AKS kubenet with bring-your-own subnet and route table, and AGIC integration
Just a question. On the Microsoft page
https://learn.microsoft.com/en-us/azure/aks/configure-kubenet#bring-your-own-subnet-and-route-table-with-kubenet
it says:
"With kubenet, a route table must exist on your cluster subnet(s). AKS supports bringing your own existing subnet and route table.
If your custom subnet does not contain a route table, AKS creates one for you and adds rules to it throughout the cluster lifecycle. If your custom subnet contains a route table when you create your cluster, AKS acknowledges the existing route table during cluster operations and adds/updates rules accordingly for cloud provider operations."
Also, for AGIC with Application Gateway, you need to link this route table to the Application Gateway subnet if it's kubenet:
https://learn.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure
"If you're using kubenet with Azure Kubernetes Service (AKS) and Application Gateway Ingress Controller (AGIC), you'll need a route table to allow traffic sent to the pods from Application Gateway to be routed to the correct node. This won't be necessary if you use Azure CNI."
So this brings up an interesting question: what if my client wants to have default traffic from the AKS subnet (0.0.0.0/0) go to an NVA such as Azure Firewall? I don't think this is very uncommon. However, this seems to break the Application Gateway subnet, because the Application Gateway subnet doesn't allow a default route to an NVA.
How to get around that? Perhaps two route tables, but I'm wondering if AKS can update both?
Comments (1)
Hey OP, this is a tricky one, but Microsoft does have some documentation for it. The App Gateway needs to be able to route to the internet and the backend cluster. (https://learn.microsoft.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway)
I use the following configuration:
Route Table #1
Route 1
Route 2
Associated Subnet: AKS Cluster Subnet
Route Table #2
Route 1
Route 2
Associated Subnet: App Gateway Subnet
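The two-table layout above, worked through as an added example (this is not code from the question or the comment, and not Microsoft's tooling). It assumes the AKS-managed route entries look like the constructed `AKS_MANAGED_ROUTES` below (one per-node route, pod CIDR to node private IP, next hop VirtualAppliance, in the same JSON shape the Azure route-table API returns), that the firewall's private IP is 10.250.0.4, and that AKS only keeps the table attached to the cluster subnet up to date, so a second table on the Application Gateway subnet has to be synced by you. Table #1 gets the AKS routes plus 0.0.0.0/0 to the firewall; table #2 gets only copies of the pod routes with 0.0.0.0/0 left on Internet, and a check flags any default route to an NVA on the gateway side.

```python
import ipaddress
from copy import deepcopy

DEFAULT_PREFIX = "0.0.0.0/0"

# Constructed sample of the entries AKS writes into the kubenet route table:
# one route per node, pod CIDR -> node private IP via VirtualAppliance.
# Names and addresses are invented for this example.
AKS_MANAGED_ROUTES = [
    {"name": "aks-nodepool1-12345678-vmss000000",
     "properties": {"addressPrefix": "10.244.0.0/24",
                    "nextHopType": "VirtualAppliance",
                    "nextHopIpAddress": "10.240.0.4"}},
    {"name": "aks-nodepool1-12345678-vmss000001",
     "properties": {"addressPrefix": "10.244.1.0/24",
                    "nextHopType": "VirtualAppliance",
                    "nextHopIpAddress": "10.240.0.5"}},
]


def is_pod_route(route, pod_cidr):
    """True for an AKS kubenet per-node route (a pod CIDR inside pod_cidr
    pointed at a node IP); False for default routes and anything else."""
    props = route["properties"]
    return (props["nextHopType"] == "VirtualAppliance"
            and ipaddress.ip_network(props["addressPrefix"])
            .subnet_of(ipaddress.ip_network(pod_cidr)))


def build_aks_subnet_routes(aks_routes, firewall_private_ip):
    """Route table #1 (AKS cluster subnet): the AKS-managed pod routes plus a
    default route that forces node egress through the firewall NVA."""
    routes = deepcopy(aks_routes)
    routes.append({"name": "default-to-firewall",
                   "properties": {"addressPrefix": DEFAULT_PREFIX,
                                  "nextHopType": "VirtualAppliance",
                                  "nextHopIpAddress": firewall_private_ip}})
    return routes


def build_appgw_subnet_routes(aks_routes, pod_cidr):
    """Route table #2 (Application Gateway subnet): copies of the pod routes
    so the gateway reaches pod IPs via the right node, with the default route
    kept on Internet (no NVA next hop for 0.0.0.0/0 on this subnet)."""
    routes = deepcopy([r for r in aks_routes if is_pod_route(r, pod_cidr)])
    routes.append({"name": "default-to-internet",
                   "properties": {"addressPrefix": DEFAULT_PREFIX,
                                  "nextHopType": "Internet"}})
    return routes


def check_appgw_routes(routes):
    """Return violations: any 0.0.0.0/0 route whose next hop is not Internet.
    Running this over table #1 shows why it cannot be shared with the gateway."""
    problems = []
    for r in routes:
        props = r["properties"]
        if props["addressPrefix"] == DEFAULT_PREFIX and props["nextHopType"] != "Internet":
            problems.append(f"{r['name']}: {DEFAULT_PREFIX} -> {props['nextHopType']}"
                            " is not allowed on the Application Gateway subnet")
    return problems


def sync_pod_routes(aks_routes, appgw_routes, pod_cidr):
    """Bring table #2 in line with table #1 after AKS scales nodes in or out.
    Non-pod routes in table #2 (the Internet default) are preserved.
    Returns (new_appgw_routes, added_names, removed_names)."""
    wanted = {r["name"]: r for r in aks_routes if is_pod_route(r, pod_cidr)}
    current = {r["name"]: r for r in appgw_routes if is_pod_route(r, pod_cidr)}
    added = sorted(set(wanted) - set(current))
    removed = sorted(set(current) - set(wanted))
    kept = [r for r in appgw_routes if not is_pod_route(r, pod_cidr)]
    merged = deepcopy(list(wanted.values())) + kept
    return merged, added, removed


if __name__ == "__main__":
    table1 = build_aks_subnet_routes(AKS_MANAGED_ROUTES, "10.250.0.4")
    print("table #1 reused on the gateway subnet:", check_appgw_routes(table1))
    table2 = build_appgw_subnet_routes(table1, "10.244.0.0/16")
    print("table #2 violations:", check_appgw_routes(table2))
    for r in table2:
        print(r["name"], r["properties"]["addressPrefix"], r["properties"]["nextHopType"])
```

In practice the input to `sync_pod_routes` would be the route list read back from table #1 (for example from `az network route-table route list`), run after every node-pool scale event, since a new node's pod CIDR that is missing from table #2 means the gateway's health probes to pods on that node fail.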