GKE 节点的互联网连接
Internet connectivity for GKE nodes
我使用以下命令创建了一个 GKE 集群:
gcloud container clusters create experiment --num-nodes=1 --network default --subnetwork default --enable-private-nodes --enable-private-endpoint --enable-ip-alias --master-ipv4-cidr 172.16.0.16/28 --no-enable-basic-auth --no-issue-client-certificate
我的 VPC 防火墙中没有出口规则
我在适用于 GKE 节点并允许互联网访问的 VPC 路由下有一个自动创建的默认路由。
在 GKE 节点上我可以:
$ docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
bb79b6b2107f: Pull complete
111447d5894d: Pull complete
a95689b8e6cb: Pull complete
1a0022e444c2: Pull complete
32b7488a3833: Pull complete
Digest: sha256:ed7f815851b5299f616220a63edac69a4cc200e7f536a56e421988da82e44ed8
Status: Downloaded newer image for nginx:latest
docker.io/library/nginx:latest
docker pull ubuntu
Using default tag: latest
latest: Pulling from library/ubuntu
6a5697faee43: Pull complete
ba13d3bc422b: Pull complete
a254829d9e55: Pull complete
Digest: sha256:fff16eea1a8ae92867721d90c59a75652ea66d29c05294e6e2f898704bdb8cf1
Status: Downloaded newer image for ubuntu:latest
docker.io/library/ubuntu:latest
但我不能:
$ wget https://www.amazon.com
--2020-10-31 19:22:44-- https://www.amazon.com/
Resolving www.amazon.com... 13.226.21.44
Connecting to www.amazon.com|13.226.21.44|:443...
但我可以:
$ wget https://www.google.com
--2020-10-31 19:23:15-- https://www.google.com/
Resolving www.google.com... 172.217.212.147, 172.217.212.99, 172.217.212.106, ...
Connecting to www.google.com|172.217.212.147|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: 'index.html.1'
index.html.1 [ <=> ] 12.48K --.-KB/s in 0s
2020-10-31 19:23:15 (72.1 MB/s) - 'index.html.1' saved [12782]
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.128.0.1 0.0.0.0 UG 1024 0 0 eth0
10.108.2.0 0.0.0.0 255.255.255.0 U 0 0 0 cbr0
10.128.0.1 0.0.0.0 255.255.255.255 UH 1024 0 0 eth0
169.254.123.0 0.0.0.0 255.255.255.0 U 0 0 0 docker0
GKE 节点上的互联网连接发生了什么。我可以到达 docker 中心但不能到达 www.amazon.com?这里有点混乱。
Whats happening with internet connectivity on GKE nodes. I can reach
docker hub but not www.amazon.com ? Little confused here.
我知道乍一看可能有点令人困惑,因为 您可能认为您确实可以访问 到 Docker Hub .嗯,事实上 你不需要。
你尝试过 curl https://hub.docker.com/ 吗?我想你没有。如果这样做,您会注意到它也失败了。
如你所见here:
Nodes in a private cluster do not have outbound access to the public
internet. They have limited access to Google APIs and services,
including Container Registry.
那么,这里到底发生了什么?
您不是直接从 Docker Hub 中提取图像,而是从它的镜像中提取图像,该镜像由 Google Container Registry 维护。您可以通过一种非常简单的方式检查它。如果你拉 nginx(等于 nginx:latest)它工作得很好,但是如果你尝试拉 nginx:1.14.2 它会失败。这是因为 GCR 不会在 Docker Hub 上保留所有图像的旧版本。 官方文档中也提到了:
You cannot fetch images directly from Docker Hub. Instead, use images
hosted on Container Registry. Note that while Container Registry's
Docker Hub
mirror
is accessible from a private cluster, it should not be exclusively
relied upon. The mirror is only a cache, so images are periodically
removed, and a private cluster is not able to fall back to Docker Hub.
我前段时间在 answer so you may also want to take a look at it. It is also well explained in the official docs.
中详细解释过
But I can:
$ wget https://www.google.com
拜托,你在 GCP 平台上,所以你正在从 Google 的 网络中访问 google.com,这个可能是不是在此特定云平台上测试与 public 互联网连接的最佳选择。
我使用以下命令创建了一个 GKE 集群:
gcloud container clusters create experiment --num-nodes=1 --network default --subnetwork default --enable-private-nodes --enable-private-endpoint --enable-ip-alias --master-ipv4-cidr 172.16.0.16/28 --no-enable-basic-auth --no-issue-client-certificate
我的 VPC 防火墙中没有出口规则 我在适用于 GKE 节点并允许互联网访问的 VPC 路由下有一个自动创建的默认路由。
在 GKE 节点上我可以:
$ docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
bb79b6b2107f: Pull complete
111447d5894d: Pull complete
a95689b8e6cb: Pull complete
1a0022e444c2: Pull complete
32b7488a3833: Pull complete
Digest: sha256:ed7f815851b5299f616220a63edac69a4cc200e7f536a56e421988da82e44ed8
Status: Downloaded newer image for nginx:latest
docker.io/library/nginx:latest
docker pull ubuntu
Using default tag: latest
latest: Pulling from library/ubuntu
6a5697faee43: Pull complete
ba13d3bc422b: Pull complete
a254829d9e55: Pull complete
Digest: sha256:fff16eea1a8ae92867721d90c59a75652ea66d29c05294e6e2f898704bdb8cf1
Status: Downloaded newer image for ubuntu:latest
docker.io/library/ubuntu:latest
但我不能:
$ wget https://www.amazon.com
--2020-10-31 19:22:44-- https://www.amazon.com/
Resolving www.amazon.com... 13.226.21.44
Connecting to www.amazon.com|13.226.21.44|:443...
但我可以:
$ wget https://www.google.com
--2020-10-31 19:23:15-- https://www.google.com/
Resolving www.google.com... 172.217.212.147, 172.217.212.99, 172.217.212.106, ...
Connecting to www.google.com|172.217.212.147|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: 'index.html.1'
index.html.1 [ <=> ] 12.48K --.-KB/s in 0s
2020-10-31 19:23:15 (72.1 MB/s) - 'index.html.1' saved [12782]
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.128.0.1 0.0.0.0 UG 1024 0 0 eth0
10.108.2.0 0.0.0.0 255.255.255.0 U 0 0 0 cbr0
10.128.0.1 0.0.0.0 255.255.255.255 UH 1024 0 0 eth0
169.254.123.0 0.0.0.0 255.255.255.0 U 0 0 0 docker0
GKE 节点上的互联网连接发生了什么。我可以到达 docker 中心但不能到达 www.amazon.com?这里有点混乱。
Whats happening with internet connectivity on GKE nodes. I can reach docker hub but not www.amazon.com ? Little confused here.
我知道乍一看可能有点令人困惑,因为 您可能认为您确实可以访问 到 Docker Hub .嗯,事实上 你不需要。
你尝试过 curl https://hub.docker.com/ 吗?我想你没有。如果这样做,您会注意到它也失败了。
如你所见here:
Nodes in a private cluster do not have outbound access to the public internet. They have limited access to Google APIs and services, including Container Registry.
那么,这里到底发生了什么?
您不是直接从 Docker Hub 中提取图像,而是从它的镜像中提取图像,该镜像由 Google Container Registry 维护。您可以通过一种非常简单的方式检查它。如果你拉 nginx(等于 nginx:latest)它工作得很好,但是如果你尝试拉 nginx:1.14.2 它会失败。这是因为 GCR 不会在 Docker Hub 上保留所有图像的旧版本。 官方文档中也提到了:
You cannot fetch images directly from Docker Hub. Instead, use images hosted on Container Registry. Note that while Container Registry's Docker Hub mirror is accessible from a private cluster, it should not be exclusively relied upon. The mirror is only a cache, so images are periodically removed, and a private cluster is not able to fall back to Docker Hub.
我前段时间在
But I can:
$ wget https://www.google.com
拜托,你在 GCP 平台上,所以你正在从 Google 的 网络中访问 google.com,这个可能是不是在此特定云平台上测试与 public 互联网连接的最佳选择。