How to open a tunnel into a Kubernetes pod or container with tcpserver and netcat

Translator's note: This practical note from the creator of LayerCI is a fine illustration of so-called tips & tricks for Kubernetes (and not only for it). The solution proposed here is just one of several and perhaps not the most obvious one (in some cases the K8s-"native" kubectl port-forward, already mentioned in the comments, may be suitable). However, it at least lets you look at the problem from the standpoint of using classic utilities and combining them further: simple, flexible and powerful at the same time (see "Other ideas" at the end for inspiration).

Imagine a typical situation: you want a port on your local machine to magically forward traffic to a pod/container (or the other way round).

Possible use cases

  1. Check what the HTTP endpoint /healthz returns in a pod in the production cluster.
  2. Attach a TCP debugger on the local machine to a pod.
  3. Access a production database from local database tools without bothering with authentication (localhost usually has root privileges).
  4. Run a one-off migration script against data in the staging cluster without building a container for it.
  5. Connect a VNC session to a pod running a virtual desktop (see XVFB).

A few words about the required tools

Tcpserver is an open-source utility available in most Linux package repositories. It lets you open a local port and pass the traffic received on it, via stdin/stdout, to and from any command you specify:

colin@colin-work:~$ tcpserver 127.0.0.1 8080 echo -e 'HTTP/1.0 200 OK\r\nContent-Length: 19\r\n\r\n<body>hello!</body>'&
[1] 17377
colin@colin-work:~$ curl localhost:8080
<body>hello!</body>colin@colin-work:~$

Netcat does the opposite. It lets you connect to an open port and pass its input/output to stdin/stdout:

colin@colin-work:~$ nc -C httpstat.us 80
GET /200 HTTP/1.0
Host: httpstat.us
HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/10.0
X-AspNetMvc-Version: 5.1
Access-Control-Allow-Origin: *
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Set-Cookie: ARRAffinity=93fdbab9d364704de8ef77182b4d13811344b7dd1ec45d3a9682bbd6fa154ead;Path=/;HttpOnly;Domain=httpstat.us
Date: Fri, 01 Nov 2019 17:53:04 GMT
Connection: close
Content-Length: 0

^C
colin@colin-work:~$

In the example above, netcat requests a page over HTTP. The -C flag makes it append CRLF to the end of each line.

Hooking it up with kubectl: listen on the host and connect to the pod

If we combine the tools above with kubectl, we get the following command:

tcpserver 127.0.0.1 8000 kubectl exec -i web-pod nc 127.0.0.1 8080

Similarly, to reach port 80 inside the pod, it is enough to run curl "127.0.0.1:80":

colin@colin-work:~$ sanic kubectl exec -it web-54dfb667b6-28n85 bash
root@web-54dfb667b6-28n85:/web# apt-get -y install netcat-openbsd
Reading package lists... Done
Building dependency tree
Reading state information... Done
netcat-openbsd is already the newest version (1.195-2).
0 upgraded, 0 newly installed, 0 to remove and 10 not upgraded.
root@web-54dfb667b6-28n85:/web# exit
colin@colin-work:~$ tcpserver 127.0.0.1 8000 sanic kubectl exec -i web-54dfb667b6-28n85 nc 127.0.0.1 8080&
[1] 3232
colin@colin-work:~$ curl localhost:8000/healthz
{"status":"ok"}colin@colin-work:~$ exit

Diagram of how the utilities interact

In the opposite direction: listen in the pod and connect to the host

nc 127.0.0.1 8000 | kubectl exec -i web-pod tcpserver 127.0.0.1 8080 cat

This command lets the pod access port 8000 on the local machine.

Bash script

I wrote a dedicated Bash script that lets you manage the LayerCI production Kubernetes cluster using the method described above:

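kubetunnel() {
    local POD="$1"
    local DESTPORT="$2"
    # Both arguments are required
    if [ -z "$POD" ] || [ -z "$DESTPORT" ]; then
        echo "Usage: kubetunnel [pod name] [destination port]"
        return 1
    fi
    # Stop any tunnel already listening on local port 6666
    pkill -f 'tcpserver 127.0.0.1 6666'
    # Each connection to 127.0.0.1:6666 is piped through kubectl exec to nc inside the pod
    tcpserver 127.0.0.1 6666 kubectl exec -i "$POD" nc 127.0.0.1 "$DESTPORT"&
    echo "Connect to 127.0.0.1:6666 to access $POD:$DESTPORT"
}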

If you add this function to ~/.bashrc, you can easily open a tunnel into a pod with the command kubetunnel web-pod 8080 and then run curl localhost:6666.

  • For a Docker tunnel, you can replace the main line with:
    tcpserver 127.0.0.1 6666 docker exec -i "$CONTAINER" nc 127.0.0.1 "$DESTPORT"
  • For a K3s tunnel, change it to:
    tcpserver 127.0.0.1 6666 k3s kubectl exec …
  • and so on.
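
A hardened variant of the kubetunnel function above, as an added example that is not part of the original article: it validates the pod name and ports before they reach kubectl and nc, and stops a previous tunnel by its stored PID rather than by a pkill -f pattern. The names valid_pod_name, valid_port, kubetunnel_safe and KUBETUNNEL_PID are hypothetical.

```shell
# Added example (hypothetical names). Assumes tcpserver and kubectl on the
# host and nc inside the pod, as elsewhere on this page.

# Accept only DNS-1123 style pod names, so a value such as "--kubeconfig=..."
# can never be parsed by kubectl as an option.
valid_pod_name() {
    local LC_ALL=C
    [ "${#1}" -le 253 ] || return 1
    case "$1" in
        ''|*[!a-z0-9.-]*|[!a-z0-9]*|*[!a-z0-9]) return 1 ;;
    esac
}

# Accept only a decimal port in 1..65535: no sign, no spaces, no leading zero.
valid_port() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# kubetunnel_safe POD DESTPORT [LOCALPORT]
kubetunnel_safe() {
    local pod="$1" destport="$2" localport="${3:-6666}"
    if ! valid_pod_name "$pod" || ! valid_port "$destport" || ! valid_port "$localport"; then
        echo "Usage: kubetunnel_safe [pod name] [destination port] [local port]" >&2
        return 1
    fi
    # Stop only the tunnel this shell started earlier, not every matching process.
    if [ -n "$KUBETUNNEL_PID" ]; then
        kill "$KUBETUNNEL_PID" 2>/dev/null || true
    fi
    # Listen on loopback only; "--" ends kubectl's own option parsing.
    tcpserver 127.0.0.1 "$localport" \
        kubectl exec -i "$pod" -- nc 127.0.0.1 "$destport" &
    KUBETUNNEL_PID=$!
    echo "Connect to 127.0.0.1:$localport to access $pod:$destport (tcpserver pid $KUBETUNNEL_PID)"
}
```

The listener stays on 127.0.0.1, so the tunnel is reachable only by processes on the local machine; every local user can still connect to it while it is open.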

Other ideas

  • You can forward UDP traffic by using netcat -l -u -c in place of tcpserver and netcat -u in place of netcat, respectively.
  • View the input/output with pipe viewer (pv):

    nc 127.0.0.1 8000 | pv --progress | kubectl exec -i web-pod tcpserver 127.0.0.1 8080 cat

  • You can compress and decompress the traffic on both ends with gzip.
  • Connect over SSH to another computer that has the appropriate kubeconfig file:

    tcpserver ssh workcomputer "kubectl exec -i my-pod nc 127.0.0.1 80"

  • By using mkfifo and running two separate kubectl commands, you can connect two pods in different clusters.
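
The mkfifo idea above, sketched as an added example (not from the original article): a named pipe in a private temporary directory carries the return path between two commands. The helper name relay and the context, pod and port values in the usage comment are assumptions.

```shell
# Added example: bidirectional relay between two commands through a private
# FIFO. "relay" is a hypothetical helper name.
relay() {
    local cmd_a="$1" cmd_b="$2" dir fifo rc=0
    # mktemp -d creates a directory only the current user can enter (mode 0700),
    # so other local users cannot open the FIFO to read or inject traffic.
    dir=$(mktemp -d) || return 1
    fifo="$dir/return-path"
    if ! mkfifo -m 600 "$fifo"; then
        rm -rf "$dir"
        return 1
    fi
    # The pipe carries A's stdout to B's stdin; the FIFO carries B's stdout
    # back to A's stdin. Each open of the FIFO blocks until the peer opens it.
    sh -c "$cmd_a" < "$fifo" | sh -c "$cmd_b" > "$fifo" || rc=$?
    rm -rf "$dir"
    return "$rc"
}

# Intended use (assumed context names, pod names and port; needs the
# netcat-openbsd nc in both pods):
#   relay 'kubectl --context cluster-a exec -i pod-a -- nc 127.0.0.1 8080' \
#         'kubectl --context cluster-b exec -i pod-b -- nc -l 127.0.0.1 8080'
# pod-b can then reach pod-a's port 8080 at its own 127.0.0.1:8080
# for a single connection.
```

Both command strings are run with sh -c, so they must come from the operator, never from untrusted input.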

The possibilities are endless!

Source: www.habr.com