Requirement:
We have quite a few K8S Pods running for our Web and ETL services. We need to let the Pods to acccess files saved in OCI Object storage . The OCI object storage API endpoints are internet facing HTTP REST API. However the K8S cluster is running behind firewall. The worker nodes are access internet fine via proxy. The Pods have some difficultiesThe reason pods have difficulties to access internet is due to Pods have it's own DNS server. The nameserver of /etc/resolv.conf in Pods are based on K8S cluster , not worker node resolv.conf
Pods can't use worker node resolv.conf as it may cause conflicts for K8S internal DNS service which suppose to be in separated network.
But the good thing is it only due to the DNS service can't resolve IP of proxy server, IP addresses of proxy are pingable, we can use IP address for our Pods proxy settings .
Solution:
- $kubectl get pod
- $kubectl exec -it <pod name> /bin/bash
- ie Proxy server IP address is 123.123.123.123
- <pod name>$ export http_proxy=http://123.123.123.123:80
- <pod name>$ export https_proxy=http://123.123.123.123:80
- Then we can use OCI Cli or andy SDK to access OCI services on internet in the Pods
- Please remember the changes above are ephemeral. It will be lost after pods restart.
- We can add these commands in the dockerfile , or in the scripts to make sure internet are accessiable in the Pods
No comments:
Post a Comment