我有一个phpmyadmin服务运行在kubernetes集群上。我想在谷歌云上保留一个外部IP(静态),以便与此服务一起使用,以便可以从互联网访问。我尝试在GCP上保留一个IP地址,并在kubernetes服务文件中使用它,如下所示:
apiVersion: v1
kind: Service
metadata:
annotations:
kompose.cmd: /snap/kompose/19/kompose-linux-amd64 convert
kompose.version: 1.21.0 (992df58d8)
creationTimestamp: null
labels:
io.kompose.service: phpmyadmin
name: phpmyadmin
spec:
externalIPs: [xx.xxx.xxx.xxx] #the external IP from Google cloud
ports:
- name: "8080"
port: 8080
targetPort: 80
selector:
io.kompose.service: phpmyadmin
status:
loadBalancer: {}
当我指定spec.type: LoadBalancer时,则可以使用从type: LoadBalancer生成的默认IP地址从互联网访问该服务。
我试图通过允许8080端口上的入口来更改外部IP地址的防火墙规则,但这不起作用。
不设置exteranlIPs,而设置spec.loadBalancerIP,spec.type为LoadBalancer值:
apiVersion: v1
kind: Service
metadata:
annotations:
kompose.cmd: /snap/kompose/19/kompose-linux-amd64 convert
kompose.version: 1.21.0 (992df58d8)
creationTimestamp: null
labels:
io.kompose.service: phpmyadmin
name: phpmyadmin
spec:
ports:
- name: "8080"
port: 8080
targetPort: 80
selector:
io.kompose.service: phpmyadmin
type: LoadBalancer
loadBalancerIP: "YOUR_IP_ADDRESS"
status:
loadBalancer: {}
请注意,通过外部静态IP暴露您的pod只支持区域负载均衡流量,因此您保留的静态IP地址需要是区域的。
对于全局IP地址,需要通过Ingress对象公开一个HTTP(s) Load Balancer。
防火墙规则在实例级应用。它们不能阻止流量到达负载均衡器本身。
参考:https://cloud.google.com/load-balancing/docs/https/#firewall_rules
GKE LB服务可能正在创建HTTP负载均衡器默认情况下,也许你可以检出NLB负载均衡器: https://cloud.google.com/load-balancing/docs/choosing-load-balancer summary-of-google-cloud-load-balancers
所有端口:https://cloud.google.com/kubernetes-engine/docs/how-to/service-parameters#all_ports
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
annotations:
cloud.google.com/neg: '{"exposed_ports": {"8080":{}}}'
spec:
ports:
- name: 8080-8080
port: 8080
protocol: TCP
targetPort: 8080
selector:
app: helloworld
# Use LoadBalancer type instead of ClusterIP
type: LoadBalancer
示例:https://spring-gcp.saturnism.me/deployment/kubernetes/load-balancing/external-load-balancing