英文:
Control the pod domain
问题
我有 pod1 和 pod2 在同一个命名空间。
pod2 正在运行一个 HTTP 服务器。
我如何能够让 pod1 能够轻松地将 pod2 视为 pod2.mydomain.com?
这样 HTTPS 证书将可以正常工作。
英文:
I have pod1 and pod2 in the same namespace.
pod2 is running an HTTP server.
How can I easily get pod2 be seen as pod2.mydomain.com from pod1?
In this way the HTTPS certificate would work with no problem.
答案1
得分: 1
通过Kubernetes集群可以实现,使用有效的SSL证书非常重要。使用Kubernetes服务,您可以在与Pods相同的命名空间中创建一个类型为“ClusterIP”或“NodePort”的服务,并需要将Pod2的HTTP服务器暴露到一致的IP和端口。这样,您可以配置您的DNS将pod2.mydomain.com映射到服务的IP地址。或者,如果您的集群支持负载均衡,您可以创建一个类型为“LoadBalancer”的服务,并将pod2的HTTP服务器暴露到公共IP。您还可以创建一个Ingress服务,将流量路由到主机名为pod2的Pod上。有关更多信息,请查阅官方文档(链接:https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/)。
英文:
It can be achieved through the kubernetes cluster and it is important to use a valid SSL certificate.
By using a Kubernetes service you can create a service of type “ClusterIP” or “NodePort” in the same namespace as the pods and you need to expose the pod2 HTTP server to a consistent IP and port. In this way you can configure your DNS to map pod2.mydomain.com to the IP address of the service.
Or if your cluster supports load balancing you can create a Service of type “LoadBalancer” and you can expose pod2 HTTP server to a public IP.
You can also create an Ingress service that routes traffic to pod 2 on the hostname.
For more information please check this official Document
答案2
得分: 1
以下是翻译好的内容:
你可以直接使用 POD 的 IP 进行访问,你的想法是可以的,不过最好使用 service 与 POD 结合使用。
apiVersion: v1
kind: Pod
metadata:
name: nginx
labels:
app.kubernetes.io/name: proxy
spec:
containers:
- name: nginx
image: nginx:stable
ports:
- containerPort: 80
name: http-web-svc
---
apiVersion: v1
kind: Service
metadata:
name: service-1
spec:
selector:
app.kubernetes.io/name: proxy
ports:
- name: name-of-service-port
protocol: TCP
port: 80
targetPort: http-web-svc
Service 路由流量到匹配标签的 POD,所以从 POD1 发送请求到 service-1,它将将流量转发到 POD-1 并返回响应。
使用服务 HTTPS 也可以按照你的要求工作。使用 curl 命令进行测试,启动一个 curl pod。
kubectl run mycurlpod --image=curlimages/curl -i --tty -- sh
向服务发送 curl 请求:
curl https://service-1.<namespace-name>.svc.cluster.local
服务参考文档:https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service
额外信息:
你还可以使用 ingress & service mesh,这将使你的情景变得更简单,如果你不想为应用程序管理 SSL/TLS 证书。
Service mesh 支持 mTLS auth,你可以强制策略,这样会更容易,不过需要额外的管理。
英文:
You can directly hit the POD with it's IP fine how you are thinking however it would better to use the service with POD.
apiVersion: v1
kind: Pod
metadata:
name: nginx
labels:
app.kubernetes.io/name: proxy
spec:
containers:
- name: nginx
image: nginx:stable
ports:
- containerPort: 80
name: http-web-svc
---
apiVersion: v1
kind: Service
metadata:
name: service-1
spec:
selector:
app.kubernetes.io/name: proxy
ports:
- name: name-of-service-port
protocol: TCP
port: 80
targetPort: http-web-svc
Service route the traffic to matching labels PODs, so from POD1 you hit the request to service-1 which will forward traffic to POD-1 and response.
https://service-1.<namespace-name>.svc.cluster.local
with service HTTPS will also work the way you asked. Test with the curl command, start one curl pod
kubectl run mycurlpod --image=curlimages/curl -i --tty -- sh
hit curl request to service
curl https://service-1.<namespace-name>.svc.cluster.local
service ref doc : https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service
Extra :
You can also use the ingress & service mesh which will make little simple for you scenario if you don't want to manage SSL/TLS cert for the app.
Service mesh supports the mTLS auth you can force policy and it would be easy however there will be extra management.
答案3
得分: 0
以下是翻译好的部分:
- 安装
sudo实用程序 - 在
pod1的Dockerfile中运行此指令,假设用户是myuser:
echo 'myuser ALL=(ALL:ALL) NOPASSWD:/bin/chmod 666 /etc/hosts' > /etc/sudoers.d/chmod;
- 在运行时,从
pod1计算pod2的 IP,运行以下命令:
kubectl get pod pod2 --template {{.status.podIP}}
- 然后运行:
sudo chmod 666 /etc/hosts
- 然后在
/etc/hosts中添加以下行(将ip更改为实际 IP):
ip pod2.mydomain.com
也许这个解决方案不是最符合 Kubernetes 风格的,但它避免了我处理证书的麻烦。
我认为改变 /etc/hosts 比处理自签名证书和所有这些东西要容易得多。
英文:
In order not to change SSL certificates, and to use a specific domain, here is the technique I've used successfully:
- install the
sudoutility - Run this instruction in the
pod1'sDockerfile, supposing that the user ismyuser:
echo 'myuser ALL=(ALL:ALL) NOPASSWD:/bin/chmod 666 /etc/hosts' > /etc/sudoers.d/chmod;
- At runtime, from
pod1calculate the IP ofpod2by running:
kubectl get pod pod2 --template {{.status.podIP}}
- Then run:
sudo chmod 666 /etc/hosts
- Then add the following line in
/etc/hosts(changingipby the real IP):
ip pod2.mydomain.com
Maybe this solution is not the most Kubernetes-ish, but it avoids me to deal with certificates.
I consider changing /etc/hosts by far easier than to play with self signed cerficates and all this kind of stuff.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论