About Kubernetes: 26 - Kubernetes (k8s) notes - Ingress (1) - ingress-nginx


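Preface:

What is Ingress?

The official documentation explains it as follows:
Ingress is an API object that manages external access to the services in a cluster, typically over HTTP.
Ingress can provide load balancing, SSL termination and name-based virtual hosting.

Introduction to Ingress
An Ingress object is really an abstraction of a "reverse proxy". Put simply, it is a global load balancer that locates the backend Service from the URL being accessed.
With the Ingress abstraction, K8S does not need to care about the details of Ingress. In practice you only need to choose a specific Ingress Controller and deploy it. Reverse proxy projects commonly used in the industry, such as Nginx, HAProxy, Envoy and Traefik, have all become Ingress Controllers maintained specifically for K8S.
The main content of an Ingress object resembles the description in an Nginx configuration file; the corresponding forwarding rules are the ingressRule.
With the Ingress object, users can choose an Ingress Controller according to their own needs. For example, if the application is very sensitive to interruptions of the proxy service, an Ingress Controller such as Traefik can be used.

Ingress works at layer 7 and Service works at layer 4. When you want to configure TLS or perform other HTTPS-related operations for an application in Kubernetes, it must be done through Ingress.

  • ingress-nginx: simply put, you used to have to edit the Nginx configuration and then configure which Service each domain name maps to. That action is now abstracted into an Ingress object that you create with yaml; instead of editing Nginx every time, you edit the yaml and create/update it. That raises the question: "How is Nginx itself handled?"
  • The Ingress Controller is what solves "how Nginx is handled". The Ingress Controller interacts with the Kubernetes API to dynamically detect changes to the Ingress rules in the cluster, reads them, generates a section of Nginx configuration from its own template, writes it into the Nginx Pod, and finally performs a reload. The workflow is shown in the figure below:

  • In fact, Ingress is also one of the standard resource types of the Kubernetes API. It is a set of rules that forward requests to specified Service resources based on DNS name (host) or URL path, used to publish services by forwarding request traffic from outside the cluster to the inside of the cluster. Note that an Ingress resource cannot itself "pass traffic through"; it is only a collection of rules. These rules need other functionality to act on them, such as listening on a socket and then routing and forwarding according to the rule matches. The component that listens on sockets and forwards traffic on behalf of Ingress resources is the Ingress Controller.
  • Two Ingress routing methods
    1. Virtual host
    2. URL path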

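ingress-nginx deployment

  • Many global settings of ingress-nginx, and changes to its defaults, are loaded through annotations. For a detailed explanation of the specific parameters,
    see the official documentation:

    https://kubernetes.github.io/…

  • Choose the NodePort deployment method

    https://kubernetes.github.io/…

  • extensions/v1beta1 Ingress resource specification (dropped completely in versions 1.22+)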
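apiVersion: extensions/v1beta1 # API group and version the resource belongs to
kind: Ingress # resource type identifier
metadata: # metadata
  name <string> # resource name
  annotations: # resource annotations; v1beta1 uses the annotation below to specify the controller type that should process this resource
    kubernetes.io/ingress.class: <string> # Ingress controller class to use
  namespace <string> # namespace
spec:
  rules <[]Object> # list of Ingress rules
  - host <string>  # FQDN of the virtual host; supports a "*" prefix wildcard, does not support IPs or specifying a port
    http <object>
      paths <[]Object> # list of PATH definitions for the virtual host, each made up of path and backend
      - path <string> # HTTP PATH to match traffic on; must begin with /
        pathType <string> # matching mechanism; supports Exact, Prefix and ImplementationSpecific
        backend <object> # target backend that matched traffic is forwarded to
          resource <Object> # reference to a resource in the same namespace; mutually exclusive with the two fields below
          serviceName <string> # name of the referenced Service resource
          servicePort <string> # port the Service uses to provide the service
  tls <[]object> # TLS configuration; specifies which hosts defined in rules above need to work in HTTPS mode
  - hosts <[]string>  # list of host names that share one certificate
    secretName <string>  # name of the Secret resource that holds the certificate and private key
  backend <object>   # definition of the default backend; nested fields and format are the same as in the rules field
  ingressClassName <string> # Ingress class name, used to specify the controller to use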
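  • v1 Ingress resource specification
apiVersion: networking.k8s.io/v1 # API group and version the resource belongs to
kind: Ingress # resource type identifier
metadata: # metadata
  name <string> # resource name
  annotations: # resource annotations; v1beta1 uses the annotation below to specify the controller type that should process this resource
    kubernetes.io/ingress.class: <string> # Ingress controller class to use
  namespace <string>  # namespace
spec:
  rules <[]object> # list of Ingress rules
  - host <string>  # FQDN of the virtual host; supports a "*" prefix wildcard, does not support IPs or specifying a port
    http <object>
      paths <[]object> # list of PATH definitions for the virtual host, each made up of path and backend
      - path <string> # HTTP PATH to match traffic on; must begin with /
        pathType <string> # supports Exact, Prefix and ImplementationSpecific; required
        backend <Object> # target backend that matched traffic is forwarded to
          resource <object>  # reference to a resource in the same namespace; mutually exclusive with the field below
          service <object> # the associated backend Service object
            name <string> # name of the backend Service
            port <object> # port object on the backend Service
              name <string> # port name
              number <integer>  # port number
  tls <[]object>  # TLS configuration; specifies which hosts defined in rules above need to work in HTTPS mode
  - hosts <[]string>  # list of host names that share one certificate
    secretName <string> # name of the Secret resource that holds the certificate and private key
  backend <object>  # definition of the default backend; nested fields and format are the same as in the rules field
  ingressClassName <string> # Ingress class name, used to specify the controller to use
  • Add externalIPs: the IP of node 3. This step is optional; it is for convenience, so that you remember an IP instead of the NodePort ports. NodePort and externalIPs can both be used for access at the same time.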
[root@k8s-master Ingress]# vim deploy.yaml
...
---
# Source: ingress-nginx/templates/controller-service.yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  type: NodePort
  externalIPs: [192.168.54.173]   # added externalIPs field: a fixed access IP
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: http
      appProtocol: http
    - name: https
      port: 443
      protocol: TCP
      targetPort: https
      appProtocol: https
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/component: controller
...
  • Deploy ingress-nginx
[root@k8s-master Ingress]# kubectl apply -f deploy.yaml 
namespace/ingress-nginx unchanged
serviceaccount/ingress-nginx unchanged
configmap/ingress-nginx-controller configured
clusterrole.rbac.authorization.k8s.io/ingress-nginx unchanged
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx unchanged
role.rbac.authorization.k8s.io/ingress-nginx unchanged
rolebinding.rbac.authorization.k8s.io/ingress-nginx unchanged
service/ingress-nginx-controller-admission unchanged
service/ingress-nginx-controller configured
deployment.apps/ingress-nginx-controller configured
ingressclass.networking.k8s.io/nginx unchanged
validatingwebhookconfiguration.admissionregistration.k8s.io/ingress-nginx-admission configured
serviceaccount/ingress-nginx-admission unchanged
clusterrole.rbac.authorization.k8s.io/ingress-nginx-admission unchanged
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx-admission unchanged
role.rbac.authorization.k8s.io/ingress-nginx-admission unchanged
rolebinding.rbac.authorization.k8s.io/ingress-nginx-admission unchanged
job.batch/ingress-nginx-admission-create unchanged
job.batch/ingress-nginx-admission-patch unchanged
[root@k8s-master Ingress]# kubectl get pod
NAME                              READY   STATUS    RESTARTS   AGE
etcd-operator-646cbffdb6-brbn6    1/1     Running   0          19h
example-etcd-cluster-5fb5d9d6n8   1/1     Running   0          49m
example-etcd-cluster-nc8pdgjrjr   1/1     Running   0          19h
example-etcd-cluster-svgdngq28k   1/1     Running   0          48m
[root@k8s-master Ingress]# kubectl get svc -n ingress-nginx
NAME                                 TYPE        CLUSTER-IP     EXTERNAL-IP      PORT(S)                      AGE
ingress-nginx-controller             NodePort    10.109.24.78   192.168.54.173   80:32493/TCP,443:30239/TCP   120m
ingress-nginx-controller-admission   ClusterIP   10.110.72.52   <none>           443/TCP                      120m

Example 1: Create an ingress-nginx virtual host

  • Create a Deployment and its corresponding Service
[root@k8s-master Ingress]# cat deployment-demo.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-demo
  namespace: default
spec:
  replicas: 4
  selector:
    matchLabels:
      app: demoapp
      release: stable
  template:
    metadata:
      labels:
        app: demoapp
        release: stable
    spec:
      containers:
      - name: demoapp
        image: ikubernetes/demoapp:v1.1
        ports:
        - containerPort: 80
          name: http

---
apiVersion: v1
kind: Service
metadata:
  name: demoapp-deploy
  namespace: default
spec:
  selector:
    app: demoapp
    release: stable
  ports:
  - name: http
    port: 80
    targetPort: 80
  • Create the Ingress for ingress-nginx
[root@k8s-master Ingress]# cat  demoapp-ingress.yaml 
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-demo
  annotations:
    kubernetes.io/ingress.class: "nginx"
  namespace: default
spec:
  rules:
  - host: www.ik8s.io  # virtual host
    http:
      paths:
      - path: /
        pathType: Prefix  # prefix match
        backend:
          service:
            name: demoapp-deploy
            port:
              number: 80

[root@k8s-master Ingress]# kubectl apply -f deployment-demo.yaml
[root@k8s-master Ingress]# kubectl apply -f demoapp-ingress.yaml

[root@k8s-master Ingress]# kubectl get svc -n ingress-nginx
NAME                                 TYPE        CLUSTER-IP     EXTERNAL-IP      PORT(S)                      AGE
ingress-nginx-controller             NodePort    10.109.24.78   192.168.54.173   80:32493/TCP,443:30239/TCP   5h50m
ingress-nginx-controller-admission   ClusterIP   10.110.72.52   <none>           443/TCP                      5h50m

[root@k8s-master Ingress]# kubectl get ingress
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
NAME           CLASS    HOSTS         ADDRESS         PORTS   AGE
ingress-demo   <none>   www.ik8s.io   192.168.4.171   80      3h11m
  • Access test
[root@bigyong ~]# cat /etc/hosts   
# ::1        localhost localhost.localdomain localhost6 localhost6.localdomain6
127.0.0.1    localhost localhost.localdomain localhost4 localhost4.localdomain4

...
192.168.54.173   www.ik8s.io   # add a hosts entry

[root@bigyong ~]# curl 192.168.54.173  # accessing the IP directly only reaches ingress-nginx; the request is not forwarded to the backend
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
[root@bigyong ~]# curl -H  "Host:www.ik8s.io" 192.168.54.173  # access succeeds
iKubernetes demoapp v1.1 !! ClientIP: 192.168.113.37, ServerName: deployment-demo-867c7d9d55-gw6qp, ServerIP: 192.168.113.39
[root@bigyong ~]# curl -H  "Host:www.ik8s.io" 192.168.54.173
iKubernetes demoapp v1.1 !! ClientIP: 192.168.113.37, ServerName: deployment-demo-867c7d9d55-9lnpq, ServerIP: 192.168.12.39!
[root@bigyong ~]# curl -H  "Host:www.ik8s.io" 192.168.54.173
iKubernetes demoapp v1.1 !! ClientIP: 192.168.113.37, ServerName: deployment-demo-867c7d9d55-2zcr5, ServerIP: 192.168.51.61!
[root@bigyong ~]# curl -H  "Host:www.ik8s.io" 192.168.54.173
iKubernetes demoapp v1.1 !! ClientIP: 192.168.113.37, ServerName: deployment-demo-867c7d9d55-9lnpq, ServerIP: 192.168.12.39!

Example 2: Create a TLS Ingress (HTTPS)

[root@k8s-master Ingress]# cat   demoapp-ingress.yaml 
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-demo
  annotations:
    kubernetes.io/ingress.class: "nginx"
  namespace: default
spec:
  rules:
  - host: www.ik8s.io
    http:
      paths:
      - path: /
        pathType: Prefix  # prefix match
        backend:
          service:
            name: demoapp-deploy
            port:
              number: 80
  tls:  # add tls
  - hosts:
    - www.ik8s.io
    secretName: ik8s-tls
    
[root@k8s-master Ingress]# kubectl  apply -f demoapp-ingress.yaml 
ingress.networking.k8s.io/ingress-demo configured

[root@k8s-master Ingress]# kubectl describe ingress ingress-demo
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
Name:             ingress-demo
Namespace:        default
Address:          192.168.4.171
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
TLS:
  ik8s-tls terminates www.ik8s.io
Rules:
  Host         Path  Backends
  ----         ----  --------
  www.ik8s.io  
               /   demoapp-deploy:80 (192.168.113.39:80,192.168.12.39:80)
Annotations:   kubernetes.io/ingress.class: nginx
Events:
  Type    Reason  Age                   From                      Message
  ----    ------  ----                  ----                      -------
  Normal  Sync    113s (x3 over 6h36m)  nginx-ingress-controller  Scheduled for sync
  • Create a self-signed TLS certificate
[root@k8s-master Ingress]# (umask 077; openssl genrsa -out tls.key 2048)
Generating RSA private key, 2048 bit long modulus
............................+++
.......................+++
e is 65537 (0x10001)
[root@k8s-master Ingress]# openssl req -new -x509 -key tls.key -out tls.crt -subj "/CN=www.ik8s.io" -days 365
[root@k8s-master Ingress]# ls
demoapp-ingress.yaml    deployment-demo.yaml  tls.crt
deploy-externalIP.yaml  deploy.yaml           tls.key
  • Create the Secret
[root@k8s-master Ingress]# kubectl create secret tls ik8s-tls --cert=./tls.crt --key=./tls.key
secret/ik8s-tls created
  • Access test
[root@k8s-master Ingress]# curl -H  "Host:www.ik8s.io" 192.168.54.173   # 308: the request is now redirected
<html>
<head><title>308 Permanent Redirect</title></head>
<body>
<center><h1>308 Permanent Redirect</h1></center>
<hr><center>nginx</center>
</body>
</html>

# Access over https: curl reports that the certificate is invalid and not trusted
[root@k8s-master Ingress]# curl -H  "Host:www.ik8s.io" https://192.168.54.173 
curl: (60) Issuer certificate is invalid.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
  • Ignore the risk; access succeeds
[root@k8s-master Ingress]# curl -k -H  "Host:www.ik8s.io" https://192.168.54.173  
iKubernetes demoapp v1.1 !! ClientIP: 192.168.113.37, ServerName: deployment-demo-867c7d9d55-9lnpq, ServerIP: 192.168.12.39!

Example 3: Add an Ingress for the dashboard

https://kubernetes.github.io/…

[root@k8s-master Ingress]# cat ingress-kubernetes-dashboard.yaml 
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: dashboard
  annotations:
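    kubernetes.io/ingress.class: "nginx" # specify the controller
    ingress.kubernetes.io/ssl-passthrough: "true"   # TCP proxy: the backend dashboard must be accessed over https, so this forwards at layer 4 straight to the backend Pod
    # (ingress-nginx reads annotations under the nginx.ingress.kubernetes.io/ prefix by default; the key above does not carry that prefix)
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" # talk to the backend directly over the https protocol
    nginx.ingress.kubernetes.io/rewrite-target: /$2 # rewrite target: the 2nd capture group of path /dashboard(/|$)(.*)
  namespace: kubernetes-dashboard
spec:  # no host is configured here, which is equivalent to the * wildcard matching all hosts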
  rules:
  - http:
      paths:
      - path: /dashboard(/|$)(.*)
        backend:
          serviceName: kubernetes-dashboard
          servicePort: 443

[root@k8s-master Ingress]# kubectl apply -f ingress-kubernetes-dashboard.yaml 
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
ingress.extensions/dashboard created

[root@k8s-master Ingress]# kubectl describe ingress dashboard -n kubernetes-dashboard
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
Name:             dashboard
Namespace:        kubernetes-dashboard
Address:          192.168.4.171
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
  Host        Path  Backends
  ----        ----  --------
  *           
              /dashboard(/|$)(.*)   kubernetes-dashboard:443 (192.168.51.64:8443)  # backend Pod
Annotations:  ingress.kubernetes.io/ssl-passthrough: true
              kubernetes.io/ingress.class: nginx
              nginx.ingress.kubernetes.io/backend-protocol: HTTPS
              nginx.ingress.kubernetes.io/rewrite-target: /$2
Events:
  Type    Reason  Age                   From                      Message
  ----    ------  ----                  ----                      -------
  Normal  Sync    103s (x2 over 2m41s)  nginx-ingress-controller  Scheduled for sync
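  • Access test

Note: https://192.168.54.173/dashbo… must include the trailing /; $2 is the part after that /. Without it the page cannot be accessed.

Example 4: Add ingress-nginx basic authentication for Longhorn

See the official documentation:

https://longhorn.io/docs/1.2….

  • By default Longhorn has no login authentication, so exposing it to the public network is risky. First add basic authentication.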
[root@k8s-master Ingress]# kubectl get pod -n longhorn-system 
NAME                                        READY   STATUS    RESTARTS   AGE
....
longhorn-manager-cc8sp                      1/1     Running   0          149m
longhorn-manager-fs5tx                      1/1     Running   2          149m
longhorn-manager-vwbzn                      1/1     Running   1          149m
longhorn-ui-79f8976fbf-c44ct                1/1     Running   1          149m
[root@k8s-master Ingress]# kubectl get svc  -n longhorn-system 
NAME                TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)     AGE
csi-attacher        ClusterIP   10.108.190.205   <none>        12345/TCP   142m
csi-provisioner     ClusterIP   10.99.216.181    <none>        12345/TCP   142m
csi-resizer         ClusterIP   10.96.161.192    <none>        12345/TCP   141m
csi-snapshotter     ClusterIP   10.101.216.72    <none>        12345/TCP   141m
longhorn-backend    ClusterIP   10.108.67.31     <none>        9500/TCP    149m
longhorn-frontend   ClusterIP   10.107.71.176    <none>        80/TCP      149m

[root@k8s-master Ingress]# USER=user.com; PASSWORD=passwd.com; echo "${USER}:$(openssl passwd -stdin -apr1 <<< ${PASSWORD})" >> auth
[root@k8s-master Ingress]# ls
auth                  deploy-externalIP.yaml  deploy.yaml                        tls.crt
demoapp-ingress.yaml  deployment-demo.yaml    ingress-kubernetes-dashboard.yaml  tls.key

[root@k8s-master Ingress]# kubectl -n longhorn-system create secret generic basic-auth --from-file=auth
secret/basic-auth created

[root@k8s-master Ingress]# cat longhorn-ui-ingress.yaml 
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: longhorn-ingress
  namespace: longhorn-system
  annotations:
    kubernetes.io/ingress.class: "nginx"   # specify the controller
    # type of authentication
    nginx.ingress.kubernetes.io/auth-type: basic  # authentication type
    # prevent the controller from redirecting (308) to HTTPS
    nginx.ingress.kubernetes.io/ssl-redirect: 'false'     # allow plain HTTP (the Basic credentials then travel unencrypted)
    # name of the secret that contains the user/password definitions
    nginx.ingress.kubernetes.io/auth-secret: basic-auth    # Secret name
    # message to display with an appropriate context why the authentication is required
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'   # prompt shown to the user
    # custom max body size for file uploading like backing image uploading
    nginx.ingress.kubernetes.io/proxy-body-size: 10000m
    nginx.ingress.kubernetes.io/rewrite-target: /$2 
spec:
  rules:
  - http:
      paths:
      - pathType: Prefix
        path: /longhorn(/|$)(.*)
        backend:
          service:
            name: longhorn-frontend
            port:
              number: 80

[root@k8s-master Ingress]# kubectl apply -f longhorn-ui-ingress.yaml 
ingress.networking.k8s.io/longhorn-ingress configured
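
An added example, not part of the original post: a review check over Ingress manifests for the settings Examples 3 and 4 rely on before a UI is exposed (removed API version, rule without a host, annotation outside the controller's prefix, basic auth reachable over plain HTTP). The finding names are made up for this sketch, the sample manifests are constructed from the examples above, and the controller is assumed to use its default annotation prefix.

```python
import json

# Constructed sample: Ingress manifests as a JSON list (the `items` shape of
# kubectl's -o json), reduced to the fields the checks read.
SAMPLE = json.loads("""
{"items": [
 {"apiVersion": "extensions/v1beta1",
  "metadata": {"name": "dashboard", "namespace": "kubernetes-dashboard",
   "annotations": {"kubernetes.io/ingress.class": "nginx",
    "ingress.kubernetes.io/ssl-passthrough": "true",
    "nginx.ingress.kubernetes.io/backend-protocol": "HTTPS"}},
  "spec": {"rules": [{"http": {"paths": []}}]}},
 {"apiVersion": "networking.k8s.io/v1",
  "metadata": {"name": "longhorn-ingress", "namespace": "longhorn-system",
   "annotations": {"nginx.ingress.kubernetes.io/auth-type": "basic",
    "nginx.ingress.kubernetes.io/ssl-redirect": "false"}},
  "spec": {"rules": [{"http": {"paths": []}}]}},
 {"apiVersion": "networking.k8s.io/v1",
  "metadata": {"name": "ingress-demo", "namespace": "default",
   "annotations": {"kubernetes.io/ingress.class": "nginx"}},
  "spec": {"rules": [{"host": "www.ik8s.io", "http": {"paths": []}}],
   "tls": [{"hosts": ["www.ik8s.io"], "secretName": "ik8s-tls"}]}}
]}
""")

PREFIX = "nginx.ingress.kubernetes.io/"  # assumed: ingress-nginx default prefix

def audit(ingress):
    """Return the sorted finding codes for one Ingress object."""
    ann = ingress["metadata"].get("annotations") or {}
    spec = ingress.get("spec") or {}
    found = set()
    if ingress.get("apiVersion") == "extensions/v1beta1":
        found.add("removed-api")            # unavailable in v1.22+
    if any(not rule.get("host") for rule in spec.get("rules") or []):
        found.add("no-host")                # rule answers for every Host header
    if any(key.startswith("ingress.kubernetes.io/") for key in ann):
        found.add("unprefixed-annotation")  # outside the default prefix
    if ann.get(PREFIX + "auth-type") == "basic":
        has_tls = bool(spec.get("tls"))
        redirect_off = ann.get(PREFIX + "ssl-redirect") == "false"
        if redirect_off or not has_tls:
            found.add("basic-auth-over-http")  # credentials accepted unencrypted
    return sorted(found)

def audit_all(doc):
    """Map namespace/name to findings for every item of an Ingress list."""
    return {"{namespace}/{name}".format(**item["metadata"]): audit(item)
            for item in doc["items"]}

if __name__ == "__main__":
    for name, found in audit_all(SAMPLE).items():
        print(name, ", ".join(found) or "ok")
```
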
  • Access http://IP/longhorn/ (the trailing "/" is required)
  • The IP in the images below is the service IP after redeployment
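
Why the trailing "/" noted in Examples 3 and 4 matters, as an added example that is not from the original post: it applies the dashboard Ingress path and rewrite-target to request paths, then resolves a relative asset reference the way a browser would. It assumes the UI loads its assets through relative URLs; the host ingress.example and the asset name styles.css are constructed, and passing /longhorn(/|$)(.*) as ingress_path covers Example 4.

```python
import re
from urllib.parse import urljoin, urlsplit

# Path and rewrite-target taken from the dashboard Ingress in Example 3.
INGRESS_PATH = r"/dashboard(/|$)(.*)"
REWRITE_TARGET = "/$2"

def rewrite(request_path, ingress_path=INGRESS_PATH, target=REWRITE_TARGET):
    """Return the path the backend receives, or None if the rule does not match."""
    m = re.match(ingress_path, request_path, re.IGNORECASE)
    if m is None:
        return None
    # nginx writes capture groups as $1, $2; Python's expand() wants \g<1>, \g<2>
    return m.expand(re.sub(r"\$(\d+)", r"\\g<\1>", target))

def asset_route(page_url, asset_ref):
    """Resolve a relative asset reference as a browser does, then route it."""
    asset_path = urlsplit(urljoin(page_url, asset_ref)).path
    return asset_path, rewrite(asset_path)

if __name__ == "__main__":
    for path in ("/dashboard", "/dashboard/", "/dashboard/api/v1/login", "/dashboards"):
        print(f"{path!r:28} -> {rewrite(path)!r}")
    # Constructed host and asset name; only the /dashboard path comes from the page.
    for page in ("https://ingress.example/dashboard",
                 "https://ingress.example/dashboard/"):
        print(page, asset_route(page, "styles.css"))
```

Without the trailing slash the asset request goes to /styles.css, which no Ingress rule matches, so the page loads but its assets get the controller's 404.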
