Terway's permissions are configured through the RAM role AliyunCSManagedNetworkRole.
In the RAM console, add the following EIP-related permissions to this role:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "vpc:DescribeVSwitches",
                "vpc:AllocateEipAddress",
                "vpc:DescribeEipAddresses",
                "vpc:AssociateEipAddress",
                "vpc:UnassociateEipAddress",
                "vpc:ReleaseEipAddress"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

CNI:
kubectl edit cm eni-config -n kube-system
Add the following entries to eni_conf:
"enable_eip_pool": "true",
"allow_eip_rob": "true"
Run the following command to recreate the Terway pods:
kubectl delete pod -n kube-system -l app=terway-eniip

Usage

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment-basic
  namespace: sre
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      annotations:
        k8s.aliyun.com/pod-with-eip: "true" # Automatically allocate a public EIP address for the Nginx container.
        #k8s.aliyun.com/pod-eip-instanceid: "eip-1234567890"
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx

Once the Pod is in the Running state, check the value of the k8s.aliyun.com/allocated-eipAddress annotation on the deployed Pod to see the EIP address associated with it. The Pod can be reached through this EIP.
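
Since every Pod carrying these annotations gets a public address, it is worth keeping an inventory of them. The script below is an added example, not part of the original post: it reads the output of `kubectl get pods -A -o json` and lists Pods that carry the annotations shown above. Treating pod-eip-instanceid on its own as an EIP request, the approved_namespaces parameter, and the sample data are assumptions made for illustration.

```python
import json
import sys

# Annotation keys as they appear on this page.
WITH_EIP = "k8s.aliyun.com/pod-with-eip"
EIP_INSTANCE = "k8s.aliyun.com/pod-eip-instanceid"
ALLOCATED = "k8s.aliyun.com/allocated-eipAddress"

def pods_with_eip(pod_list, approved_namespaces=()):
    """List pods that request or hold an EIP; flag those outside approved namespaces."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        ann = meta.get("annotations") or {}  # field may be absent or null
        # Assumption: pod-eip-instanceid alone also counts as an EIP request.
        requested = str(ann.get(WITH_EIP, "")).lower() == "true" or EIP_INSTANCE in ann
        address = ann.get(ALLOCATED)
        if not (requested or address):
            continue
        ns = meta.get("namespace", "default")
        findings.append({
            "pod": f"{ns}/{meta.get('name', '')}",
            "phase": pod.get("status", {}).get("phase", "Unknown"),
            "eip": address,  # None until the allocated-eipAddress annotation is set
            "unapproved": ns not in approved_namespaces,  # hypothetical allowlist
        })
    return findings

# Constructed sample in the shape of `kubectl get pods -A -o json`.
SAMPLE = {"items": [
    {"metadata": {"namespace": "sre", "name": "nginx-deployment-basic-abc12",
                  "annotations": {WITH_EIP: "true", ALLOCATED: "203.0.113.10"}},
     "status": {"phase": "Running"}},
    {"metadata": {"namespace": "dev", "name": "debug-shell",
                  "annotations": {WITH_EIP: "true"}},
     "status": {"phase": "Pending"}},
    {"metadata": {"namespace": "sre", "name": "internal-api", "annotations": None},
     "status": {"phase": "Running"}},
]}

if __name__ == "__main__":
    # Pipe real data in, or run from a terminal without input to use the sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for f in pods_with_eip(data, approved_namespaces=("sre",)):
        mark = "UNAPPROVED" if f["unapproved"] else "ok"
        print(f"{f['pod']}\t{f['phase']}\t{f['eip'] or '-'}\t{mark}")
```

Run it as `kubectl get pods -A -o json | python3 eip_inventory.py` (the file name is arbitrary).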
