Kubernetes:向环境添加入口内部ip
Kubernetes:向环境添加入口内部ip
提问于 2020-01-11 21:28:49
对于.net核心应用程序,我需要nginx入口的内部IP地址来信任代理并处理其转发的报头。
这是在我的应用程序中使用以下代码完成的:
forwardedHeadersOptions.KnownProxies.Add(IPAddress.Parse("10.244.0.16"));现在它是硬编码的。但是,如何将此IP地址放入容器的环境变量中呢?
给定的IP地址似乎是ingress-nginx名称空间中ingress-nginx服务的端点:
❯ kubectl describe service ingress-nginx -n ingress-nginx
Name: ingress-nginx
Namespace: ingress-nginx
Labels: app.kubernetes.io/name=ingress-nginx
app.kubernetes.io/part-of=ingress-nginx
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"app.kubernetes.io/name":"ingress-nginx","app.kubernetes.io/par...
Selector: app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/part-of=ingress-nginx
Type: LoadBalancer
IP: 10.0.91.124
LoadBalancer Ingress: 40.127.224.177
Port: http 80/TCP
TargetPort: http/TCP
NodePort: http 30756/TCP
Endpoints: 10.244.0.16:80
Port: https 443/TCP
TargetPort: https/TCP
NodePort: https 31719/TCP
Endpoints: 10.244.0.16:443
Session Affinity: None
External Traffic Policy: Local
HealthCheck NodePort: 32003
Events: <none>仅供参考:这是我的部署:
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: uwgazon-web
spec:
replicas: 1
paused: true
template:
metadata:
labels:
app: uwgazon-web
spec:
containers:
- name: uwgazon-web
image: uwgazon/web
ports:
- containerPort: 80
resources:
requests:
memory: "128Mi"
cpu: "250m"
limits:
memory: "256Mi"
cpu: "500m"
env:
- name: UWGAZON_RECAPTCHA__SITEKEY
valueFrom:
secretKeyRef:
name: uwgazon-recaptcha
key: client-id
- name: UWGAZON_RECAPTCHA__SERVERKEY
valueFrom:
secretKeyRef:
name: uwgazon-recaptcha
key: client-secret
- name: UWGAZON_MAILGUN__BASEADDRESS
valueFrom:
secretKeyRef:
name: uwgazon-mailgun
key: base-address
- name: UWGAZON_APPLICATIONINSIGHTS__INSTRUMENTATIONKEY
valueFrom:
secretKeyRef:
name: uwgazon-appinsights
key: instrumentationkey
- name: APPINSIGHTS_INSTRUMENTATIONKEY
valueFrom:
secretKeyRef:
name: uwgazon-appinsights
key: instrumentationkey
- name: UWGAZON_MAILGUN__APIKEY
valueFrom:
secretKeyRef:
name: uwgazon-mailgun
key: api-key
- name: UWGAZON_MAILGUN__TOADDRESS
valueFrom:
secretKeyRef:
name: uwgazon-mailgun
key: to-address
- name: UWGAZON_BLOG__NAME
valueFrom:
configMapKeyRef:
name: uwgazon-config
key: sitename
- name: UWGAZON_BLOG__OWNER
valueFrom:
configMapKeyRef:
name: uwgazon-config
key: owner
- name: UWGAZON_BLOG__DESCRIPTION
valueFrom:
configMapKeyRef:
name: uwgazon-config
key: description和我的入口配置
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: uwgazon-web-ingress
annotations:
cert-manager.io/issuer: "uwgazon-tls-issuer"
spec:
tls:
- hosts:
- uwgazon.sdsoftware.be
secretName: uwgazon-sdsoftware-be-tls
rules:
- host: uwgazon.sdsoftware.be
http:
paths:
- backend:
serviceName: uwgazon-web
servicePort: 80回答 1
Stack Overflow用户
回答已采纳
发布于 2020-01-12 16:21:37
我找到了这个问题的解决方案,专门针对Asp.net核心。
首先,您必须将代理加入白名单,否则转发的headers中间件将无法工作。
我发现,你实际上可以将整个网络列入白名单。这样,您就可以信任集群中的所有内容。Kubernetes使用10.0.0.0/8网络(子网掩码0.255.255.255)。信任它,可以使用以下代码来完成:
services.Configure<ForwardedHeadersOptions>(forwardedHeadersOptions =>
{
forwardedHeadersOptions.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
forwardedHeadersOptions.KnownNetworks.Add(new IPNetwork(IPAddress.Parse("10.0.0.0"), 8));
});页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/59694851
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号