Exposing GKE mongo to the Internet with access control

Question

I am now trying to implement a new system. My system will be split into 2 clusters. The first is for compute work; CI/CD will change it often and heavily. The other is to protect it from accidents caused by my juniors, and also to save cost, because the compute nodes do not need to use something like 100GB the way the database does.

Now, I am setting up my helm with mongo-replicaset. My configuration works fine. Here is the terminal log from the installation.

Each node gets a 100GB disk. There are 3 nodes.

$ gcloud container clusters create elmo --disk-size=100GB --enable-cloud-logging --enable-cloud-monitoring

I changed the username and password in values.yaml

mongodbUsername: myuser
mongodbPassword: mypassword

But when I jump into the pod, it does not require any authentication from me. I can run show dbs

$ kubectl exec -it ipman-mongodb-replicaset-0 mongo

MongoDB shell version v4.0.6
connecting to: mongodb://127.0.0.1:27017/?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("966e85fd-8857-46ac-a2a4-a8b560e37104") }
MongoDB server version: 4.0.6
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
    http://docs.mongodb.org/
Questions? Try the support group
    http://groups.google.com/group/mongodb-user
2019-03-20T12:15:51.266+0000 I STORAGE  [main] In File::open(), ::open for '//.mongorc.js' failed with Unknown error
Server has startup warnings:
2019-03-20T11:36:03.768+0000 I STORAGE  [initandlisten]
2019-03-20T11:36:03.768+0000 I STORAGE  [initandlisten] ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine
2019-03-20T11:36:03.768+0000 I STORAGE  [initandlisten] **          See http://dochub.mongodb.org/core/prodnotes-filesystem
2019-03-20T11:36:05.082+0000 I CONTROL  [initandlisten]
2019-03-20T11:36:05.082+0000 I CONTROL  [initandlisten] ** WARNING: Access control is not enabled for the database.
2019-03-20T11:36:05.082+0000 I CONTROL  [initandlisten] **          Read and write access to data and configuration is unrestricted.
2019-03-20T11:36:05.083+0000 I CONTROL  [initandlisten]
---
Enable MongoDB's free cloud-based monitoring service, which will then receive and display
metrics about your deployment (disk utilization, CPU, operation statistics, etc).

The monitoring data will be available on a MongoDB website with a unique URL accessible to you
and anyone you share the URL with. MongoDB may use this information to make product
improvements and to suggest MongoDB products and deployment options to you.

To enable free monitoring, run the following command: db.enableFreeMonitoring()
To permanently disable this reminder, run the following command: db.disableFreeMonitoring()
---

rs0:PRIMARY> show dbs
admin   0.000GB
config  0.000GB
local   0.000GB

I can see 2 services running for mongodb-replicaset

$ kubectl describe svc ipman-mongodb-replicaset

Name:              ipman-mongodb-replicaset
Namespace:         default
Labels:            app=mongodb-replicaset
                   chart=mongodb-replicaset-3.9.2
                   heritage=Tiller
                   release=ipman
Annotations:       service.alpha.kubernetes.io/tolerate-unready-endpoints: true
Selector:          app=mongodb-replicaset,release=ipman
Type:              ClusterIP
IP:                None
Port:              mongodb  27017/TCP
TargetPort:        27017/TCP
Endpoints:         10.60.1.5:27017,10.60.2.7:27017,10.60.2.8:27017
Session Affinity:  None
Events:            <none>

$ kubectl describe svc ipman-mongodb-replicaset-client

Name:              ipman-mongodb-replicaset-client
Namespace:         default
Labels:            app=mongodb-replicaset
                   chart=mongodb-replicaset-3.9.2
                   heritage=Tiller
                   release=ipman
Annotations:       <none>
Selector:          app=mongodb-replicaset,release=ipman
Type:              ClusterIP
IP:                None
Port:              mongodb  27017/TCP
TargetPort:        27017/TCP
Endpoints:         10.60.1.5:27017,10.60.2.7:27017,10.60.2.8:27017
Session Affinity:  None
Events:            <none>

I have seen here and here. I have 3 IP addresses. Which one should I use?

I think LoadBalancer may not fit my needs, because it is usually used with backend services to balance load between nodes. In my case, the master does the writes and the replicas do the reads.

$ gcloud compute instances list
NAME                                 ZONE               MACHINE_TYPE   PREEMPTIBLE  INTERNAL_IP  EXTERNAL_IP     STATUS
gke-elmo-default-pool-c5dc6e86-1j8v  asia-southeast1-a  n1-standard-1               10.148.0.59  35.197.148.201  RUNNING
gke-elmo-default-pool-c5dc6e86-5hs4  asia-southeast1-a  n1-standard-1               10.148.0.57  35.198.217.71   RUNNING
gke-elmo-default-pool-c5dc6e86-wh0l  asia-southeast1-a  n1-standard-1               10.148.0.58  35.197.128.107  RUNNING

Questions:

  1. Why is my username:password not taken into account for authentication?
  2. How can I expose my mongo shell and let clients from the Internet use my database server
mongo -u <user> -p <pass> --host kluster.me.com --port 27017

I have looked at the helm chart files. I am worried that I am using k8s the wrong way, so I decided to ask here.

Tags: mongodb authentication service kubernetes access-control

1 Answer

I can't answer the question about the password problem, but using a separate cluster for the database may not be the best choice. By creating a separate cluster you are forced to expose a sensitive database to the whole world. That is not ideal.

I suggest you deploy mongo on your existing cluster. That way, the compute workloads can connect to mongo simply by using the service name as the hostname.

If your mongo needs a bigger drive, just use a persistent disk and specify the size when creating the mongo installation with helm.

For example:

helm install mongo-replicaset --name whatever --set persistentVolume.size=100Gi

In your values.yaml file you have a section called persistence; it should be called persistentVolume

I suggest that your values.yaml contain only the values you want to change rather than everything.
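As an added example (not part of the question or answer above), the following Python script shows the two checks a reviewer would run before publishing this deployment: it scans a mongod startup banner for the "Access control is not enabled" warning the question's log shows, and it inspects a Kubernetes Service spec to tell whether port 27017 is published outside the cluster. The log excerpt and the Service dicts are constructed samples; the LoadBalancer Service is hypothetical and is there only to show the worst case.

```python
# Constructed sample: a shortened copy of the startup banner the question shows.
SAMPLE_LOG = """\
Server has startup warnings:
2019-03-20T11:36:03.768+0000 I STORAGE  [initandlisten] ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine
2019-03-20T11:36:05.082+0000 I CONTROL  [initandlisten] ** WARNING: Access control is not enabled for the database.
2019-03-20T11:36:05.082+0000 I CONTROL  [initandlisten] **          Read and write access to data and configuration is unrestricted.
"""

# Each finding key maps to the literal warning text mongod prints at startup.
WARNINGS = {
    "access_control_disabled": "Access control is not enabled for the database",
    "unrestricted_access": "Read and write access to data and configuration is unrestricted",
    "non_xfs_filesystem": "Using the XFS filesystem is strongly recommended",
}

def audit_startup_log(log_text: str) -> set:
    """Return the set of warning keys present in a mongod startup banner."""
    found = set()
    for line in log_text.splitlines():
        for key, needle in WARNINGS.items():
            if needle in line:
                found.add(key)
    return found

MONGO_PORT = 27017

def service_exposure(svc: dict) -> list:
    """Given a Service manifest (spec.type + spec.ports), say how MongoDB's port is reachable."""
    spec = svc.get("spec", {})
    ports = [p for p in spec.get("ports", []) if MONGO_PORT in (p.get("port"), p.get("targetPort"))]
    if not ports:
        return []
    svc_type = spec.get("type", "ClusterIP")
    if svc_type in ("LoadBalancer", "NodePort"):
        return ["mongo port published outside the cluster via %s" % svc_type]
    return ["mongo port reachable inside the cluster only (%s)" % svc_type]

def risk_level(log_text: str, svc: dict) -> str:
    """Combine both checks: no access control plus external reachability is the worst case."""
    warnings = audit_startup_log(log_text)
    external = any("outside" in e for e in service_exposure(svc))
    if "access_control_disabled" in warnings and external:
        return "critical"
    if "access_control_disabled" in warnings:
        return "high"
    return "medium" if external else "low"

# Constructed manifests: the ClusterIP service from the question and a hypothetical LoadBalancer.
CLUSTER_IP_SVC = {"spec": {"type": "ClusterIP", "ports": [{"port": 27017, "targetPort": 27017}]}}
LOAD_BALANCER_SVC = {"spec": {"type": "LoadBalancer", "ports": [{"port": 27017, "targetPort": 27017}]}}
```

Running `risk_level(SAMPLE_LOG, CLUSTER_IP_SVC)` on the question's own setup yields "high" (unauthenticated, but cluster-internal); swapping in the LoadBalancer Service yields "critical", which is the combination the answer warns against.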
