如果这对您有帮助:对于我工作过的任何项目(或从我认识的人那里听到的消息),容器/服务之间的专用网络都绰绰有余.我的回答完全是我所说的.将这些端点保留在群集中将使它们无法从外部进行设计.最后一件事,为许多内部服务管理许多SSL证书是一个痛苦,如果没有必要,应该避免这种痛苦.Let's say I'm using an GCE ingress to handle traffic from outside the cluster and terminate TLS (https://example.com/api/items), from here the request gets routed to one of two services that are only available inside the cluster. So far so good.What if I have to call service B from service A, should I go all the way and use the cluster's external IP/domain and use HTTPS (https://example.com/api/user/1) to call the service or could I use the internal IP of the service and use HTTP (http://serviceb/api/user/1)? Do I have to encrypt the data or is it "safe" as long as it isn't leaving the private k8s network?What if I want to have "internal" endpoints that should only be accessible from within the cluster - when I'm always using the external https-url those endpoints would be reachable for everyone. Calling the service directly, I could just do a http://serviceb/internal/info/abc. 解决方案 If you need to use the features that you API Gateway is offering (authentication, cache, high availability, load balancing) then YES, otherwise DON'T. The External facing API should contain only endpoints that are used by external clients (from outside the cluster)."safe" is a very relative word and I believe that there are no 100% safe networks. You should put in the balance the probability of "somebody" or "something" sniffing data from the network and the impact that it has on your business if that happens.If this helps you: for any project that I've worked for (or I heard from somebody I know), the private network between containers/services was more than sufficient.Exactly what I was saying on top of the answer. Keeping those endpoints inside the cluster makes them inaccessible by design from outside.One last thing, managing a lot of SSL certificates for a lot of internal services is a pain that one should avoid if not necessary. 这篇关于Kubernetes:我应该使用HTTPS在服务之间进行通信的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持! 上岸,阿里云!