GKE: Pubsub messages between pods with push subscribers


Problem description

I am using GKE deployment with multiple pods and I need to send and receive messages between pods. I want to use pubsub push subscribers.

I found that for push I need to configure HTTPS access for the subscriber pods.

In order to receive push messages, you need a publicly accessible HTTPS server to handle POST requests. The server must present a valid SSL certificate signed by a certificate authority and routable by DNS. You also need to validate that you own the domain (or have equivalent access to the endpoint).

Is this really required, or is there some workaround? Does it mean I should expose each subscriber pod with Ingress, even for internal communication?

Recommended answer

If you only need pods to be exposed on a certain port (for pod to pod communication) then you would just need to expose each pod via a service that targets that port (in your case port 443).

For example, by using the following YAML you can create a service which targets a port on a pod(s):

apiVersion: v1
kind: Service
metadata:
  name: my-pod
  labels:
    run: my-pod
spec:
  ports:
  - port: 443
    targetPort: 443
    protocol: TCP
  selector:
    run: my-pod

The above would create a Service which targets TCP port 443 on any Pod with the run: my-pod label. In the file, targetPort is the port the container (within the pod) accepts traffic on, and port is the abstracted Service port, which can be any port other pods use to access the Service.

However, if you need the pods to be able to communicate with the Pub-Sub API, then the ability to communicate externally is required, so yes, ingress would be recommended.

In response to your question in the comment, "I wonder why Google needs to access Kubernetes with public HTTPS instead on some internal request": the reason is it isn't an internal request. The Pub-Sub API sits outside of your project/network, so data travels across other networks. For it to be secure, it needs to be encrypted; this is the reason HTTPS is used.
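
Because a push endpoint is reachable from outside the cluster, the POST handler should treat every request body as untrusted. The following is an added example, not part of the original question or answer: a sketch of the validation step for the Pub/Sub push JSON envelope, using only the Python standard library. The subscription name, size limit, and function names are assumptions chosen for illustration.

```python
import base64
import json

# Assumed values for illustration; not from the original post.
EXPECTED_SUBSCRIPTION = "projects/example-project/subscriptions/pod-events"
MAX_BODY_BYTES = 1 << 20  # refuse oversized bodies before parsing them

_seen_ids = set()  # per-process dedupe; multiple pods would need a shared store


def handle_push(body, handler=lambda data, attrs: None):
    """Validate one push POST body and return the HTTP status to send back.

    204 acknowledges the message; an error status leads to redelivery.
    """
    if len(body) > MAX_BODY_BYTES:
        return 413
    try:
        envelope = json.loads(body)
        message = envelope["message"]
        message_id = message["messageId"]
        attrs = message.get("attributes") or {}
        data = base64.b64decode(message.get("data", ""), validate=True)
    except (ValueError, KeyError, TypeError):
        return 400  # not a well-formed push envelope
    if not isinstance(message_id, str) or not message_id:
        return 400
    # Sanity check only: this field is part of the request body,
    # so it is not proof of where the request came from.
    if envelope.get("subscription") != EXPECTED_SUBSCRIPTION:
        return 403
    if message_id in _seen_ids:
        return 204  # delivery is at-least-once: ack duplicates, do not reprocess
    try:
        handler(data, attrs)
    except Exception:
        return 500  # not marked as seen, so a redelivery is processed
    _seen_ids.add(message_id)
    return 204


if __name__ == "__main__":
    # Constructed sample envelope in the push delivery format.
    sample = json.dumps({
        "message": {"data": base64.b64encode(b"hello").decode(),
                    "messageId": "1001", "attributes": {"source": "pod-a"}},
        "subscription": EXPECTED_SUBSCRIPTION,
    }).encode()
    print(handle_push(sample, lambda d, a: print("got", d, a)))
```

The function is transport-agnostic: whatever HTTPS server terminates the request passes the raw body in and sends the returned status code back.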
