Problem description
We have a self-hosted Gitlab Enterprise installation on a Google Compute Engine instance. This instance is protected with a firewall so only our employees can access the server.
When we deploy a Kubernetes cluster (using Gitlab CI), the runners can not access GitLab and thus will not start the CI jobs.
I can manually add the external IP address of the Google Kubernetes instance to our GitLab firewall (GCP Firewall allowing all protocols and ports for the selected IP ranges) and then it will work. But because we have a changing number of Kubernetes instances (and also preemptible instances) we have to do this manually every day.
That is not an optimal situation. I already tried adding internal IP ranges (10.132.0.0/20, 10.0.0.0/8, 10.56.0.0/14) but that was not the solution. The runners still can't reach the GitLab server without specifying the exact instance IP.
What am I missing?
Recommended answer
GKE Nodes appear as VM instances in the GCE platform. They are managed by the master node and they can be deleted (by the kube-controller) if they are deemed unhealthy. Once deleted, they are then recreated. For this reason, the IP addresses are ephemeral. It will be quite challenging to use the external IP address of each VM instance since the IP addresses change all the time. This is not a feasible solution.
One workaround would be to make good use of a NAT Gateway. All outbound traffic from the GKE nodes will be routed to a specific VM instance that would act as a NAT Gateway. You would then have only 1 static IP address which is the external IP address of the NAT Gateway.
You would then have one single static IP address that you could add to the firewall rule.
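The setup the answer describes, as an added example that is not part of the question or the answer: it uses Google's managed Cloud NAT instead of a hand-built NAT VM (a substitution on my part; the idea is the same, one reserved static address for all node egress), reserves that address, and then opens the GitLab VM's firewall to that single /32 only. Every project, region, network, tag and resource name below is an assumed placeholder, and the script defaults to a dry run that prints the gcloud commands instead of executing them (set DRY_RUN=0 to apply).

```shell
#!/bin/sh
# Added example (not from the question or answer): give GKE nodes one static
# egress IP with Google's managed Cloud NAT, then allow only that IP through
# the GitLab instance's firewall. Every name below is an assumed placeholder.
PROJECT="${PROJECT:-my-gcp-project}"          # assumed project id
REGION="${REGION:-europe-west1}"              # assumed region of the GKE cluster
NETWORK="${NETWORK:-default}"                 # VPC shared by GitLab and GKE
GITLAB_TAG="${GITLAB_TAG:-gitlab-server}"     # network tag on the GitLab VM
NAT_IP_NAME="${NAT_IP_NAME:-gke-egress-ip}"
ROUTER_NAME="${ROUTER_NAME:-gke-router}"
NAT_NAME="${NAT_NAME:-gke-nat}"
RULE_NAME="${RULE_NAME:-allow-gke-runners-to-gitlab}"
DRY_RUN="${DRY_RUN:-1}"                       # 1 = print gcloud commands, 0 = run them

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Turn a dotted-quad IPv4 address into a /32 source range; reject anything
# else so a typo cannot silently widen the firewall rule.
source_range() {
  ip="$1"
  old_ifs="$IFS"; IFS=.
  set -f; set -- $ip; set +f
  IFS="$old_ifs"
  if [ "$#" -ne 4 ]; then
    echo "source_range: not an IPv4 address: $ip" >&2
    return 1
  fi
  for octet in "$@"; do
    case "$octet" in
      ''|*[!0-9]*) echo "source_range: bad octet in $ip" >&2; return 1 ;;
    esac
    if [ "$octet" -gt 255 ]; then
      echo "source_range: octet out of range in $ip" >&2
      return 1
    fi
  done
  printf '%s/32\n' "$ip"
}

# Reserve the regional static address the NAT will use.
reserve_static_ip() {
  run gcloud compute addresses create "$NAT_IP_NAME" \
    --project "$PROJECT" --region "$REGION"
}

# Cloud NAT sends all outbound traffic from nodes without external IPs through
# the reserved address, so the GitLab firewall sees one stable source.
create_cloud_nat() {
  run gcloud compute routers create "$ROUTER_NAME" \
    --project "$PROJECT" --network "$NETWORK" --region "$REGION"
  run gcloud compute routers nats create "$NAT_NAME" \
    --project "$PROJECT" --router "$ROUTER_NAME" --region "$REGION" \
    --nat-external-ip-pool "$NAT_IP_NAME" --nat-all-subnet-ip-ranges
}

# Ingress rule on the GitLab VM: only the NAT address, and only the ports the
# runner needs (443 for the API and git over HTTPS, 22 if you clone over SSH).
create_firewall_rule() {
  range=$(source_range "$1") || return 1
  run gcloud compute firewall-rules create "$RULE_NAME" \
    --project "$PROJECT" --network "$NETWORK" \
    --direction INGRESS --action ALLOW --rules tcp:443,tcp:22 \
    --source-ranges "$range" --target-tags "$GITLAB_TAG"
}

reserve_static_ip
create_cloud_nat
if [ "$DRY_RUN" = "1" ]; then
  NAT_IP="${NAT_IP:-203.0.113.7}"   # constructed placeholder (TEST-NET-3) for the dry run
else
  NAT_IP=$(gcloud compute addresses describe "$NAT_IP_NAME" \
    --project "$PROJECT" --region "$REGION" --format='value(address)')
fi
create_firewall_rule "$NAT_IP"
```

Two caveats when applying this. Cloud NAT only carries traffic from nodes that have no external IP of their own, so the cluster's node pools must be private (nodes with public addresses keep using those, which is exactly the ephemeral-IP problem in the question). And the rule deliberately allows tcp:443 and tcp:22 rather than "all protocols and ports" as in the original firewall: the runner only needs the GitLab API and git transport, so anything else reaching the instance from the NAT address stays blocked.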