英文:
How to route connections to GKE pod through GCI
问题
我们已经在本地网络中使用了GCI来进行设置,本地设备能够ping通GKE Node的内部IP,但我们发现内部IP是不固定的。因此,我们选择使用GKE Node的外部IP,但我不确定这个IP是否可以从本地设备访问,如果可以访问,它如何知道在连接到GKE Node的外部IP时要路由到哪个Pod?
我是否需要设置其他内容,如NetworkPolicy等?
注意:我们正在使用GKE的自动驾驶模式(autopilot mode)。
2023年6月6日更新:
我目前正在尝试在Google Kubernetes Engine(GKE)中设置一个具有内部IP的Ingress,这需要一个仅代理的子网。此外,我尝试将服务类型设置为LoadBalancer(Internal)并分配一个静态IP。我还检查了广告IP范围是否在非伪装CIDR列表中。然而,结果令人不满意,因为本地设备仍然无法ping通GKE中的Pod。
英文:
We've set up on-premises networks with GCI, the local device is able to ping GKE Node internal IP, but we found the internal IP isn't fixed. So we choose to use GKE Node external IP instead, but I'm not sure if this IP is accessible from local device and if it is, how would it know which pod to route to when connecting to GKE Node external IP?
Do I need to set up something else like NetworkPolicy etc ?
note: we're using GKE autopilot mode
2023/06/06 Updates:
I'm currently attempting to set up an Ingress with an internal IP in Google Kubernetes Engine (GKE), which requires a proxy-only subnet. Additionally, I've tried setting the service type to LoadBalancer (Internal) and assigning a static IP. I also checked advertised IP ranges is on the list of nonMasqueradeCIDRs. However, the results have been unsatisfactory, as on-premises devices are still unable to ping the pods in GKE.
答案1
得分: 0
内部 IP 只应在您使用 GKE 节点的私有 IP 且使用外部 IP 会导致与防火墙相关的问题时使用。为了克服这种情况,您需要包含 Egress NAT policy,它将帮助您基于 Pod 标签和目标 IP 地址设置 SNAT。
GKE Egress NAT policy 允许您配置 Autopilot 集群的 IP 伪装行为。
GKE 支持两个自动生成的 NAT 策略,默认策略 和 由 GKE 管理的策略。默认策略 是可编辑的,它配置了默认的非伪装目标。所有所需的更改都可以在默认策略中完成。请按照 官方文档 中提到的步骤进行操作。
当数据包发送到 EgressNATPolicy 下的“CIDR”中提到的目标时,您的集群不会伪装 IP 地址源,并保留源 Pod IP 地址。
希望上述信息对您有帮助。
英文:
Internal IP should only be used if you are using the Private IP of the GKE node and if you are using External IP, issues related to firewall may occur. To overcome this situation, you need to include Egress NAT policy that will help you to set up SNAT based on pod labels and destination IP address.
The GKE Egress NAT policy lets you configure the IP masquerade behavior for Autopilot clusters.
GKE supports two automatically generated NAT policies, default policy and managed by GKE policy. The default policy is editable and it configures the default non-masquerade destinations. All the required changes can be done in the default policy. Follow the steps mentioned in the official document.
When packets are sent to the destinations mentioned in “CIDR” under EgressNATPolicy, your cluster does not masquerade IP address sources and preserves source Pod IP addresses.
Hope the above information is useful to you.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论