Kubernetes API 服务器 --bind-address 与 --advertise-address
Kubernetes API server --bind-address vs --advertise-address
根据 referrence,kube-apiserver 的两个选项是 --bind-address 和 --advertise-address 在我看来它们相互冲突。
两者之间的 is/are 实际差异是什么?
--bind-address 是 kube-apiserver 进程将侦听的地址吗?
--advertise-address kube-apiserver 将公布的地址是它将监听的地址吗?如果有,它是如何做广告的?它会通过网络进行某种广播吗?
根据您引用的 reference-kube-apiserver:
--advertise-address ip The IP address on which to advertise the apiserver to members of the cluster. This address must be reachable by the rest of the cluster. If blank, the --bind-address will be used. If --bind-address is unspecified, the host's default interface will be used.
和
--bind-address ip The IP address on which to listen for the --secure-port port. The associated interface(s) must be reachable by the rest of the cluster, and by CLI/web clients. If blank, all interfaces will be used (0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces). (default 0.0.0.0)
这些参数是可配置的,但请记住它们应该在集群引导期间指定。
API server ports and IP addresses
- 默认的“安全端口”是
6443,但可以通过
--secure-port 标志。如 documentation 中所述 - 主节点应为其他集群组件公开安全端口以与 Kubernetes API 服务器通信。
- 默认 IP 是第一个非本地主机网络接口,但可以
使用
--bind-address 标志更改。
上述参数(--secure-port 和 --bind-address)允许您为 Kubernetes API 配置带有安全端口的网络接口。
如前所述,如果您不指定任何值:
By default it would be default IP is first non-localhost network interface and 6443 port.
请注意:
--advertise-address 将被 kube-apiserver 用于为 kubernetes 控制器通告此地址,该控制器负责为 kubernetes.default.svc 准备端点(核心 Service 负责内部应用程序与 API 服务器)。此 Kubernetes 服务 VIP 由 kube-proxy 配置为每个节点负载平衡。
有关 kubernetes.default.svc 和 kubernetes 控制器的更多信息,请参见 here。
Cluster <-> Master communication
All communication paths from the cluster to the master terminate at the apiserver (none of the other master components are designed to expose remote services). In a typical deployment, the apiserver is configured to listen for remote connections on a secure HTTPS port (443)
The kubernetes service is configured with a virtual IP address that is redirected (via kube-proxy) to the HTTPS endpoint on the apiserver.
There are two primary communication paths from the master (apiserver) to the cluster. The first is from the apiserver to the kubelet process which runs on each node in the cluster. The second is from the apiserver to any node, pod, or service through the apiserver’s proxy functionality.
此外,您可以通过阅读 master-node-communication and control-plane-node-communication.
了解有关集群内通信的更多信息
根据 referrence,kube-apiserver 的两个选项是 --bind-address 和 --advertise-address 在我看来它们相互冲突。
两者之间的 is/are 实际差异是什么?
--bind-address 是 kube-apiserver 进程将侦听的地址吗?
--advertise-address kube-apiserver 将公布的地址是它将监听的地址吗?如果有,它是如何做广告的?它会通过网络进行某种广播吗?
根据您引用的 reference-kube-apiserver:
--advertise-address ip The IP address on which to advertise the apiserver to members of the cluster. This address must be reachable by the rest of the cluster. If blank, the --bind-address will be used. If --bind-address is unspecified, the host's default interface will be used.
和
--bind-address ip The IP address on which to listen for the --secure-port port. The associated interface(s) must be reachable by the rest of the cluster, and by CLI/web clients. If blank, all interfaces will be used (0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces). (default 0.0.0.0)
这些参数是可配置的,但请记住它们应该在集群引导期间指定。
API server ports and IP addresses
- 默认的“安全端口”是
6443,但可以通过--secure-port标志。如 documentation 中所述 - 主节点应为其他集群组件公开安全端口以与 Kubernetes API 服务器通信。 - 默认 IP 是第一个非本地主机网络接口,但可以
使用
--bind-address标志更改。
上述参数(--secure-port 和 --bind-address)允许您为 Kubernetes API 配置带有安全端口的网络接口。
如前所述,如果您不指定任何值:
By default it would be default IP is first non-localhost network interface and 6443 port.
请注意:
--advertise-address 将被 kube-apiserver 用于为 kubernetes 控制器通告此地址,该控制器负责为 kubernetes.default.svc 准备端点(核心 Service 负责内部应用程序与 API 服务器)。此 Kubernetes 服务 VIP 由 kube-proxy 配置为每个节点负载平衡。
有关 kubernetes.default.svc 和 kubernetes 控制器的更多信息,请参见 here。
Cluster <-> Master communication
All communication paths from the cluster to the master terminate at the apiserver (none of the other master components are designed to expose remote services). In a typical deployment, the apiserver is configured to listen for remote connections on a secure HTTPS port (443) The kubernetes service is configured with a virtual IP address that is redirected (via kube-proxy) to the HTTPS endpoint on the apiserver.
There are two primary communication paths from the master (apiserver) to the cluster. The first is from the apiserver to the kubelet process which runs on each node in the cluster. The second is from the apiserver to any node, pod, or service through the apiserver’s proxy functionality.
此外,您可以通过阅读 master-node-communication and control-plane-node-communication.
了解有关集群内通信的更多信息