Accessing an external InfluxDb Database from a microk8s pod using selectorless service and manual endpoint?

Summary: I'm struggling to get a pod to connect to a service outside the cluster. Basically, the pod manages to resolve the ClusterIP of the selectorless service, but the traffic doesn't get through. If I hit the ClusterIP of the selectorless service from a cluster host, the traffic does get through.

Overall, I'm still quite new to microk8s and k8s. I hope I'm making sense...

Background:

I'm trying to move part of my infrastructure from a docker-compose setup on a single VM to a microk8s cluster (with 2 nodes).

In docker-compose, I have a Grafana container that connects to an InfluxDb container.

kubectl version:

Client Version: version.Info{Major:"1", Minor:"22+", GitVersion:"v1.22.2-3+9ad9ee77396805", GitCommit:"9ad9ee77396805781cd0ae076d638b9da93477fd", GitTreeState:"clean", BuildDate:"2021-09-30T09:52:57Z", GoVersion:"go1.16.8", Compiler:"gc", Platform:"linux/amd64"}

I now want to set up a Grafana container on the microk8s cluster and have it connect to the InfluxDb that is still running on the docker-compose VM.

All of these VMs are running on an ESXi host.

I have enabled ingress and DNS. I also enabled metallb, although I don't plan to use it here.

I have configured a selectorless service, a remote endpoint, and an egress network policy (currently allow all).

From microk8s-master and slave-1, I can

Inside the pod, if I wget influxdb-service:8086, it resolves to the ClusterIP but then times out. However, I can access (wget) services that point to other pods in the same namespace.

Update:

I have been able to get it working with a workaround, but I don't think it is the right way to do it.

My temporary solution is to expose the selectorless service on metallb and then use that exposed IP in the pod.

Service and Endpoints for InfluxDb

---
apiVersion: v1
kind: Service
metadata:
  name: influxdb-service
  labels:
    app: grafana
spec:
  ports:
    - protocol: TCP
      port: 8086
      targetPort: 8086
---
apiVersion: v1
kind: Endpoints
metadata:
  name: influxdb-service
subsets:
  - addresses:
      - ip: 10.1.2.220
    ports:
      - port: 8086

The service and endpoints show up fine

eso@microk8s-master:~/k8s-grafana$ microk8s.kubectl get endpoints
NAME                ENDPOINTS                             AGE
neo4j-service-lb    10.1.166.176:7687,10.1.166.176:7474   25h
influxdb-service    10.1.2.220:8086                       127m
questrest-service   10.1.166.178:80                       5d
kubernetes          10.1.2.50:16443,10.1.2.51:16443       26d
grafana-service     10.1.237.120:3000                     3h11m

eso@microk8s-master:~/k8s-grafana$ microk8s.kubectl get svc
NAME                TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)                         AGE
kubernetes          ClusterIP      10.152.183.1     <none>        443/TCP                         26d
questrest-service   ClusterIP      10.152.183.56    <none>        80/TCP                          5d
neo4j-service-lb    LoadBalancer   10.152.183.166   10.1.2.60     7474:31974/TCP,7687:32688/TCP   25h
grafana-service     ClusterIP      10.152.183.75    <none>        3000/TCP                        3h13m
influxdb-service    ClusterIP      10.152.183.26    <none>        8086/TCP                        129m

eso@microk8s-master:~/k8s-grafana$ microk8s.kubectl get networkpolicy
NAME                            POD-SELECTOR    AGE
grafana-allow-egress-influxdb   app=grafana     129m
test-egress-influxdb            app=questrest   128m

Describe:

eso@microk8s-master:~/k8s-grafana$ microk8s.kubectl describe svc influxdb-service
Name:              influxdb-service
Namespace:         default
Labels:            app=grafana
Annotations:       <none>
Selector:          <none>
Type:              ClusterIP
IP Family Policy:  SingleStack
IP Families:       IPv4
IP:                10.152.183.26
IPs:               10.152.183.26
Port:              <unset>  8086/TCP
TargetPort:        8086/TCP
Endpoints:         10.1.2.220:8086
Session Affinity:  None
Events:            <none>

eso@microk8s-master:~/k8s-grafana$ microk8s.kubectl describe endpoints influxdb-service
Name:         influxdb-service
Namespace:    default
Labels:       <none>
Annotations:  <none>
Subsets:
  Addresses:          10.1.2.220
  NotReadyAddresses:  <none>
  Ports:
    Name     Port  Protocol
    ----     ----  --------
    <unset>  8086  TCP

Events:  <none>

eso@microk8s-master:~/k8s-grafana$ microk8s.kubectl describe networkpolicy grafana-allow-egress-influxdb
Name:         grafana-allow-egress-influxdb
Namespace:    default
Created on:   2021-11-03 20:53:00 +0000 UTC
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     app=grafana
  Not affecting ingress traffic
  Allowing egress traffic:
    To Port: <any> (traffic allowed to all ports)
    To: <any> (traffic not restricted by destination)
  Policy Types: Egress

Grafana.yml:

eso@microk8s-master:~/k8s-grafana$ cat grafana.yml
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: grafana-pv
spec:
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteMany
  storageClassName: ""
  claimRef:
    name: grafana-pvc
    namespace: default
  persistentVolumeReclaimPolicy: Retain
  nfs:
    path: /mnt/MainVol/grafana
    server: 10.2.0.1
    readOnly: false
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: grafana-pvc
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: ""
  volumeName: grafana-pv
  resources:
    requests:
      storage: 1Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: grafana
  name: grafana
spec:
  selector:
    matchLabels:
      app: grafana
  template:
    metadata:
      labels:
        app: grafana
    spec:
      securityContext:
        fsGroup: 472
        supplementalGroups:
          - 0
      containers:
        - name: grafana
          image: grafana/grafana:7.5.2
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 3000
              name: http-grafana
              protocol: TCP
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /robots.txt
              port: 3000
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 2
          livenessProbe:
            failureThreshold: 3
            initialDelaySeconds: 30
            periodSeconds: 10
            successThreshold: 1
            tcpSocket:
              port: 3000
            timeoutSeconds: 1
          resources:
            requests:
              cpu: 250m
              memory: 750Mi
          volumeMounts:
            - mountPath: /var/lib/grafana
              name: grafana-pv
      volumes:
        - name: grafana-pv
          persistentVolumeClaim:
            claimName: grafana-pvc
---
apiVersion: v1
kind: Service
metadata:
  name: grafana-service
spec:
  ports:
    - port: 3000
      protocol: TCP
      targetPort: http-grafana
  selector:
    app: grafana
  #sessionAffinity: None
  #type: LoadBalancer
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - host: "g2.some.domain.com"
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: grafana-service
            port:
              number: 3000
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: grafana-allow-egress-influxdb
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: grafana
  ingress:
  - {}
  egress:
  - {}
  policyTypes:
  - Egress

Since I haven't gotten much of a response, I'll answer this question with my "workaround". I'm still not sure it is the best approach.

I got it working by exposing the selectorless service on metallb, and then using the exposed IP in grafana

kind: Service
apiVersion: v1
metadata:
  name: influxdb-service-lb
  #namespace: ingress
spec:
  type: LoadBalancer
  loadBalancerIP: 10.1.2.61
#  selector:
#    app: grafana
  ports:
  - name: http
    protocol: TCP
    port: 8086
    targetPort: 8086
---
apiVersion: v1
kind: Endpoints
metadata:
  name: influxdb-service-lb
subsets:
  - addresses:
      - ip: 10.1.2.220
    ports:
      - name: influx
        protocol: TCP
        port: 8086

Then I use the load balancer IP (10.1.2.61) in grafana
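A selectorless Service is linked to its manual Endpoints object by nothing more than a matching metadata.name and namespace; kube-proxy then pairs each Service port with an Endpoints port by port name (both unset counts as equal) and protocol, and DNATs to the Endpoints address:port, so the Service's targetPort plays no role once the selector is gone. Endpoint IPs may not be loopback, link-local, or the ClusterIP of another Service. The script below is an added example, not code from the question, the answer or Kubernetes; it encodes those rules as a static check and runs it over the ClusterIP pair from the question and the LoadBalancer pair from the answer, both transcribed as Python dicts so it runs offline without PyYAML. It also inspects the grafana-allow-egress-influxdb NetworkPolicy: an egress rule of `{}` allows all destinations, and the `ingress: [{}]` stanza is ignored because policyTypes lists only Egress. One caveat when you do scope egress with an ipBlock: whether the policy engine sees the ClusterIP or the already-DNATed endpoint IP depends on the CNI and Service implementation, so allow both addresses on port 8086 together with DNS to kube-dns.

```python
"""Static wiring checks for a selectorless Service plus manual Endpoints.

Added example, not code from the question or from Kubernetes. Rules follow
kube-proxy: Service and Endpoints are linked by name/namespace, ports are
matched by name (unset == unset) and protocol, and the Endpoints port is the
DNAT target. Endpoint IPs may not be loopback, link-local or a ClusterIP.
"""
import ipaddress


def _ns(obj):
    """Namespace of a manifest, defaulting to 'default' like kubectl does."""
    return obj["metadata"].get("namespace", "default")


def check_pair(service, endpoints, cluster_ips=(), network_policies=()):
    """Return a list of findings; an empty list means the wiring looks right."""
    findings = []
    if service["spec"].get("selector"):
        findings.append("Service has a selector; the Endpoints controller "
                        "will overwrite the manual Endpoints object")
    if (service["metadata"]["name"], _ns(service)) != (endpoints["metadata"]["name"], _ns(endpoints)):
        findings.append("Service and Endpoints name/namespace differ; kube-proxy will see no endpoints")

    # kube-proxy keys endpoints by (port name, protocol); the Service targetPort is not consulted.
    ep_keys = {(p.get("name", ""), p.get("protocol", "TCP"))
               for s in endpoints.get("subsets", []) for p in s.get("ports", [])}
    for sp in service["spec"]["ports"]:
        key = (sp.get("name", ""), sp.get("protocol", "TCP"))
        if key not in ep_keys:
            findings.append(f"Service port {sp['port']} (name={key[0]!r}, {key[1]}) has "
                            "no Endpoints port with the same name and protocol")

    for s in endpoints.get("subsets", []):
        for a in s.get("addresses", []):
            ip = ipaddress.ip_address(a["ip"])
            if ip.is_loopback or ip.is_link_local:
                findings.append(f"endpoint {ip} is loopback/link-local, which the API server rejects")
            if str(ip) in cluster_ips:
                findings.append(f"endpoint {ip} is another Service's ClusterIP; "
                                "kube-proxy cannot DNAT to a virtual IP")

    for pol in network_policies:
        name, spec = pol["metadata"]["name"], pol["spec"]
        types = spec.get("policyTypes", [])
        if "Egress" in types and any(rule == {} for rule in spec.get("egress", [])):
            findings.append(f"NetworkPolicy {name} allows all egress; scope it to the "
                            "endpoint IP/port (and the ClusterIP) plus DNS")
        if spec.get("ingress") and "Ingress" not in types:
            findings.append(f"NetworkPolicy {name} has an ingress stanza that is ignored "
                            "because policyTypes lacks Ingress")
    return findings


# Transcribed from the question: the ClusterIP Service/Endpoints pair and the policy.
QUESTION_SERVICE = {"apiVersion": "v1", "kind": "Service",
                    "metadata": {"name": "influxdb-service", "labels": {"app": "grafana"}},
                    "spec": {"ports": [{"protocol": "TCP", "port": 8086, "targetPort": 8086}]}}
QUESTION_ENDPOINTS = {"apiVersion": "v1", "kind": "Endpoints",
                      "metadata": {"name": "influxdb-service"},
                      "subsets": [{"addresses": [{"ip": "10.1.2.220"}], "ports": [{"port": 8086}]}]}
GRAFANA_POLICY = {"kind": "NetworkPolicy",
                  "metadata": {"name": "grafana-allow-egress-influxdb", "namespace": "default"},
                  "spec": {"podSelector": {"matchLabels": {"app": "grafana"}},
                           "ingress": [{}], "egress": [{}], "policyTypes": ["Egress"]}}
# Transcribed from the answer: the LoadBalancer pair (note the differently named ports).
WORKAROUND_SERVICE = {"kind": "Service", "metadata": {"name": "influxdb-service-lb"},
                      "spec": {"type": "LoadBalancer", "loadBalancerIP": "10.1.2.61",
                               "ports": [{"name": "http", "protocol": "TCP",
                                          "port": 8086, "targetPort": 8086}]}}
WORKAROUND_ENDPOINTS = {"kind": "Endpoints", "metadata": {"name": "influxdb-service-lb"},
                        "subsets": [{"addresses": [{"ip": "10.1.2.220"}],
                                     "ports": [{"name": "influx", "protocol": "TCP", "port": 8086}]}]}
# ClusterIPs as listed by `kubectl get svc` in the question.
CLUSTER_IPS = ("10.152.183.1", "10.152.183.56", "10.152.183.166", "10.152.183.75", "10.152.183.26")

if __name__ == "__main__":
    for label, svc, ep, pols in (("question", QUESTION_SERVICE, QUESTION_ENDPOINTS, [GRAFANA_POLICY]),
                                 ("workaround", WORKAROUND_SERVICE, WORKAROUND_ENDPOINTS, [])):
        print(f"== {label} ==")
        for line in check_pair(svc, ep, CLUSTER_IPS, pols) or ["no findings"]:
            print(" -", line)
```

The question's pair passes the wiring checks, which is consistent with the name resolving and the ClusterIP being reachable from the nodes; the two findings it does report are about the policy's scope. For the workaround pair the checker reports that the Service port `http` has no Endpoints port of the same name (`influx`), which is worth confirming against `kubectl get endpointslice` on the cluster before relying on it.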