I recently deployed an Elasticsearch (ES) cluster on AWS. Because of a particular customer requirement, the cluster's three pod nodes had to be exposed to the public internet.
Customer requirement:
Data was being written into indices from the Kibana Dev Tools console. Until now every write went to the ClusterIP of the pods inside EKS, and throughput was dismal.
The customer therefore asked to write to ES quickly from outside the cluster, over the public internet with curl, to solve the throughput problem.
Environment:
```
[root@ip]# kubectl get svc -n elastic-system | grep 9200
quickstart-es-default         ClusterIP   None             <none>   9200/TCP   27d
quickstart-es-http            ClusterIP   172.20.247.209   <none>   9200/TCP   27d
quickstart-es-internal-http   ClusterIP   172.20.246.13    <none>   9200/TCP   27d
[root@ip]# kubectl describe svc quickstart-es-http -n elastic-system
Name:                     quickstart-es-http
Namespace:                elastic-system
Labels:                   common.k8s.elastic.co/type=elasticsearch
                          elasticsearch.k8s.elastic.co/cluster-name=quickstart
Annotations:              <none>
Selector:                 common.k8s.elastic.co/type=elasticsearch,elasticsearch.k8s.elastic.co/cluster-name=quickstart
Type:                     ClusterIP
IP Family Policy:         SingleStack
IP Families:              IPv4
IP:                       172.20.247.209
IPs:                      172.20.247.209
Port:                     https  9200/TCP
TargetPort:               9200/TCP
Endpoints:                10.21.102.107:9200,10.21.38.160:9200,10.21.151.249:9200
Session Affinity:         None
Internal Traffic Policy:  Cluster
Events:                   <none>
```
From the output above, the Service we need to expose is quickstart-es-http; its endpoints are the IPs of the three ES pods, and its 9200 port is named https, so the pods speak TLS.
1. First, create an Ingress that exposes the Service through an ALB.
```
[root@ip]# cat quickstart.yml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: quickstart-es-ingress
  namespace: elastic-system
  annotations:
    alb.ingress.kubernetes.io/success-codes: 200-499
    alb.ingress.kubernetes.io/group.name: shared-alb
    alb.ingress.kubernetes.io/backend-protocol: HTTPS
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 443}]'
    alb.ingress.kubernetes.io/certificate-arn: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    alb.ingress.kubernetes.io/healthcheck-path: /_cluster/health
spec:
  ingressClassName: alb
  rules:
  - host: quickstart.test.com
    http:
      paths:
      - backend:
          service:
            name: quickstart-es-http
            port:
              number: 9200
        path: /
        pathType: Prefix
```
The configuration above declares an Ingress with ingressClassName alb; the AWS Load Balancer Controller creates the ALB and attaches the quickstart-es-http Service as its target group. It also carries a fair number of annotations, so here is what each one does:
- alb.ingress.kubernetes.io/success-codes: 200-499 # With /_cluster/health as the health-check path, the ALB probe carries no credentials and a secured ES answers 401; without this, every target is marked unhealthy. Treating 200-499 as success fixes that, but note that a 404 from a wrong path would also count as healthy.
- alb.ingress.kubernetes.io/group.name: shared-alb # Ingresses in the same EKS cluster that share a group name share one ALB, which saves resources.
- alb.ingress.kubernetes.io/backend-protocol: HTTPS # The ALB talks plain HTTP to pods by default; since the ES pods serve TLS on 9200 (the port is named https), this must be HTTPS or the health check and proxied requests fail.
- alb.ingress.kubernetes.io/scheme: internet-facing # The ALB gets a public address; internal would keep it reachable only from inside the VPC.
- alb.ingress.kubernetes.io/target-type: ip # Register the pod IPs directly as targets rather than going through a NodePort.
- alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 443}]' # Only an HTTPS listener on 443, so client traffic is encrypted.
- alb.ingress.kubernetes.io/certificate-arn: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx # The ACM certificate the listener serves for TLS.
- alb.ingress.kubernetes.io/healthcheck-path: /_cluster/health # The path the ALB probes to check the health of the backend pods.
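Because several of these annotations only work in combination (an HTTPS backend, a health check that will see 401, a certificate for the HTTPS listener), it is worth linting the manifest before applying it. The following is an added example, not code from the original post: it embeds the post's Ingress as a Python dict (the certificate ARN is a placeholder), takes the port name "https" from the `kubectl describe svc` output above, and reports findings for the annotation combinations discussed here. It also flags the one thing the post does not configure: `alb.ingress.kubernetes.io/inbound-cidrs`, a real AWS Load Balancer Controller annotation that restricts which source ranges the internet-facing ALB accepts. The function names `parse_success_codes`, `lint_es_ingress` and `lint_with_changes` are hypothetical; the code uses only the standard library.

```python
"""Pre-deployment lint for an ALB Ingress that exposes an Elasticsearch Service.

Added example (not from the original post). Stdlib only; runs without a cluster.
"""
import copy
import json

ANN = "alb.ingress.kubernetes.io/"

# The post's Ingress rewritten as a dict. The certificate ARN is a placeholder.
INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {
        "name": "quickstart-es-ingress",
        "namespace": "elastic-system",
        "annotations": {
            ANN + "success-codes": "200-499",
            ANN + "group.name": "shared-alb",
            ANN + "backend-protocol": "HTTPS",
            ANN + "scheme": "internet-facing",
            ANN + "target-type": "ip",
            ANN + "listen-ports": '[{"HTTPS": 443}]',
            ANN + "certificate-arn": "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER",
            ANN + "healthcheck-path": "/_cluster/health",
        },
    },
    "spec": {
        "ingressClassName": "alb",
        "rules": [{
            "host": "quickstart.test.com",
            "http": {"paths": [{
                "path": "/", "pathType": "Prefix",
                "backend": {"service": {"name": "quickstart-es-http",
                                        "port": {"number": 9200}}},
            }]},
        }],
    },
}

# Port names as shown by `kubectl describe svc quickstart-es-http`: 9200 is named "https".
SERVICE_PORT_NAMES = {"quickstart-es-http": {9200: "https"}}


def parse_success_codes(spec: str) -> set:
    """Expand an ALB success-codes string ("200", "200-299", "200,301-302") into a set of ints."""
    codes = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            codes.update(range(lo, hi + 1))
        else:
            codes.add(int(part))
    return codes


def lint_es_ingress(manifest: dict, port_names=SERVICE_PORT_NAMES) -> list:
    """Return (severity, message) findings for the annotation combinations the post relies on."""
    ann = manifest["metadata"]["annotations"]
    findings = []

    # 1. Backend protocol: a Service port named "https" means the ALB must speak TLS to the pods.
    backend_proto = ann.get(ANN + "backend-protocol", "HTTP")
    for rule in manifest["spec"]["rules"]:
        for p in rule["http"]["paths"]:
            svc = p["backend"]["service"]
            name, port = svc["name"], svc["port"]["number"]
            if port_names.get(name, {}).get(port) == "https" and backend_proto != "HTTPS":
                findings.append(("error", f"{name}:{port} serves TLS but backend-protocol is {backend_proto}"))

    # 2. Health check: the ALB probes /_cluster/health without credentials, so a secured ES answers 401.
    codes = parse_success_codes(ann.get(ANN + "success-codes", "200"))
    if ann.get(ANN + "healthcheck-path") == "/_cluster/health" and 401 not in codes:
        findings.append(("error", "healthcheck-path /_cluster/health but 401 is not a success code; "
                                  "all targets will be marked unhealthy"))

    # 3. Listener: an HTTPS listener needs a certificate; a plaintext HTTP listener leaks credentials.
    listeners = json.loads(ann.get(ANN + "listen-ports", '[{"HTTP": 80}]'))
    protos = {proto for entry in listeners for proto in entry}
    if "HTTPS" in protos and not ann.get(ANN + "certificate-arn"):
        findings.append(("error", "HTTPS listener configured without certificate-arn"))
    if "HTTP" in protos:
        findings.append(("warn", "plaintext HTTP listener: basic-auth credentials would cross the internet unencrypted"))

    # 4. Exposure: internet-facing with no inbound-cidrs means the ALB accepts connections from any source.
    if ann.get(ANN + "scheme") == "internet-facing" and ANN + "inbound-cidrs" not in ann:
        findings.append(("warn", "internet-facing ALB without inbound-cidrs: ES reachable from 0.0.0.0/0; "
                                 "restrict to the customer's source ranges"))
    return findings


def lint_with_changes(**overrides) -> list:
    """Lint a copy of INGRESS with some annotations overridden (hypothetical what-if variants)."""
    m = copy.deepcopy(INGRESS)
    m["metadata"]["annotations"].update({ANN + k: v for k, v in overrides.items()})
    return lint_es_ingress(m)


if __name__ == "__main__":
    for severity, message in lint_es_ingress(INGRESS):
        print(f"[{severity}] {message}")
```

Run against the post's manifest as written, the lint reports only the inbound-cidrs warning; drop `backend-protocol: HTTPS` or narrow `success-codes` to `200` and it reports the two errors that would otherwise surface as "unhealthy" targets only after the ALB is created.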
2. Configure DNS resolution in Route 53.
Create a record for quickstart.test.com, enable Alias, and point it at the ALB that was created for the EKS cluster.