build job again - this time everything went well and after the docker image was created it was deployed to GKE. Good.

剩下的唯一问题是我真的不想让整个互联网都能够访问我的 Kubernetes 主站 - 这是个坏主意，不是吗?

The only problem that remains is that I don't really want to allow the whole Internet being able to access my Kubernetes master - that's a bad idea, isn't it?

是否有更优雅的解决方案来通过使用允许的主网络以及能够通过云构建进行部署来缩小访问范围?

Are there more elegant solutions to narrow down access by using allowed master networks and also being able to deploy via cloud build?

推荐答案

目前无法将 Cloud Build 机器添加到 VPC.同样，Cloud Build 不会公布构建机器的 IP 范围.因此，您今天无法在该 VPC 内的 GCE 上创建ssh 堡垒实例"或代理实例".

It's currently not possible to add Cloud Build machines to a VPC. Similarly, Cloud Build does not announce IP ranges of the build machines. So you can't do this today without creating a "ssh bastion instance" or a "proxy instance" on GCE within that VPC.

我怀疑这很快就会改变.GCB 在 GKE 私有集群之前就已经存在，私有集群仍然是 Beta 功能.

I suspect this would change soon. GCB existed before GKE private clusters and private clusters are still a beta feature.

这篇关于Google Cloud Build 部署到 GKE 私有集群的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！