前言:
什么是Ingress?
官网的解释是:
Ingress 是对集群中服务的内部拜访进行治理的 API 对象,典型的拜访形式是 HTTP。
Ingress 能够提供负载平衡、SSL 终结和基于名称的虚构托管。
Ingress简介
Ingress对象,其实就是对“反向代理”的一种形象,简略的说就是一个全局的负载均衡器,能够通过拜访URL定位到后端的Service
有了Ingress这个形象,K8S就不须要关怀Ingress的细节了,理论应用时,只须要抉择一个具体的Ingress Controller部署就行了,业界罕用的反向代理我的项目有:Nginx、HAProxy、Envoy、Traefik 都曾经成为了K8S专门保护的Ingress Controller
一个Ingress对象的次要内容,就相似Nginx的配置文件形容,对应的转发规定就是ingressRule,
有了Ingress这个对象,用户就能够依据本人的需要抉择Ingress Controller,例如,如果利用对代理服务的中断十分敏感,能够应用Treafik这样的Ingress Controller
Ingress工作在七层,Service工作在四层,当想要在Kubernetes里为利用进行TLS配置等HTTPS相干操作时,都必须通过Ingress来进行
- ingress-nginx 简略的了解就是你原来须要改 Nginx 配置,而后配置各种域名对应哪个 Service,当初把这个动作形象进去,变成一个 Ingress 对象,你能够用 yaml 创立,每次不要去改 Nginx 了,间接改 yaml 而后创立/更新就行了;那么问题来了:”Nginx 该怎么解决?”
- Ingress Controller 这货色就是解决 “Nginx 的解决形式” 的;Ingress Controoler 通过与 Kubernetes API 交互,动静的去感知集群中 Ingress 规定变动,而后读取他,依照他本人模板生成一段 Nginx 配置,再写到 Nginx Pod 里,最初 reload 一下,工作流程如下图:
- 实际上Ingress也是Kubernetes API的规范资源类型之一,它其实就是一组基于DNS名称(host)或URL门路把申请转发到指定的Service资源的规定。用于将集群内部的申请流量转发到集群外部实现的服务公布。咱们须要明确的是,Ingress资源本身不能进行“流量穿透”,仅仅是一组规定的汇合,这些汇合规定还须要其余性能的辅助,比方监听某套接字,而后依据这些规定的匹配进行路由转发,这些可能为Ingress资源监听套接字并将流量转发的组件就是Ingress Controller
- Ingress 两种路由形式
1.虚拟主机
2.URL 门路
Ingree-nginx部署
-
ingress-nginx 很多全局配置或批改默认配置都是通过annotations 正文来加载配置文件具体参数具体解释可
参考官网文档:https://kubernetes.github.io/…
-
抉择NodePort部署形式
https://kubernetes.github.io/…
- extensions/v1beta1 Ingress资源标准 1.22+版本后会被彻底弃用
apiVersion: extensions/v1betal #资源所属的API群组和版本
Kind: Ingress#资源类型标识符
metadata: #元数据
name <string> #资源名称
annotationsl #资源注解,v1betal应用上面的注解来指定要解析该资源的控制器类型
kubernetes.io/ingress.class: <string> #适配的Ingress控制器类别
namespace <string> #名称空间
spec:
rules <[]Object> #Ingress规定列表;
- host <string> #虚拟主机的FQDN,反对“*"前缀通配,不反对IP,不反对指定端口
http <object>
paths<[]0bject>#虚拟主机PATH定义的列表,由path和backend组成
- path <string> #流量匹配的HTTP PATH,必须以/结尾
pathType <string> #匹配机制,反对Exact、_Prefix和ImplementationSpecific
backend <object> #匹配到的流量转发到的指标后端
resource <Object> #援用的同一名称空间下的资源,与上面两个字段互斥
serviceName <string>#援用的Service资源的名称
servicePort <string># Service用于提供服务的端口
tls <[]object> #TLS配置,用于指定上rules中定义的哪些host须要工作HTTPS模式
- hosts <[]string> #应用同一组证书的主机名称列表
secretName <string> #保留于数字证书和私钥信息的secret资源名称
backend <object> #默认backend的定义,可嵌套字段及应用格局跟rules字段中的雷同
ingressClassName <string> #ingress类名称,用于指定适配的控制器- v1 Ingress资源标准
apiVersion: networking.k8s.io/v1 #资源所属的API群组和版本
kind: Ingress #资源类型标识符
metadata: #元数据
name <string> #资源名称
annotations: #资源注解,vlbetal应用上面的注解来指定要解析该资源的控制器类型
kubernetes.io/ingress.class:<string> #适配的Ingress控制器类别
namespace <string> #名称空间
spec:
rules <[]object> #Ingress规定列表
- host <string> #虚拟主机的FQDN,反对“*"前缀通配,不反对IP,不反对指定端口
http <object>
paths <[]object>#虚拟主机PATH定义的列表,由path和backend组成
- path <string> #流量匹配的HTTP PATH,必须以/结尾
pathType <string> #反对Exact、Prefix和ImplementationSpecific,必选
backend <Object>#匹配到的流量转发到的指标后端
resource <object> #援用的同一名称空间下的资源,与上面两个字段互斥
service <object> #关联的后端Service对象
name <string> #后端Service的名称
port bject> #后端Service上的端口对象
name <string> #端口名称
number <integer> #端口号
tls <[]object> #TLS配置,用于指定上rules中定义的哪些host须要工作HTTPS模式
- hosts <[]string> #应用同一组证书的主机名称列表
secretName <string> #保留于数字证书和私钥信息的secret资源名称
backend <object> #默认backend的定义,可嵌套字段及应用格局跟rules字段中的雷同
ingressClassName <string> #ingress类名称,用于指定适配的控制器- 增加externalIPs:节点3 IP非必须步骤,不便记忆应用 而不是记忆NodePort端口 NodePort与externalIPs可同时拜访
[root@k8s-master Ingress]# vim deploy.yaml
...
---
# Source: ingress-nginx/templates/controller-service.yaml
apiVersion: v1
kind: Service
metadata:
annotations:
labels:
helm.sh/chart: ingress-nginx-4.0.1
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 1.0.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
type: NodePort
externalIPs: [192.168.54.173] #增加externalIPs字段 固定拜访IP
ports:
- name: http
port: 80
protocol: TCP
targetPort: http
appProtocol: http
- name: https
port: 443
protocol: TCP
targetPort: https
appProtocol: https
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/component: controller
...- 部署Ingress-nginx
[root@k8s-master Ingress]# kubectl apply -f deploy.yaml
namespace/ingress-nginx unchanged
serviceaccount/ingress-nginx unchanged
configmap/ingress-nginx-controller configured
clusterrole.rbac.authorization.k8s.io/ingress-nginx unchanged
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx unchanged
role.rbac.authorization.k8s.io/ingress-nginx unchanged
rolebinding.rbac.authorization.k8s.io/ingress-nginx unchanged
service/ingress-nginx-controller-admission unchanged
service/ingress-nginx-controller configured
deployment.apps/ingress-nginx-controller configured
ingressclass.networking.k8s.io/nginx unchanged
validatingwebhookconfiguration.admissionregistration.k8s.io/ingress-nginx-admission configured
serviceaccount/ingress-nginx-admission unchanged
clusterrole.rbac.authorization.k8s.io/ingress-nginx-admission unchanged
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx-admission unchanged
role.rbac.authorization.k8s.io/ingress-nginx-admission unchanged
rolebinding.rbac.authorization.k8s.io/ingress-nginx-admission unchanged
job.batch/ingress-nginx-admission-create unchanged
job.batch/ingress-nginx-admission-patch unchanged
[root@k8s-master Ingress]# kubectl get pod
NAME READY STATUS RESTARTS AGE
etcd-operator-646cbffdb6-brbn6 1/1 Running 0 19h
example-etcd-cluster-5fb5d9d6n8 1/1 Running 0 49m
example-etcd-cluster-nc8pdgjrjr 1/1 Running 0 19h
example-etcd-cluster-svgdngq28k 1/1 Running 0 48m
[root@k8s-master Ingress]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller NodePort 10.109.24.78 192.168.54.173 80:32493/TCP,443:30239/TCP 120m
ingress-nginx-controller-admission ClusterIP 10.110.72.52 <none> 443/TCP 120m示例1:创立 Ingress-nginx虚拟主机
- 创立 Deployment 和与之对应的SVC
[root@k8s-master Ingress]# cat deployment-demo.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: deployment-demo
namespace: default
spec:
replicas: 4
selector:
matchLabels:
app: demoapp
release: stable
template:
metadata:
labels :
app: demoapp
release: stable
spec:
containers:
- name: demoapp
image: ikubernetes/demoapp:v1.1
ports:
- containerPort: 80
name: http
---
apiVersion: v1
kind: Service
metadata:
name: demoapp-deploy
namespace: default
spec:
selector:
app: demoapp
release: stable
ports:
- name: http
port: 80
targetPort: 80- 创立 ingress-nginx
[root@k8s-master Ingress]# cat demoapp-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-demo
annotations:
kubernetes.io/ingress.class: "nginx"
namespace: default
spec:
rules:
- host: www.ik8s.io #虚拟主机
http:
paths:
- path: /
pathType: Prefix #前缀匹配
backend:
service:
name: demoapp-deploy
port:
number: 80
[root@k8s-master Ingress]# kubectl apply -f deployment-demo.yaml
[root@k8s-master Ingress]# kubectl apply -f demoapp-ingress.yaml
[root@k8s-master Ingress]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller NodePort 10.109.24.78 192.168.54.173 80:32493/TCP,443:30239/TCP 5h50m
ingress-nginx-controller-admission ClusterIP 10.110.72.52 <none> 443/TCP 5h50m
[root@k8s-master Ingress]# kubectl get ingress
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress-demo <none> www.ik8s.io 192.168.4.171 80 3h11m
- 拜访测试
[root@bigyong ~]# cat /etc/hosts
# ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
...
192.168.54.173 www.ik8s.io #写hosts
[root@bigyong ~]# curl 192.168.54.173 #间接拜访只能到ingress-nginx 没到转发到后端
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
[root@bigyong ~]# curl -H "Host:www.ik8s.io" 192.168.54.173 #拜访胜利
iKubernetes demoapp v1.1 !! ClientIP: 192.168.113.37, ServerName: deployment-demo-867c7d9d55-gw6qp, ServerIP: 192.168.113.39
[root@bigyong ~]# curl -H "Host:www.ik8s.io" 192.168.54.173
iKubernetes demoapp v1.1 !! ClientIP: 192.168.113.37, ServerName: deployment-demo-867c7d9d55-9lnpq, ServerIP: 192.168.12.39!
[root@bigyong ~]# curl -H "Host:www.ik8s.io" 192.168.54.173
iKubernetes demoapp v1.1 !! ClientIP: 192.168.113.37, ServerName: deployment-demo-867c7d9d55-2zcr5, ServerIP: 192.168.51.61!
[root@bigyong ~]# curl -H "Host:www.ik8s.io" 192.168.54.173
iKubernetes demoapp v1.1 !! ClientIP: 192.168.113.37, ServerName: deployment-demo-867c7d9d55-9lnpq, ServerIP: 192.168.12.39!
示例2:创立TLS Ingress HTTPS
[root@k8s-master Ingress]# cat demoapp-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-demo
annotations:
kubernetes.io/ingress.class: "nginx"
namespace: default
spec:
rules:
- host: www.ik8s.io
http:
paths:
- path: /
pathType: Prefix #前缀匹配
backend:
service:
name: demoapp-deploy
port:
number: 80
tls: #增加tls
- hosts:
- www.ik8s.io
secretName: ik8s-tls
[root@k8s-master Ingress]# kubectl apply -f demoapp-ingress.yaml
ingress.networking.k8s.io/ingress-demo configured
[root@k8s-master Ingress]# kubectl describe ingress ingress-demo
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
Name: ingress-demo
Namespace: default
Address: 192.168.4.171
Default backend: default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
TLS:
ik8s-tls terminates www.ik8s.io
Rules:
Host Path Backends
---- ---- --------
www.ik8s.io
/ demoapp-deploy:80 (192.168.113.39:80,192.168.12.39:80)
Annotations: kubernetes.io/ingress.class: nginx
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Sync 113s (x3 over 6h36m) nginx-ingress-controller Scheduled for sync- 创立tls自签证书
[root@k8s-master Ingress]# (umask 077); openssl genrsa -out tls.key 2048
Generating RSA private key, 2048 bit long modulus
............................+++
.......................+++
e is 65537 (0x10001)
[root@k8s-master Ingress]# openssl req -new -x509 -key tls.key -out tls.crt -subj "/CN=www.ik8s.io" -days 365
[root@k8s-master Ingress]# ls
demoapp-ingress.yaml deployment-demo.yaml tls.crt
deploy-externalIP.yaml deploy.yaml tls.key- 创立Secret
[root@k8s-master Ingress]# kubectl create secret tls ik8s-tls --cert=./tls.crt --key=./tls.key
secret/ik8s-tls created- 拜访测试
[root@k8s-master Ingress]# curl -H "Host:www.ik8s.io" 192.168.54.173 #308曾经被重定向
<html>
<head><title>308 Permanent Redirect</title></head>
<body>
<center><h1>308 Permanent Redirect</h1></center>
<hr><center>nginx</center>
</body>
</html>
#通过https拜访 提醒证书有效不被信赖
[root@k8s-master Ingress]# curl -H "Host:www.ik8s.io" https://192.168.54.173
curl: (60) Issuer certificate is invalid.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.- 疏忽危险 拜访胜利
[root@k8s-master Ingress]# curl -k -H "Host:www.ik8s.io" https://192.168.54.173
iKubernetes demoapp v1.1 !! ClientIP: 192.168.113.37, ServerName: deployment-demo-867c7d9d55-9lnpq, ServerIP: 192.168.12.39!示例3:为dashboard 增加ingress
https://kubernetes.github.io/…
[root@k8s-master Ingress]# cat ingress-kubernetes-dashboard.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: dashboard
annotations:
kubernetes.io/ingress.class: "nginx" #指定控制器
ingress.kubernetes.io/ssl-passthrough: "true" #tcp代理 因为后端dashboard必须通过https拜访 这里通过4层转发间接转发到后端Pod
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" #后端间接通过https协定拜访
nginx.ingress.kubernetes.io/rewrite-target: /$2 #重写标记 path:/dashboard(/|$)(.*) 这里的第2局部
namespace: kubernetes-dashboard
spec: #这里没有配置host 相当于*号通配所有主机
rules:
- http:
paths:
- path: /dashboard(/|$)(.*)
backend:
serviceName: kubernetes-dashboard
servicePort: 443
[root@k8s-master Ingress]# kubectl apply -f ingress-kubernetes-dashboard.yaml
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
ingress.extensions/dashboard created
[root@k8s-master Ingress]# kubectl describe ingress dashboard -n kubernetes-dashboard
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
Name: dashboard
Namespace: kubernetes-dashboard
Address: 192.168.4.171
Default backend: default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
Host Path Backends
---- ---- --------
*
/dashboard(/|$)(.*) kubernetes-dashboard:443 (192.168.51.64:8443) #后端pod
Annotations: ingress.kubernetes.io/ssl-passthrough: true
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
nginx.ingress.kubernetes.io/rewrite-target: /$2
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Sync 103s (x2 over 2m41s) nginx-ingress-controller Scheduled for sync
- 拜访测试
留神:https://192.168.54.173/dashbo… 肯定要带上最初的/ $2为/前面局部 不然无法访问
示例4:longhorn增加ingress-nginx basic认证
参考官网文档
https://longhorn.io/docs/1.2….
- 默认longhorn没有登录认证裸露到公网会存在危险 首先增加basic认证
[root@k8s-master Ingress]# kubectl get pod -n longhorn-system
NAME READY STATUS RESTARTS AGE
....
longhorn-manager-cc8sp 1/1 Running 0 149m
longhorn-manager-fs5tx 1/1 Running 2 149m
longhorn-manager-vwbzn 1/1 Running 1 149m
longhorn-ui-79f8976fbf-c44ct 1/1 Running 1 149m
[root@k8s-master Ingress]# kubectl get svc -n longhorn-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
csi-attacher ClusterIP 10.108.190.205 <none> 12345/TCP 142m
csi-provisioner ClusterIP 10.99.216.181 <none> 12345/TCP 142m
csi-resizer ClusterIP 10.96.161.192 <none> 12345/TCP 141m
csi-snapshotter ClusterIP 10.101.216.72 <none> 12345/TCP 141m
longhorn-backend ClusterIP 10.108.67.31 <none> 9500/TCP 149m
longhorn-frontend ClusterIP 10.107.71.176 <none> 80/TCP 149m
[root@k8s-master Ingress]# USER=user.com; PASSWORD=passwd.com; echo "${USER}:$(openssl passwd -stdin -apr1 <<< ${PASSWORD})" >> auth
[root@k8s-master Ingress]# ls
auth deploy-externalIP.yaml deploy.yaml tls.crt
demoapp-ingress.yaml deployment-demo.yaml ingress-kubernetes-dashboard.yaml tls.key
[root@k8s-master Ingress]# kubectl -n longhorn-system create secret generic basic-auth --from-file=authsecret/basic-auth created
[root@k8s-master Ingress]# cat longhorn-ui-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: longhorn-ingress
namespace: longhorn-system
annotations:
kubernetes.io/ingress.class: "nginx" #指定控制器
# type of authentication
nginx.ingress.kubernetes.io/auth-type: basic #认证类型
# prevent the controller from redirecting (308) to HTTPS
nginx.ingress.kubernetes.io/ssl-redirect: 'false' #http通信
# name of the secret that contains the user/password definitions
nginx.ingress.kubernetes.io/auth-secret: basic-auth #secret名称
# message to display with an appropriate context why the authentication is required
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required ' #输出提醒
# custom max body size for file uploading like backing image uploading
nginx.ingress.kubernetes.io/proxy-body-size: 10000m
nginx.ingress.kubernetes.io/rewrite-target: /$2
spec:
rules:
- http:
paths:
- pathType: Prefix
path: /longhorn(/|$)(.*)
backend:
service:
name: longhorn-frontend
port:
number: 80
[root@k8s-master Ingress]# kubectl apply -f longhorn-ui-ingress.yaml
ingress.networking.k8s.io/longhorn-ingress configured
- 拜访 http://IP/longhorn/ #最初的 “/” 肯定要加
- 以下图片IP 重新部署后的服务IP
发表回复