Exposing a UDP service from k8s while preserving the client IP address

Requirements

A containerized DNS app such as BIND; preserve the client address; the k8s service exposes a single external address; needs an LB service.

Discussion of possible options

  • Service type ClusterIP
    Preserves the client IP by default; only reachable from inside the cluster.

  • Setting a static route to the ClusterIP to reach it from outside: not a good option.

  • Service type NodePort
    Not preserved by default, but service.spec.externalTrafficPolicy=Local makes it work; putting an LB in front gives a single external IP, but that brings many problems.

  • Service type LoadBalancer
    Does not preserve the client IP address by default.
    Cloud providers such as Google/AWS support preserving the client address, but the MetalLB (on-premises) approach does not support it yet.

    • MetalLB

      1. Layer 2 (ARP)
        Currently does not preserve the client IP. A mode that preserves it is under development, with no estimated date.
        MetalLB itself does not yet support the PROXY protocol, and neither does BIND, so the PROXY protocol approach is not possible either.
      2. BGP supports preserving the client IP
        Needs a BGP router. Is a software BGP router feasible?
  • ingress-nginx, NodePort mode (on-premises)

    1. PROXY protocol
      Does not support UDP.
      UDP support could be developed, but it would also need UDP PROXY protocol development on the nginx side.
    2. Proxy with bind IP transparent mode, or DSR
      Requires routes etc. to be set up on both the container/pod backend and the nginx side.
      Need to get familiar with basic ingress-nginx first, then explore a convenient way to do the container-side network setup. Is there one?
  • Other ingress options such as HAProxy, Envoy and Traefik do not currently support UDP load balancing.

  • An ECMP-based approach
    https://github.com/Mirantis/k8s-externalipcontroller/blob/master/doc/ecmp-load-balancing.md
    Worth exploring.
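The NodePort variant discussed above, as an added example that is not part of the original post: a Service manifest exposing a containerized BIND pod on UDP/53 with externalTrafficPolicy set to Local, the setting that keeps the real client source address. The namespace dns, the label app=bind and nodePort 30053 are assumptions chosen for this example.

```yaml
# Added example, not from the original post.
# Assumptions: BIND pods carry the label app=bind and listen on 53/udp;
# the namespace "dns" and nodePort 30053 are placeholders.
apiVersion: v1
kind: Service
metadata:
  name: bind-udp
  namespace: dns
spec:
  type: NodePort
  selector:
    app: bind
  ports:
    - name: dns-udp
      protocol: UDP
      port: 53
      targetPort: 53
      nodePort: 30053
  # The default value, Cluster, lets kube-proxy forward a packet to a pod on
  # another node and SNATs it to the node address, so BIND logs the node IP
  # instead of the client IP.
  # Local only delivers to pods on the node that received the packet and
  # skips the SNAT, so the client IP is preserved. A node without a local
  # bind pod drops the packet, so any LB in front must only send to nodes
  # that actually run a pod.
  externalTrafficPolicy: Local
```

To check the effect, enable query logging in BIND and send a query to <node-ip>:30053 from outside the cluster; the logged client address should be the real source, not a node address.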

todo

  • Get ingress-nginx working first.
  • Use NodePort, since we only have a single-node cluster; with a multi-node k8s cluster it would not work well.
  • What are the drawbacks of the kubectl port-forward approach?
  • Explore the last, ECMP-based approach while developing MetalLB support in parallel.

analysis

Some candidate solutions. Abbreviations: efailover = external failover, ifailover = internal failover; likewise for load balancing, eloadbalance = elb.

  1. nginx ingress (NodePort) + DNS service (no elb, no efailover, not considering ingress-nginx's LB feature);
  2. keepalive-vip + nginx ingress (NodePort) + DNS service: only efailover, and ingress-nginx adds the LB feature;
  3. keepalive-vip + DNS service (NodePort): no elb, only efailover;
  4. MetalLB BGP + nginx ingress (LoadBalancer type) + DNS service (has elb and efailover, and ingress adds the LB feature);
  5. MetalLB BGP + DNS service (fewer components than the above; has elb + efailover);
  6. MetalLB layer 2 + DNS service (fewer components than the above; has efailover, no elb);
  7. MetalLB layer 2 + nginx ingress (LoadBalancer type) + DNS service (has efailover, and ingress adds the LB feature);
  8. k8s-externalipcontroller? Needs exploring later.

We need to preserve the client IP and need the elb feature, so I think these three solutions are promising:
2, but ingress-nginx needs UDP proxy bind configuration.
5 looks simple, but needs the BGP pieces.
7 uses layer 2, but preserving the client IP is not implemented yet.
