GKE: Pubsub messages between pods with push subscr

Published 2019-02-11 08:44

Question:

I am using GKE deployment with multiple pods and I need to send and receive messages between pods. I want to use pubsub push subscribers.

I found for push I need to configure https access for subscribers pods.

In order to receive push messages, you need a publicly accessible HTTPS server to handle POST requests. The server must present a valid SSL certificate signed by a certificate authority and routable by DNS. You also need to validate that you own the domain (or have equivalent access to the endpoint).

Is this really required, or is there some workaround? Does it mean I should expose each subscriber pod with Ingress, even for internal communication?

Answer 1:

If you only need pods to be exposed on a certain port (for pod to pod communication) then you would just need to expose each pod via a service that targets that port (in your case port 443).

For example, by using the following YAML you can create a service which targets a port on a pod(s):

apiVersion: v1
kind: Service
metadata:
  name: my-pod
  labels:
    run: my-pod          # label on the Service itself (was a typo: my--pod)
spec:
  ports:
  - port: 443            # port other pods use to reach the Service
    targetPort: 443      # port the container inside the pod listens on
    protocol: TCP
  selector:
    run: my-pod          # pods carrying this label become the Service endpoints

The above would create a Service which targets TCP port 443 on any Pod with the run: my-pod label. In the file, targetPort is the port the container (within the pod) accepts traffic on, and port is the abstracted Service port, which can be any port other pods use to access the Service.

EDIT:

However, if you need the pods to be able to communicate with the Pub-Sub API, then the ability to communicate externally is required, so yes, Ingress would be recommended.

In response to your question in the comment "I wonder why Google needs to access Kubernetes with public HTTPS instead of some internal request": the reason is that it isn't an internal request. The Pub-Sub API sits outside of your project/network, so data travels across other networks. For it to be secure, it needs to be encrypted; this is the reason HTTPS is used.
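As an added example (not part of the original answer), the following manifests show the Ingress route the answer recommends: a Service in front of the push-subscriber pods and a GKE Ingress that terminates TLS at Google's external load balancer, so the pod itself can listen on plain HTTP inside the cluster. The names `pubsub-push`, the label `run: pubsub-push`, the hostname `push.example.com`, the container port 8080 and the TLS Secret `push-tls` are assumed placeholders.

```yaml
# Added example: expose a push-subscriber Deployment over public HTTPS on GKE.
# Assumptions: pods are labelled run=pubsub-push and listen on 8080;
# push.example.com resolves to the Ingress IP; the Secret push-tls
# (type kubernetes.io/tls) holds a CA-signed certificate for that host.
apiVersion: v1
kind: Service
metadata:
  name: pubsub-push
spec:
  type: NodePort            # GKE Ingress backends must be NodePort or NEG-backed
  selector:
    run: pubsub-push        # pod label of the subscriber Deployment
  ports:
  - port: 80                # Service port the Ingress forwards to
    targetPort: 8080        # container port the push handler listens on
    protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: pubsub-push
  annotations:
    kubernetes.io/ingress.class: "gce"   # external HTTP(S) load balancer
spec:
  tls:
  - secretName: push-tls    # certificate + key presented to Pub/Sub
    hosts:
    - push.example.com
  rules:
  - host: push.example.com
    http:
      paths:
      - path: /push         # push endpoint becomes https://push.example.com/push
        pathType: Prefix
        backend:
          service:
            name: pubsub-push
            port:
              number: 80
```

Because the endpoint is reachable from the Internet, the handler behind it should still authenticate incoming requests rather than trusting anything that arrives on the path.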