I'm trying to use Cloud Armor Adaptive Protection in front of a GKE cluster. I found this guide from contino-engineering, and this one from always up always on. However, both of them use a simple hello world example, and I'm trying to get a (hopefully?) more realistic deployment going using the bookinfo example from istio. (I got similar results with the online boutique too.)
The problem is that the backends never become healthy. I assume this is because the health checker can't reach the health check service, but I'm new to all of this and not sure how to verify that.
Here's the TF I use to deploy the cluster. Note that ip_allocation_policy is equivalent to the --enable-ip-aliases gcloud argument... I think. I haven't enabled CloudRun here to keep things simple.
Cluster tf
resource "google_container_cluster" "primary" {
  provider = google-beta
  name     = "my-gke-cluster"
  location = "us-central1"

  # We can't create a cluster with no node pool defined, but we want to only use
  # separately managed node pools. So we create the smallest possible default
  # node pool and immediately delete it.
  remove_default_node_pool = true
  initial_node_count       = 4

  networking_mode = "VPC_NATIVE"
  ip_allocation_policy {
    // Set to blank to have a range chosen with the default size
    cluster_ipv4_cidr_block = ""
  }

  addons_config {
    istio_config {
      disabled = false
      auth     = "AUTH_MUTUAL_TLS"
    }
  }
}
After getting credentials, I apply my backend config to allow(?)/enable(?) the health check.
cat <<EOF > /tmp/backendconfig.yaml
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: my-backendconfig
spec:
  healthCheck:
    requestPath: /healthz/ready
    port: 15021
    type: HTTP
  securityPolicy:
    name: my-security-policy
EOF
kubectl apply -n istio-system -f /tmp/backendconfig.yaml
Then I patch the ingress gateway:
cat <<EOF > /tmp/patch.yaml
spec:
  type: NodePort
metadata:
  annotations:
    cloud.google.com/neg: '{"ingress": true}'
    cloud.google.com/backend-config: '{"default": "my-backendconfig"}'
status: null
EOF
kubectl patch svc istio-ingressgateway -n istio-system --patch-file /tmp/patch.yaml
Finally, apply the ingress resource
cat <<EOF > /tmp/istio-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
spec:
  rules:
  - http:
      paths:
      - path: /*
        pathType: ImplementationSpecific
        backend:
          service:
            name: istio-ingressgateway
            port:
              number: 80
EOF
kubectl apply -n istio-system -f /tmp/istio-ingress.yaml
Roll out new pods for good measure:
kubectl rollout restart deploy -n istio-system
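One concrete thing to verify when a GKE backend never turns healthy is whether the VPC firewall actually admits Google's health-check probe ranges to the port the BackendConfig above points at (15021). This is an added example, not code from the question or from the linked guides: it evaluates rules in the shape of `gcloud compute firewall-rules list --format=json`, the probe source ranges are the ones Google Cloud documents, and the rule set embedded below is constructed.

```python
import ipaddress
import json
import sys

# Source ranges Google Cloud load-balancer health-check probes come from (per Google Cloud docs);
# both must be allowed in, or the backend service reports its NEG endpoints UNHEALTHY.
HEALTH_CHECK_SOURCES = ["130.211.0.0/22", "35.191.0.0/16"]
# Port the BackendConfig in the question sends the probe to (istio-ingressgateway status port).
HEALTH_CHECK_PORT = 15021

def _port_matches(port, spec):
    """spec is a Compute API port entry: a single port '15021' or a range '15000-15100'."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def rule_admits(rule, src_cidr, port):
    """True if rule is an enabled INGRESS allow letting TCP from src_cidr reach port."""
    if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
        return False
    src = ipaddress.ip_network(src_cidr)
    ranges = (ipaddress.ip_network(r, strict=False) for r in rule.get("sourceRanges", []))
    if not any(r.version == src.version and src.subnet_of(r) for r in ranges):
        return False
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol") in ("tcp", "all"):
            ports = entry.get("ports")  # absent means every port of that protocol
            if not ports or any(_port_matches(port, p) for p in ports):
                return True
    return False

def missing_health_check_sources(rules, port=HEALTH_CHECK_PORT):
    """Probe ranges no rule admits on port; empty list means the firewall is not what blocks the probe.
    Caveat: target tags/service accounts and higher-priority deny rules are not evaluated here."""
    return [c for c in HEALTH_CHECK_SOURCES if not any(rule_admits(r, c, port) for r in rules)]

# Constructed sample (not an export from a real project), same field names as the gcloud JSON output.
SAMPLE_RULES = [
    {"name": "allow-hc-partial", "direction": "INGRESS",  # admits only one of the two probe ranges
     "sourceRanges": ["130.211.0.0/22"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["15021"]}]},
    {"name": "allow-hc-disabled", "direction": "INGRESS", "disabled": True,  # disabled: must not count
     "sourceRanges": ["130.211.0.0/22", "35.191.0.0/16"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["15000-15100"]}]},
    {"name": "egress-any", "direction": "EGRESS",  # wrong direction: ignored
     "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
]

if __name__ == "__main__":
    # Pass a file saved from `gcloud compute firewall-rules list --format=json`; else the sample is used.
    rules = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_RULES
    print("probe ranges not admitted on port %d: %s" % (HEALTH_CHECK_PORT, missing_health_check_sources(rules)))
```

An empty result only rules out the VPC firewall; the probe can still fail if the gateway pod does not answer 200 on /healthz/ready at 15021, which you can check separately with kubectl port-forward and curl against the pod.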