[zh] synchronize translate access-cluster.md

pull/31150/head
帅进超 2021-12-30 19:30:02 +08:00
parent ed16058154
commit 23aaa92e74
1 changed files with 4 additions and 204 deletions

@ -355,214 +355,14 @@ In each case, the credentials of the pod are used to communicate securely with t
<!--
## Accessing services running on the cluster
The previous section was about connecting the Kubernetes API server. This section is about
connecting to other services running on Kubernetes cluster. In Kubernetes, the
[nodes](/docs/admin/node), [pods](/docs/user-guide/pods) and [services](/docs/user-guide/services) all have
their own IPs. In many cases, the node IPs, pod IPs, and some service IPs on a cluster will not be
routable, so they will not be reachable from a machine outside the cluster,
such as your desktop machine.
The previous section describes how to connect to the Kubernetes API server. For information about connecting to other services running on a Kubernetes cluster, see [Access Cluster Services.](/docs/tasks/access-application-cluster/access-cluster/)
-->
## 访问集群中正在运行的服务 {#accessing-services-running-on-the-cluster}
上一节介绍了如何连接 Kubernetes API 服务。本节介绍如何连接到 Kubernetes
集群上运行的其他服务。
在 Kubernetes 中,[节点](/zh/docs/concepts/architecture/nodes/)、
[pods](/zh/docs/concepts/workloads/pods/) 和
[服务](/zh/docs/concepts/services-networking/service/) 都有自己的 IP。
在许多情况下,集群上的节点 IP、Pod IP 和某些服务 IP 将无法路由,
因此无法从集群外部的计算机(例如桌面计算机)访问它们。
## 访问集群上运行的服务 {#accessing-services-running-on-the-cluster}
<!--
### Ways to connect
上一节介绍了如何连接到 Kubernetes API 服务器。
有关连接到 Kubernetes 集群上运行的其他服务的信息,请参阅[访问集群服务](/zh/docs/tasks/administer-cluster/access-cluster-services/)。
You have several options for connecting to nodes, pods and services from outside the cluster:
- Access services through public IPs.
- Use a service with type `NodePort` or `LoadBalancer` to make the service reachable outside
the cluster. See the [services](/docs/user-guide/services) and
[kubectl expose](/docs/reference/generated/kubectl/kubectl-commands/#expose) documentation.
- Depending on your cluster environment, this may only expose the service to your corporate network,
or it may expose it to the internet. Think about whether the service being exposed is secure.
Does it do its own authentication?
- Place pods behind services. To access one specific pod from a set of replicas, such as for debugging,
place a unique label on the pod and create a new service which selects this label.
- In most cases, it should not be necessary for application developer to directly access
nodes via their nodeIPs.
-->
### 连接的方法 {#ways-to-connect}
有多种方式可以从集群外部连接节点、Pod 和服务:
- 通过公共 IP 访问服务。
- 类型为 `NodePort``LoadBalancer` 的服务,集群外部可以访问。
请参阅 [服务](/zh/docs/concepts/services-networking/service/) 和
[kubectl expose](/docs/reference/generated/kubectl/kubectl-commands/#expose) 文档。
- 取决于你的集群环境,该服务可能仅暴露给你的公司网络,或者也可能暴露给
整个互联网。
请考虑公开该服务是否安全。它是否进行自己的身份验证?
- 在服务后端放置 Pod。要从一组副本中访问一个特定的 Pod例如进行调试
请在 Pod 上设置一个唯一的标签,然后创建一个选择此标签的新服务。
- 在大多数情况下,应用程序开发人员不应该通过其 nodeIP 直接访问节点。
<!--
- Access services, nodes, or pods using the Proxy Verb.
- Does apiserver authentication and authorization prior to accessing the remote service.
Use this if the services are not secure enough to expose to the internet, or to gain
access to ports on the node IP, or for debugging.
- Proxies may cause problems for some web applications.
- Only works for HTTP/HTTPS.
- Described [here](#manually-constructing-apiserver-proxy-urls).
-->
- 使用 proxy 动词访问服务、节点或者 Pod。
- 在访问远程服务之前进行 apiserver 身份验证和授权。
如果服务不能够安全地暴露到互联网,或者服务不能获得节点 IP 端口的
访问权限,或者是为了调试,那么请使用此选项。
- 代理可能会给一些 web 应用带来问题。
- 只适用于 HTTP/HTTPS。
- 更多详细信息在[这里](#manually-constructing-apiserver-proxy-urls)。
<!--
- Access from a node or pod in the cluster.
- Run a pod, and then connect to a shell in it using [kubectl exec](/docs/reference/generated/kubectl/kubectl-commands/#exec).
Connect to other nodes, pods, and services from that shell.
- Some clusters may allow you to ssh to a node in the cluster. From there you may be able to
access cluster services. This is a non-standard method, and will work on some clusters but
not others. Browsers and other tools may or may not be installed. Cluster DNS may not work.
-->
- 从集群中的节点或者 Pod 中访问。
- 运行一个 Pod然后使用 [kubectl exec](/docs/reference/generated/kubectl/kubectl-commands/#exec)
来连接 Pod 里的 Shell。
然后从 Shell 中连接其它的节点、Pod 和服务。
- 有些集群可能允许你通过 SSH 连接到节点,从那你可能可以访问集群的服务。
这是一个非正式的方式,可能可以运行在个别的集群上。
浏览器和其它一些工具可能没有被安装。集群的 DNS 可能无法使用。
<!--
### Discovering builtin services
Typically, there are several services which are started on a cluster by kube-system. Get a list of these
with the `kubectl cluster-info` command:
-->
### 发现内建服务
通常来说,集群中会有 kube-system 创建的一些运行的服务。
通过 `kubectl cluster-info` 命令获得这些服务列表:
```shell
kubectl cluster-info
```
```
Kubernetes master is running at https://104.197.5.247
elasticsearch-logging is running at https://104.197.5.247/api/v1/namespaces/kube-system/services/elasticsearch-logging/proxy
kibana-logging is running at https://104.197.5.247/api/v1/namespaces/kube-system/services/kibana-logging/proxy
kube-dns is running at https://104.197.5.247/api/v1/namespaces/kube-system/services/kube-dns/proxy
grafana is running at https://104.197.5.247/api/v1/namespaces/kube-system/services/monitoring-grafana/proxy
heapster is running at https://104.197.5.247/api/v1/namespaces/kube-system/services/monitoring-heapster/proxy
```
<!--
This shows the proxy-verb URL for accessing each service.
For example, this cluster has cluster-level logging enabled (using Elasticsearch), which can be reached
at `https://104.197.5.247/api/v1/namespaces/kube-system/services/elasticsearch-logging/proxy/` if suitable credentials are passed. Logging can also be reached through a kubectl proxy, for example at:
`http://localhost:8080/api/v1/namespaces/kube-system/services/elasticsearch-logging/proxy/`.
(See [Access Clusters Using the Kubernetes API](/docs/tasks/administer-cluster/access-cluster-api/) for how to pass credentials or use kubectl proxy.)
-->
这展示了访问每个服务的 proxy-verb URL。
例如,如果集群启动了集群级别的日志(使用 Elasticsearch并且传递合适的凭证
那么可以通过
`https://104.197.5.247/api/v1/namespaces/kube-system/services/elasticsearch-logging/proxy/`
进行访问。日志也能通过 kubectl 代理获取,例如:
`http://localhost:8080/api/v1/namespaces/kube-system/services/elasticsearch-logging/proxy/`
(参阅[使用 Kubernetes API 访问集群](/zh/docs/tasks/administer-cluster/access-cluster-api/)
了解如何传递凭据,或者使用 kubectl proxy
<!--
#### Manually constructing apiserver proxy URLs
As mentioned above, you use the `kubectl cluster-info` command to retrieve the service's proxy URL. To create proxy URLs that include service endpoints, suffixes, and parameters, you append to the service's proxy URL:
`http://`*`kubernetes_master_address`*`/api/v1/namespaces/`*`namespace_name`*`/services/`*`service_name[:port_name]`*`/proxy`
If you haven't specified a name for your port, you don't have to specify *port_name* in the URL. You can also use the port number in place of the *port_name* for both named and unnamed ports.
By default, the API server proxies to your service using http. To use https, prefix the service name with `https:`:
`http://`*`kubernetes_master_address`*`/api/v1/namespaces/`*`namespace_name`*`/services/`*`https:service_name:[port_name]`*`/proxy`
The supported formats for the name segment of the URL are:
* `<service_name>` - proxies to the default or unnamed port using http
* `<service_name>:<port_name>` - proxies to the specified port name or port number using http
* `https:<service_name>:` - proxies to the default or unnamed port using https (note the trailing colon)
* `https:<service_name>:<port_name>` - proxies to the specified port name or port number using https
-->
#### 手动构建 apiserver 代理 URL {#manually-constructing-apiserver-proxy-urls}
如上所述,你可以使用 `kubectl cluster-info` 命令来获得服务的代理 URL。
要创建包含服务端点、后缀和参数的代理 URL需添加到服务的代理 URL
`http://`*`kubernetes_master_address`*`/api/v1/namespaces/`*`namespace_name`*`/services/`*`service_name[:port_name]`*`/proxy`
如果尚未为端口指定名称,则不必在 URL 中指定 *port_name*
对于已命名和未命名的端口,也可以使用端口号代替 *port_name*
默认情况下API server 使用 HTTP 代理你的服务。
要使用 HTTPS请在服务名称前加上 `https:`
`http://`*`kubernetes_master_address`*`/api/v1/namespaces/`*`namespace_name`*`/services/`*`https:service_name:[port_name]`*`/proxy`
URL 名称段支持的格式为:
* `<service_name>` - 使用 http 代理到默认或未命名的端口
* `<service_name>:<port_name>` - 使用 http 代理到指定的端口名称或端口号
* `https:<service_name>:` - 使用 https 代理到默认或未命名的端口(注意后面的冒号)
* `https:<service_name>:<port_name>` - 使用 https 代理到指定的端口名称或端口号
<!--
##### Examples
* To access the Elasticsearch service endpoint `_search?q=user:kimchy`, you would use: `http://104.197.5.247/api/v1/namespaces/kube-system/services/elasticsearch-logging/proxy/_search?q=user:kimchy`
* To access the Elasticsearch cluster health information `_cluster/health?pretty=true`, you would use: `https://104.197.5.247/api/v1/namespaces/kube-system/services/elasticsearch-logging/proxy/_cluster/health?pretty=true`
-->
##### 示例
* 要访问 Elasticsearch 服务端点 `_search?q=user:kimchy`,你需要使用:
`http://104.197.5.247/api/v1/namespaces/kube-system/services/elasticsearch-logging/proxy/_search?q=user:kimchy`
* 要访问 Elasticsearch 集群健康信息 `_cluster/health?pretty=true`,你需要使用:
`https://104.197.5.247/api/v1/namespaces/kube-system/services/elasticsearch-logging/proxy/_cluster/health?pretty=true`
```json
{
"cluster_name" : "kubernetes_logging",
"status" : "yellow",
"timed_out" : false,
"number_of_nodes" : 1,
"number_of_data_nodes" : 1,
"active_primary_shards" : 5,
"active_shards" : 5,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 5
}
```
<!--
### Using web browsers to access services running on the cluster
You may be able to put an apiserver proxy url into the address bar of a browser. However:
- Web browsers cannot usually pass tokens, so you may need to use basic (password) auth. Apiserver can be configured to accept basic auth,
but your cluster may not be configured to accept basic auth.
- Some web apps may not work, particularly those with client side javascript that construct urls in a
way that is unaware of the proxy path prefix.
-->
### 使用 web 浏览器访问运行在集群上的服务
你可以在浏览器地址栏中输入 apiserver 代理 URL。但是
- Web 浏览器通常不能传递令牌,因此你可能需要使用基本(密码)身份验证。
Apiserver 可以配置为接受基本身份验证,但你的集群可能未进行配置。
- 某些 Web 应用程序可能无法运行,尤其是那些使用客户端 javascript
以不知道代理路径前缀的方式构建 URL 的应用程序。
<!--
## Requesting redirects
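Review bot: The new summary paragraph links to different targets in the two languages: the English source kept in the comment points at `/docs/tasks/access-application-cluster/access-cluster/`, while the Chinese text points at `/zh/docs/tasks/administer-cluster/access-cluster-services/`. Please confirm which target is intended and that the zh path resolves; the English link text also has the period inside the brackets (`[Access Cluster Services.]`). This change also drops the `{#manually-constructing-apiserver-proxy-urls}` heading and the caution on `NodePort`/`LoadBalancer` exposure ("Does it do its own authentication?"), so check that the linked page carries that guidance and that nothing else still links to the removed anchor.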