I am using Helm + Kubernetes and trying to set up a local cluster that has a PostgreSQL database. However, the DNS name it provides does not seem to be reachable from any pod in the same namespace.
I am using this chart for PostgreSQL: https://artifacthub.io/packages/helm/bitnami/postgresql
Some brief findings:
These are my findings so far and how I set it up, below.
helm upgrade -i postgresql bitnami/postgresql \
--create-namespace \
--namespace postgres \
--values ./postgresql.yaml
My postgresql.yaml (values file):
image:
  registry: docker.io
  repository: bitnami/postgresql
  tag: 16.2.0-debian-12-r15
  digest: ""
  pullPolicy: IfNotPresent
  pullSecrets: []
  debug: false
global:
  postgresql:
    service:
      ports:
        postgresql: "5432"
nameOverride: "postgresql"
fullnameOverride: "postgresql"
service:
  type: ClusterIP
  ports:
    postgresql: 5432
auth:
  enablePostgresUser: true
  postgresPassword: "postgres"
  username: "root"
  password: "root"
  database: "test_db"
  replicationUsername: repl
  replicationPassword: "repl"
  secretKeys:
    adminPasswordKey: postgres-password
    userPasswordKey: password
  usePasswordFiles: false
architecture: standalone
containerPorts:
  postgresql: 5432
audit:
  logHostname: false
  logConnections: false
  logDisconnections: false
  pgAuditLog: ""
  pgAuditLogCatalog: "off"
  clientMinMessages: error
  logLinePrefix: ""
  logTimezone: ""
postgresqlDataDir: /bitnami/postgresql/data
resources:
  limits:
    cpu: 1
    memory: 1000Mi
  requests:
    cpu: 500m
    memory: 500Mi
metrics:
  enabled:
Then I installed dnsutils to test it:
kubectl apply -f dns-test.yaml
With dns-test.yaml:
apiVersion: v1
kind: Pod
metadata:
  name: dnsutils
  namespace: postgres
spec:
  containers:
  - name: dnsutils
    image: registry.k8s.io/e2e-test-images/jessie-dnsutils:1.3
    command:
    - sleep
    - "infinity"
    imagePullPolicy: IfNotPresent
  restartPolicy: Always
Then I tried the dig command inside the dnsutils pod (in the postgres namespace):
kubectl exec -n postgres -i -t dnsutils -- dig postgresql.postgres.svc.cluster.local
Result:
; <<>> DiG 9.9.5-9+deb8u15-Debian <<>> postgresql.postgres.svc.cluster.local
;; global options: +cmd
;; connection timed out; no servers could be reached
command terminated with exit code 9
I checked the resolv.conf of dnsutils and compared it with the one in postgresql:
kubectl exec -ti dnsutils -n postgres -- cat /etc/resolv.conf
Result:
nameserver 10.96.0.10
search postgres.svc.cluster.local svc.cluster.local cluster.local
options ndots:5
resolv.conf in the postgresql pod:
nameserver 10.96.0.10
search postgres.svc.cluster.local svc.cluster.local cluster.local
options ndots:5
Then I checked the endpoints of the postgresql service:
NAME         ENDPOINTS          AGE
postgresql   10.1.0.120:5432    107m
It looks like the port is exposed.
Checking the network policy:
kubectl describe networkpolicy postgresql --namespace=postgres
Result:
Name:         postgresql
Namespace:    postgres
Created on:   2024-05-07 10:32:33 +0200 CEST
Labels:       app.kubernetes.io/component=primary
              app.kubernetes.io/instance=postgresql
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=postgresql
              app.kubernetes.io/version=16.2.0
              helm.sh/chart=postgresql-15.2.5
Annotations:  meta.helm.sh/release-name: postgresql
              meta.helm.sh/release-namespace: postgres
Spec:
  PodSelector:     app.kubernetes.io/component=primary,app.kubernetes.io/instance=postgresql,app.kubernetes.io/name=postgresql
  Allowing ingress traffic:
    To Port: 5432/TCP
    From: <any> (traffic not restricted by source)
  Allowing egress traffic:
    To Port: <any> (traffic allowed to all ports)
    To: <any> (traffic not restricted by destination)
  Policy Types: Ingress, Egress
Checking the pod status:
kubectl get pods -n postgres --selector=app.kubernetes.io/component=primary,app.kubernetes.io/instance=postgresql,app.kubernetes.io/name=postgresql
Result:
NAME           READY   STATUS    RESTARTS   AGE
postgresql-0   1/1     Running   0          134m
Checking the pod logs:
kubectl logs postgresql-0 -n postgres
Result:
postgresql 08:32:33.99 INFO ==>
postgresql 08:32:33.99 INFO ==> Welcome to the Bitnami postgresql container
postgresql 08:32:33.99 INFO ==> Subscribe to project updates by watching https://github.com/bitnami/containers
postgresql 08:32:33.99 INFO ==> Submit issues and feature requests at https://github.com/bitnami/containers/issues
postgresql 08:32:33.99 INFO ==> Upgrade to Tanzu Application Catalog for production environments to access custom-configured and pre-packaged software components. Gain enhanced features, including Software Bill of Materials (SBOM), CVE scan result reports, and VEX documents. To learn more, visit https://bitnami.com/enterprise
postgresql 08:32:33.99 INFO ==>
postgresql 08:32:34.09 INFO ==> ** Starting PostgreSQL setup **
postgresql 08:32:34.19 INFO ==> Validating settings in POSTGRESQL_* env vars..
postgresql 08:32:34.19 INFO ==> Loading custom pre-init scripts...
postgresql 08:32:34.28 INFO ==> Initializing PostgreSQL database...
postgresql 08:32:34.29 INFO ==> pg_hba.conf file not detected. Generating it...
postgresql 08:32:34.40 INFO ==> Generating local authentication configuration
postgresql 08:32:34.49 INFO ==> Deploying PostgreSQL with persisted data...
postgresql 08:32:34.87 INFO ==> Configuring replication parameters
postgresql 08:32:35.29 INFO ==> Configuring fsync
postgresql 08:32:35.37 INFO ==> Configuring synchronous_replication
postgresql 08:32:35.97 INFO ==> Loading custom scripts...
postgresql 08:32:36.07 INFO ==> Enabling remote connections
postgresql 08:32:36.17 INFO ==> ** PostgreSQL setup finished! **
postgresql 08:32:36.37 INFO ==> ** Starting PostgreSQL **
2024-05-07 08:32:36.601 GMT [1] LOG: pgaudit extension initialized
2024-05-07 08:32:36.800 GMT [1] LOG: starting PostgreSQL 16.2 on aarch64-unknown-linux-gnu, compiled by gcc (Debian 12.2.0-14) 12.2.0, 64-bit
2024-05-07 08:32:36.801 GMT [1] LOG: listening on IPv4 address "0.0.0.0", port 5432
2024-05-07 08:32:36.801 GMT [1] LOG: listening on IPv6 address "::", port 5432
2024-05-07 08:32:36.806 GMT [1] LOG: listening on Unix socket "/tmp/.s.PGSQL.5432"
2024-05-07 08:32:36.814 GMT [93] LOG: database system was shut down at 2024-05-07 08:29:19 GMT
2024-05-07 08:32:36.900 GMT [1] LOG: database system is ready to accept connections
2024-05-07 08:37:36.869 GMT [91] LOG: checkpoint starting: time
2024-05-07 08:37:36.894 GMT [91] LOG: checkpoint complete: wrote 3 buffers (0.0%); 0 WAL file(s) added, 0 removed, 0 recycled; write=0.010 s, sync=0.001 s, total=0.027 s; sync files=2, longest=0.001 s, average=0.001 s; distance=0 kB, estimate=0 kB; lsn=0/1915B40, redo lsn=0/1915B08
So, two questions:
According to this official doc:
For example, a Service of type ClusterIP can be created in Kubernetes. However, it can only be accessed by other Pods within the same namespace. The Service does not map directly to an external IP; instead it has a Service IP address. Pods within the same namespace can reach the Service using the Service name postgresql.postgres.svc.cluster.local, and this is automatically resolved to the Service's cluster IP by the kube-dns service.
Because it is a private IP address inside the cluster network (not exposed externally), you cannot connect to it from outside the postgres namespace using the ClusterIP address.
DNS resolution of postgresql.postgres.svc.cluster.local works as expected for pods in the postgres namespace, i.e. they can connect to the service using this name; however, the cluster IP itself is not suitable for external connections.
To connect within the namespace, use the service name; for external access, consider a NodePort or a dedicated ingress controller with appropriate security configuration.
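An added worked example (my own code, not from the question, the answer or the Bitnami chart) of the resolver behaviour behind the symptom above: it parses the resolv.conf shown in the question, reproduces the order in which the glibc resolver tries a name under ndots:5, and classifies the dig output so the failure is attributed to the right layer. The resolv.conf and dig text are copied from the post; the function names are mine.

```python
# Added example, not from the original post: how a pod's resolver treats the names
# in the question, and what the dig error actually tells you.
import re

# Copied from the resolv.conf shown in the question (both pods had the same one).
RESOLV_CONF = """nameserver 10.96.0.10
search postgres.svc.cluster.local svc.cluster.local cluster.local
options ndots:5
"""

# Copied from the dig output in the question.
DIG_OUTPUT = """; <<>> DiG 9.9.5-9+deb8u15-Debian <<>> postgresql.postgres.svc.cluster.local
;; global options: +cmd
;; connection timed out; no servers could be reached
"""


def parse_resolv_conf(text):
    """Return nameservers, search domains and ndots from a resolv.conf body."""
    conf = {"nameservers": [], "search": [], "ndots": 1}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "nameserver":
            conf["nameservers"].append(parts[1])
        elif parts[0] == "search":
            conf["search"] = parts[1:]
        elif parts[0] == "options":
            for opt in parts[1:]:
                if opt.startswith("ndots:"):
                    conf["ndots"] = int(opt.split(":", 1)[1])
    return conf


def query_candidates(name, conf):
    """Order in which the glibc resolver tries a name: a trailing dot is absolute;
    a name with fewer than ndots dots goes through the search list first, so even
    postgresql.postgres.svc.cluster.local (4 dots) costs several queries under ndots:5."""
    if name.endswith("."):
        return [name]
    via_search = [f"{name}.{domain}." for domain in conf["search"]]
    absolute = [name + "."]
    return absolute + via_search if name.count(".") >= conf["ndots"] else via_search + absolute


def classify_dig(output):
    """Separate 'the nameserver never answered' from 'the name does not exist'."""
    if "no servers could be reached" in output:
        return "nameserver unreachable"  # UDP/TCP 53 to 10.96.0.10 is failing, not the lookup
    status = re.search(r"status: (\w+)", output)
    if status is None:
        return "unknown"
    return {"NOERROR": "resolved", "NXDOMAIN": "name does not exist"}.get(status.group(1), status.group(1))
```

"no servers could be reached" means the pod got no answer from 10.96.0.10 at all, so the next things to check are the CoreDNS pods and endpoints in kube-system and whether any policy selecting the client pod blocks egress on UDP/TCP port 53; an NXDOMAIN would instead point at the service name or namespace.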