Linux：k8s集群访问集群外部服务（Endpoints）

k8s集群访问集群外部服务（Endpoints）

像数据库这个的服务我们一般是不会用k8s直接来跑的，最好是部署在集群外部的服务器，那么集群内部的pod怎么去访问外部的服务呢？可以使用Endpoints将外部的服务映射到集群内部，然后集群内部就能进行解析，直接访问。实际上，不映射到集群内部，也是可以访问的，下面以mysql服务为例进行说明。

环境准备
（搭建一个K8S集群，略）
master 192.168.146.10
node1 192.168.146.11
node2 192.168.146.12
node3 192.168.146.13
在任意一台机器安装数据库

[root@node3 ~]# yum -y install mariadb-server
#授权账户
[root@node3 ~]# systemctl start mariadb
[root@node3 ~]# mysql -uroot -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 5.5.65-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> delete from mysql.user where user="";
Query OK, 2 rows affected (0.00 sec)

MariaDB [(none)]> grant all on *.* to "pod"@"192.168.146.%" identified by "123";
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> select user,host,password from mysql.user;
+------+---------------+-------------------------------------------+
| user | host          | password                                  |
+------+---------------+-------------------------------------------+
| root | localhost     |                                           |
| root | node3         |                                           |
| root | 127.0.0.1     |                                           |
| root | ::1           |                                           |
| pod  | 192.168.146.% | *23AE809DDACAF96AF0FD78ED04B6A265E05AA257 |
+------+---------------+-------------------------------------------+
5 rows in set (0.00 sec)

创建一个pod
（哪个节点都可以，只要你配置了使用kubectl命令）

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: yum
spec:
  selector:
    matchLabels:
      app: yum
  replicas: 1
  template:
    metadata:
      labels:
         app: yum
    spec:
      containers:
      - name: yum
        image: registry.cn-shenzhen.aliyuncs.com/jay23/centos_yum:v1.0
        command: ["sh","-c","sleep 10000"]

进入pod，尝试连接数据库

[root@master mysql]# kubectl apply -f deploy2.yaml
deployment.apps/yum created
[root@master mysql]# kubectl get po
NAME                          READY   STATUS        RESTARTS   AGE
counter                       1/1     Running       0          5h4m
dummylogs-6d66db57f8-bp2t5    1/1     Running       1          4h44m
dummylogs-6d66db57f8-k4z76    1/1     Running       1          4h44m
dummylogs-6d66db57f8-m5b2k    1/1     Running       1          4h44m
dummylogs2-77f4d88788-52cmn   1/1     Running       1          4h44m
dummylogs2-77f4d88788-t996h   1/1     Running       1          4h44m
dummylogs2-77f4d88788-vk4h6   1/1     Running       1          4h44m
yum-d9fc97f8-w6mp8            1/1     Running       0          4s
[root@master mysql]# kubectl exec -it yum-d9fc97f8-w6mp8 -- bash
#安装一个数据库客户端
[root@yum-d9fc97f8-w6mp8 /]# yum -y install mariadb
#测试连接
[root@yum-d9fc97f8-w6mp8 /]# mysql -upod -h192.168.146.13 -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 5.5.65-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

通过以上的实验可以看出，只要宿主机可以通讯，那么pod内也是可以直接通过宿主机的IP访问集群之外的服务。因为虽然是pod发出的请求，实际上经过转发，出去的时候是以宿主机的IP进行访问的，所以我们授权的时候，保证运行pod的宿主机能登录数据库就行了，并不是对pod的IP进行授权。

那么Endpoints的作用是什么呢？
下面我们来创建Endpoints：

---
kind: Service
apiVersion: v1
metadata:
  name: testep          #通过name绑定到下面的Endpoints，否则就用自己的Endpoints
spec:
  ports:
  - port: 3306
---
kind: Endpoints
apiVersion: v1
metadata:
  name: testep      #与上面的name要对应
subsets:
- addresses:
  - ip: 192.168.146.13
  ports:
  - port: 3306

查看Endpoints和Service的关系

[root@master mysql]# vim deploy.yaml
[root@master mysql]# kubectl apply -f deploy.yaml
service/testep unchanged
endpoints/testep configured
[root@master mysql]# kubectl describe svc testep
Name:              testep
Namespace:         default
Labels:            <none>
Annotations:       Selector:  <none>
Type:              ClusterIP
IP:                10.111.21.40
Port:              <unset>  3306/TCP
TargetPort:        3306/TCP
Endpoints:         192.168.146.13:3306   #如果不指定Endpoints，这里就是service的ClusterIP
Session Affinity:  None
Events:            <none>

此时，再进入刚刚的pod进行测试

[root@master mysql]# kubectl exec -it yum-d9fc97f8-w6mp8 -- bash
[root@yum-d9fc97f8-w6mp8 /]# mysql -upod -htestep -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 9
Server version: 5.5.65-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> 

发现可以使用Service的名称访问到数据库，大体的流程是这样的：
pod里面是可以解析svc的名字的，又因为svc的Endpoints链接的是其他机器的数据库，所以可以直接通过svc访问到集群之外的数据库。这就是Endpoints的作用。