I am running a private GKE cluster and want to add a NAT gateway so that I can create firewall rules based on requests coming from the cluster (by default all nodes' public IPs are ephemeral, so they are hard to track).
I am trying to follow the instructions here, and here (creating a high-availability NAT, a variant of the first link).
I can install terraform, create terraform.tfvars in the working directory and run terraform init. When I run terraform plan, I get lots of errors such as:
Error: Unsupported attribute
on ../../main.tf line 51, in module "nat-gateway":
51: module_enabled = "${var.module_enabled}"
An attribute named "module_enabled" is not expected here.
Error: Unsupported attribute
on ../../main.tf line 52, in module "nat-gateway":
52: project = "${var.project}"
An attribute named "project" is not expected here.
Error: Unsupported attribute
on ../../main.tf line 53, in module "nat-gateway":
53: region = "${var.region}"
An attribute named "region" is not expected here.
Error: Unsupported attribute
on ../../main.tf line 54, in module "nat-gateway":
54: zone = "${local.zone}"
An attribute named "zone" is not expected here.
...
I get an error for almost every input to this module (which is what ../../main.tf points to).
module "nat-gateway" {
  source  = "GoogleCloudPlatform/managed-instance-group/google"
  version = "1.1.14"

  module_enabled        = "${var.module_enabled}"
  project               = "${var.project}"
  region                = "${var.region}"
  zone                  = "${local.zone}"
  network               = "${var.network}"
  subnetwork            = "${var.subnetwork}"
  target_tags           = ["${local.instance_tags}"]
  instance_labels       = "${var.instance_labels}"
  service_account_email = "${var.service_account_email}"
  machine_type          = "${var.machine_type}"
  name                  = "${local.name}"
  compute_image         = "${var.compute_image}"
  size                  = 1
  network_ip            = "${var.ip}"
  can_ip_forward        = "true"
  service_port          = "80"
  service_port_name     = "http"
  startup_script        = "${data.template_file.nat-startup-script.rendered}"
  wait_for_instances    = true
  metadata              = "${var.metadata}"
  ssh_fw_rule           = "${var.ssh_fw_rule}"
  ssh_source_ranges     = "${var.ssh_source_ranges}"
  http_health_check     = "${var.autohealing_enabled}"
  update_strategy       = "ROLLING_UPDATE"

  rolling_update_policy = [
    {
      type                  = "PROACTIVE"
      minimal_action        = "REPLACE"
      max_surge_fixed       = 0
      max_unavailable_fixed = 1
      min_ready_sec         = 30
    },
  ]

  access_config = [
    {
      nat_ip = "${element(concat(google_compute_address.default.*.address, data.google_compute_address.default.*.address, list("")), 0)}"
    },
  ]
}
I also noticed that the errors I get are for fields that are declared here but not here, so it looks like some kind of version mismatch.
I tried changing this as shown below, fetching the latest version from GitHub instead of the Terraform registry, but that does not fix the problem.
// before:
module "nat-gateway" {
source = "GoogleCloudPlatform/managed-instance-group/google"
version = "1.1.14"
// after:
module "nat-gateway" {
source = "github.com/GoogleCloudPlatform/terraform-google-managed-instance-group"
My working directory is examples/gke-ha-nat-gateway/, in case that matters. The whole environment is identical to a fresh clone from GitHub, except for terraform.tfvars.
Unfortunately I have no experience with Terraform, so I really don't know how to debug these errors.
Thanks for your help!
Answer 1
Since you are running on GCP, you could consider a Cloud NAT configuration instead of creating your own NAT gateway.
It seems that when a VM accesses services hosted on Google, the "fda3:e722:ac3::/48" address is used. If you access any service outside Google, it will see your NAT IP address. Regarding the issue of the source IP being a random IPv6 address (when the node connects to the site) rather than the static IPv4 address you created, you can add "fda3:e722:ac3:10:30:dXXX:aXX:0/96" to the firewall rule.
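As an added example (not code from the question, the answer, or the managed-instance-group module), here is what the Cloud NAT setup the answer recommends looks like in Terraform 0.12 syntax: a reserved static external IP, a Cloud Router, and a Cloud NAT pinned to that IP so that the cluster's egress address is stable enough to key a firewall rule on. The project, region, network and subnetwork names are placeholders.

```hcl
# Added example: Cloud NAT for a private GKE cluster with a reserved static
# egress IP. Project, region, network and subnetwork values are placeholders
# (assumptions), not taken from the original question.

variable "project"    { default = "my-gcp-project" } # placeholder
variable "region"     { default = "us-central1" }    # placeholder
variable "network"    { default = "gke-vpc" }        # placeholder
variable "subnetwork" { default = "gke-nodes" }      # placeholder

provider "google" {
  project = var.project
  region  = var.region
}

# Reserve a static external IP so the egress address never changes;
# the receiving side can then allow exactly this /32 in its firewall.
resource "google_compute_address" "nat" {
  name         = "gke-nat-ip"
  region       = var.region
  address_type = "EXTERNAL"
}

# A Cloud Router is required to host the NAT configuration.
resource "google_compute_router" "nat" {
  name    = "gke-nat-router"
  region  = var.region
  network = var.network
}

# Cloud NAT itself. MANUAL_ONLY pins egress to the reserved address above
# instead of letting Google auto-allocate (and later change) NAT IPs.
resource "google_compute_router_nat" "nat" {
  name                               = "gke-nat"
  router                             = google_compute_router.nat.name
  region                             = var.region
  nat_ip_allocate_option             = "MANUAL_ONLY"
  nat_ips                            = [google_compute_address.nat.self_link]
  source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"

  # Only the node subnet (including its secondary pod range) is translated.
  subnetwork {
    name                    = var.subnetwork
    source_ip_ranges_to_nat = ["ALL_IP_RANGES"]
  }

  # Log translation failures (e.g. port exhaustion) so egress problems
  # show up in Cloud Logging instead of as silent timeouts.
  log_config {
    enable = true
    filter = "ERRORS_ONLY"
  }
}

# The address to put in the remote firewall rule.
output "nat_egress_ip" {
  value = google_compute_address.nat.address
}
```

After terraform apply, the nat_egress_ip output is the address external services will see. Two caveats worth checking: Cloud NAT only translates traffic from instances that have no external IP of their own, so the GKE node pool must be created with private nodes for this to take effect, and traffic to Google-hosted services still bypasses the NAT IP as the answer describes.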