访问不同地区的私有 GKE 集群?

huangapple go评论77阅读模式
英文:

Access private GKE clusters from a different region?

问题

我已经创建了一个GKE集群,使用以下命令:

gcloud beta container clusters create "cluster-asia-south1" \
    --region "asia-south1" \
    --project "project123" \
    --cluster-version "1.14.8-gke.12" \
    --machine-type "n1-standard-1" \
    --image-type "COS" --disk-type "pd-standard" --disk-size "100" \
    --scopes "https://www.googleapis.com/auth/cloud-platform" \
     --num-nodes "1" \
    --no-enable-basic-auth \
    --metadata disable-legacy-endpoints=true \
    --max-pods-per-node "110" --enable-stackdriver-kubernetes \
    --enable-ip-alias \
    --network "projects/project123/global/networks/default" \
    --subnetwork "projects/project123/regions/asia-south1/subnetworks/default" \
    --default-max-pods-per-node "110" \
    --addons HorizontalPodAutoscaling,HttpLoadBalancing \
    --no-enable-autoupgrade \
    --no-enable-autorepair \
    --node-locations asia-south1-a,asia-south1-b

我了解这个集群可以从asia-south1区域内的VM访问(例如gcp-vm-asia-south1-a)。

因此,我在这个VM(gcp-vm-asia-south1-a)上安装了一个OpenVPN服务器。现在,当我从我的本地系统连接到这个VM时,我能够访问集群的主端点,以下命令也正常工作:

gcloud container clusters get-credentials "cluster-asia-south1" --region "asia-south1"

然后kubectl get pods也正常工作,我也能够通过Helm进行连接。

假设我在同一VPC但不同区域(比如cluster-us-central1cluster-us-west1)中有两个更多的集群。我如何使用同一个OpenVPN服务器来访问这些集群?

我明白如果我为每个区域设置一个OpenVPN服务器,我将能够连接到相应的VPN服务器,并且从该区域访问GKE集群将没有问题。

但我不想管理三个OpenVPN服务器,每个区域一个。管理一个堡垒主机,一些iptables转发规则或类似的东西应该可以。

这个想法是为一个VPC保留一个OpenVPN服务器,无论有多少个区域。这是否可行,是否有办法做到这一点?

我尝试在--master-authorized-networks中添加VM、子网和客户端的私有IP范围,但什么都不起作用(我认为这是因为它们都来自不同的区域)。

英文:

I have created a GKE cluster using the below command:

gcloud beta container clusters create "cluster-asia-south1" \
    --region "asia-south1" \
    --project "project123" \
    --cluster-version "1.14.8-gke.12" \
    --machine-type "n1-standard-1" \
    --image-type "COS" --disk-type "pd-standard" --disk-size "100" \
    --scopes "https://www.googleapis.com/auth/cloud-platform" \
     --num-nodes "1" \
    --no-enable-basic-auth \
    --metadata disable-legacy-endpoints=true \
    --max-pods-per-node "110" --enable-stackdriver-kubernetes \
    --enable-ip-alias \
    --network "projects/project123/global/networks/default" \
    --subnetwork "projects/project123/regions/asia-south1/subnetworks/default" \
    --default-max-pods-per-node "110" \
    --addons HorizontalPodAutoscaling,HttpLoadBalancing \
    --no-enable-autoupgrade \
    --no-enable-autorepair \
    --node-locations asia-south1-a,asia-south1-b

I understand this cluster can be accessed from the VMs inside asia-south1 region (e.g gcp-vm-asia-south1-a).

Hence I installed an OpenVPN server in this VM (gcp-vm-asia-south1-a). Now when I connect to this VM from my local system, I am able to access the clusters master endpoint and below command works fine:

gcloud container clusters get-credentials "cluster-asia-south1" --region "asia-south1"

And then kuebctl get pods works fine and I am able to connect via Helm as well.

Suppose I have two more clusters in the same VPC but different regions (say cluster-us-central1 and cluster-us-west1). How do I use the same OpenVPN server to access these clusters as well?

I understand if I set up one OpenVPN server per region I will be able to connect to the respective VPN server and GKE cluster from that region will be accessible without a problem.

But I do not wanna manage three OpenVPN servers one in each region. Managing a bastion hots a few iptables or forwarding rules or something similar should be fine.

The idea is to keep one OpenVPN server for one VPC no matter how many regions are there. Is this feasible somehow, is there any way to do this?

I tried adding VMs, subnets, and client's private IP ranges in --master-authorized-networks but nothing works ( I think because they all are from different regions).

答案1

得分: 0

Did you use --enable-master-authorized-networks flag with --master-authorized-networks as it was mentioned in the documentation? Did you check masterAuthorizedNetworksConfig: with command gcloud container clusters describe [CLUSTER_NAME]?

Do you have any firewall rules that could restrict access to other clusters from your OpenVPN server?

EDIT The cause of your problem with connectivity could be using subnets from different regions: "A VPC network is a global resource, but individual subnets are regional resources" and "Regional resources are accessible by any resources within the same region".

英文:

Did you use --enable-master-authorized-networks flag with --master-authorized-networks as it was mentioned in the documentation? Did you check masterAuthorizedNetworksConfig: with command gcloud container clusters describe [CLUSTER_NAME]?

Do you have any firewall rules that could restrict access to other clusters from your OpenVPN server?

EDIT The cause of you problem with connectivity could be using subnets from different regions: "A VPC network is a global resource, but individual subnets are regional resources" and "Regional resources are accessible by any resources within the same region".

答案2

得分: 0

我按照这篇来自GCP的博客部署了代理,并且在同一地区还有另一台VM上部署了OpenVPN服务器。

我将我的本地机器连接到了OpenVPN服务器,并使用博客中显示的https_proxy=LOCAD_BALANCER_IP:PORT变量来更改我的代理。

现在,我的本地机器能够与GKE集群的Master IP进行交互,因为Master认为请求来自集群内部部署的代理服务。这个代理服务认为请求不是来自该地区之外,而是来自相同地区和VPC中的OpenVPN服务器(VM)。

英文:

I followed this blog from GCP to deploy the proxy and there is another VM in the same region with OpenVPN server deployed on it.

I connect my local machine to the OpenVPN server and change my proxy using https_proxy=LOCAD_BALANCER_IP:PORT variable shown in the blog.

Now my local machine is able to interact with the Master IP of the GKE cluster as the master thinks the request is coming from the proxy service deployed inside the cluster. This proxy service thinks the request is not coming from outside the region but from the OpenVPN server (VM) in the same region and VPC.

huangapple
  • 本文由 发表于 2020年1月3日 23:03:39
  • 转载请务必保留本文链接:https://go.coder-hub.com/59580847.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定