共计 14468 个字符,预计需要花费 37 分钟才能阅读完成。
前言:
什么是 Ingress?
官网的解释是:
Ingress 是对集群中服务的内部拜访进行治理的 API 对象,典型的拜访形式是 HTTP。
Ingress 能够提供负载平衡、SSL 终结和基于名称的虚构托管。
Ingress 简介
Ingress 对象,其实就是对“反向代理”的一种形象,简略的说就是一个全局的负载均衡器,能够通过拜访 URL 定位到后端的 Service
有了 Ingress 这个形象,K8S 就不须要关怀 Ingress 的细节了,理论应用时,只须要抉择一个具体的 Ingress Controller 部署就行了,业界罕用的反向代理我的项目有:Nginx、HAProxy、Envoy、Traefik 都曾经成为了 K8S 专门保护的 Ingress Controller
一个 Ingress 对象的次要内容,就相似 Nginx 的配置文件形容,对应的转发规定就是 ingressRule,
有了 Ingress 这个对象,用户就能够依据本人的需要抉择 Ingress Controller,例如,如果利用对代理服务的中断十分敏感,能够应用 Treafik 这样的 Ingress Controller
Ingress 工作在七层,Service 工作在四层,当想要在 Kubernetes 里为利用进行 TLS 配置等 HTTPS 相干操作时,都必须通过 Ingress 来进行
- ingress-nginx 简略的了解就是你原来须要改 Nginx 配置,而后配置各种域名对应哪个 Service,当初把这个动作形象进去,变成一个 Ingress 对象,你能够用 yaml 创立,每次不要去改 Nginx 了,间接改 yaml 而后创立 / 更新就行了;那么问题来了:”Nginx 该怎么解决?”
- Ingress Controller 这货色就是解决“Nginx 的解决形式”的;Ingress Controoler 通过与 Kubernetes API 交互,动静的去感知集群中 Ingress 规定变动,而后读取他,依照他本人模板生成一段 Nginx 配置,再写到 Nginx Pod 里,最初 reload 一下,工作流程如下图:
- 实际上 Ingress 也是 Kubernetes API 的规范资源类型之一,它其实就是一组基于 DNS 名称(host)或 URL 门路把申请转发到指定的 Service 资源的规定。用于将集群内部的申请流量转发到集群外部实现的服务公布。咱们须要明确的是,Ingress 资源本身不能进行“流量穿透”,仅仅是一组规定的汇合,这些汇合规定还须要其余性能的辅助,比方监听某套接字,而后依据这些规定的匹配进行路由转发,这些可能为 Ingress 资源监听套接字并将流量转发的组件就是 Ingress Controller
- Ingress 两种路由形式
1. 虚拟主机
2.URL 门路
Ingree-nginx 部署
-
ingress-nginx 很多全局配置或批改默认配置都是通过 annotations 正文来加载配置文件具体参数具体解释可
参考官网文档:https://kubernetes.github.io/…
-
抉择 NodePort 部署形式
https://kubernetes.github.io/…
- extensions/v1beta1 Ingress 资源标准 1.22+ 版本后会被彻底弃用
apiVersion: extensions/v1betal #资源所属的 API 群组和版本
Kind: Ingress# 资源类型标识符
metadata: #元数据
name <string> #资源名称
annotationsl #资源注解,v1betal 应用上面的注解来指定要解析该资源的控制器类型
kubernetes.io/ingress.class: <string> #适配的 Ingress 控制器类别
namespace <string> #名称空间
spec:
rules <[]Object> #Ingress 规定列表;
- host <string> #虚拟主机的 FQDN,反对“*" 前缀通配,不反对 IP,不反对指定端口
http <object>
paths<[]0bject># 虚拟主机 PATH 定义的列表,由 path 和 backend 组成
- path <string> #流量匹配的 HTTP PATH,必须以 / 结尾
pathType <string> #匹配机制,反对 Exact、_Prefix 和 ImplementationSpecific
backend <object> #匹配到的流量转发到的指标后端
resource <Object> #援用的同一名称空间下的资源,与上面两个字段互斥
serviceName <string># 援用的 Service 资源的名称
servicePort <string># Service 用于提供服务的端口
tls <[]object> #TLS 配置,用于指定上 rules 中定义的哪些 host 须要工作 HTTPS 模式
- hosts <[]string> #应用同一组证书的主机名称列表
secretName <string> #保留于数字证书和私钥信息的 secret 资源名称
backend <object> #默认 backend 的定义,可嵌套字段及应用格局跟 rules 字段中的雷同
ingressClassName <string> #ingress 类名称,用于指定适配的控制器- v1 Ingress 资源标准
apiVersion: networking.k8s.io/v1 #资源所属的 API 群组和版本
kind: Ingress #资源类型标识符
metadata: #元数据
name <string> #资源名称
annotations: #资源注解,vlbetal 应用上面的注解来指定要解析该资源的控制器类型
kubernetes.io/ingress.class:<string> #适配的 Ingress 控制器类别
namespace <string> #名称空间
spec:
rules <[]object> #Ingress 规定列表
- host <string> #虚拟主机的 FQDN,反对“*" 前缀通配,不反对 IP,不反对指定端口
http <object>
paths <[]object># 虚拟主机 PATH 定义的列表,由 path 和 backend 组成
- path <string> #流量匹配的 HTTP PATH,必须以 / 结尾
pathType <string> #反对 Exact、Prefix 和 ImplementationSpecific,必选
backend <Object># 匹配到的流量转发到的指标后端
resource <object> #援用的同一名称空间下的资源,与上面两个字段互斥
service <object> #关联的后端 Service 对象
name <string> #后端 Service 的名称
port bject> #后端 Service 上的端口对象
name <string> #端口名称
number <integer> #端口号
tls <[]object> #TLS 配置,用于指定上 rules 中定义的哪些 host 须要工作 HTTPS 模式
- hosts <[]string> #应用同一组证书的主机名称列表
secretName <string> #保留于数字证书和私钥信息的 secret 资源名称
backend <object> #默认 backend 的定义,可嵌套字段及应用格局跟 rules 字段中的雷同
ingressClassName <string> #ingress 类名称,用于指定适配的控制器- 增加 externalIPs: 节点 3 IP 非必须步骤,不便记忆应用 而不是记忆 NodePort 端口 NodePort 与 externalIPs 可同时拜访
[root@k8s-master Ingress]# vim deploy.yaml
...
---
# Source: ingress-nginx/templates/controller-service.yaml
apiVersion: v1
kind: Service
metadata:
annotations:
labels:
helm.sh/chart: ingress-nginx-4.0.1
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 1.0.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
type: NodePort
externalIPs: [192.168.54.173] #增加 externalIPs 字段 固定拜访 IP
ports:
- name: http
port: 80
protocol: TCP
targetPort: http
appProtocol: http
- name: https
port: 443
protocol: TCP
targetPort: https
appProtocol: https
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/component: controller
...- 部署 Ingress-nginx
[root@k8s-master Ingress]# kubectl apply -f deploy.yaml
namespace/ingress-nginx unchanged
serviceaccount/ingress-nginx unchanged
configmap/ingress-nginx-controller configured
clusterrole.rbac.authorization.k8s.io/ingress-nginx unchanged
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx unchanged
role.rbac.authorization.k8s.io/ingress-nginx unchanged
rolebinding.rbac.authorization.k8s.io/ingress-nginx unchanged
service/ingress-nginx-controller-admission unchanged
service/ingress-nginx-controller configured
deployment.apps/ingress-nginx-controller configured
ingressclass.networking.k8s.io/nginx unchanged
validatingwebhookconfiguration.admissionregistration.k8s.io/ingress-nginx-admission configured
serviceaccount/ingress-nginx-admission unchanged
clusterrole.rbac.authorization.k8s.io/ingress-nginx-admission unchanged
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx-admission unchanged
role.rbac.authorization.k8s.io/ingress-nginx-admission unchanged
rolebinding.rbac.authorization.k8s.io/ingress-nginx-admission unchanged
job.batch/ingress-nginx-admission-create unchanged
job.batch/ingress-nginx-admission-patch unchanged
[root@k8s-master Ingress]# kubectl get pod
NAME READY STATUS RESTARTS AGE
etcd-operator-646cbffdb6-brbn6 1/1 Running 0 19h
example-etcd-cluster-5fb5d9d6n8 1/1 Running 0 49m
example-etcd-cluster-nc8pdgjrjr 1/1 Running 0 19h
example-etcd-cluster-svgdngq28k 1/1 Running 0 48m
[root@k8s-master Ingress]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller NodePort 10.109.24.78 192.168.54.173 80:32493/TCP,443:30239/TCP 120m
ingress-nginx-controller-admission ClusterIP 10.110.72.52 <none> 443/TCP 120m示例 1: 创立 Ingress-nginx 虚拟主机
- 创立 Deployment 和与之对应的 SVC
[root@k8s-master Ingress]# cat deployment-demo.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: deployment-demo
namespace: default
spec:
replicas: 4
selector:
matchLabels:
app: demoapp
release: stable
template:
metadata:
labels :
app: demoapp
release: stable
spec:
containers:
- name: demoapp
image: ikubernetes/demoapp:v1.1
ports:
- containerPort: 80
name: http
---
apiVersion: v1
kind: Service
metadata:
name: demoapp-deploy
namespace: default
spec:
selector:
app: demoapp
release: stable
ports:
- name: http
port: 80
targetPort: 80- 创立 ingress-nginx
[root@k8s-master Ingress]# cat demoapp-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-demo
annotations:
kubernetes.io/ingress.class: "nginx"
namespace: default
spec:
rules:
- host: www.ik8s.io #虚拟主机
http:
paths:
- path: /
pathType: Prefix #前缀匹配
backend:
service:
name: demoapp-deploy
port:
number: 80
[root@k8s-master Ingress]# kubectl apply -f deployment-demo.yaml
[root@k8s-master Ingress]# kubectl apply -f demoapp-ingress.yaml
[root@k8s-master Ingress]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller NodePort 10.109.24.78 192.168.54.173 80:32493/TCP,443:30239/TCP 5h50m
ingress-nginx-controller-admission ClusterIP 10.110.72.52 <none> 443/TCP 5h50m
[root@k8s-master Ingress]# kubectl get ingress
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress-demo <none> www.ik8s.io 192.168.4.171 80 3h11m
- 拜访测试
[root@bigyong ~]# cat /etc/hosts
# ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
...
192.168.54.173 www.ik8s.io #写 hosts
[root@bigyong ~]# curl 192.168.54.173 #间接拜访只能到 ingress-nginx 没到转发到后端
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
[root@bigyong ~]# curl -H "Host:www.ik8s.io" 192.168.54.173 #拜访胜利
iKubernetes demoapp v1.1 !! ClientIP: 192.168.113.37, ServerName: deployment-demo-867c7d9d55-gw6qp, ServerIP: 192.168.113.39
[root@bigyong ~]# curl -H "Host:www.ik8s.io" 192.168.54.173
iKubernetes demoapp v1.1 !! ClientIP: 192.168.113.37, ServerName: deployment-demo-867c7d9d55-9lnpq, ServerIP: 192.168.12.39!
[root@bigyong ~]# curl -H "Host:www.ik8s.io" 192.168.54.173
iKubernetes demoapp v1.1 !! ClientIP: 192.168.113.37, ServerName: deployment-demo-867c7d9d55-2zcr5, ServerIP: 192.168.51.61!
[root@bigyong ~]# curl -H "Host:www.ik8s.io" 192.168.54.173
iKubernetes demoapp v1.1 !! ClientIP: 192.168.113.37, ServerName: deployment-demo-867c7d9d55-9lnpq, ServerIP: 192.168.12.39!
示例 2: 创立 TLS Ingress HTTPS
[root@k8s-master Ingress]# cat demoapp-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-demo
annotations:
kubernetes.io/ingress.class: "nginx"
namespace: default
spec:
rules:
- host: www.ik8s.io
http:
paths:
- path: /
pathType: Prefix #前缀匹配
backend:
service:
name: demoapp-deploy
port:
number: 80
tls: #增加 tls
- hosts:
- www.ik8s.io
secretName: ik8s-tls
[root@k8s-master Ingress]# kubectl apply -f demoapp-ingress.yaml
ingress.networking.k8s.io/ingress-demo configured
[root@k8s-master Ingress]# kubectl describe ingress ingress-demo
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
Name: ingress-demo
Namespace: default
Address: 192.168.4.171
Default backend: default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
TLS:
ik8s-tls terminates www.ik8s.io
Rules:
Host Path Backends
---- ---- --------
www.ik8s.io
/ demoapp-deploy:80 (192.168.113.39:80,192.168.12.39:80)
Annotations: kubernetes.io/ingress.class: nginx
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Sync 113s (x3 over 6h36m) nginx-ingress-controller Scheduled for sync- 创立 tls 自签证书
[root@k8s-master Ingress]# (umask 077); openssl genrsa -out tls.key 2048
Generating RSA private key, 2048 bit long modulus
............................+++
.......................+++
e is 65537 (0x10001)
[root@k8s-master Ingress]# openssl req -new -x509 -key tls.key -out tls.crt -subj "/CN=www.ik8s.io" -days 365
[root@k8s-master Ingress]# ls
demoapp-ingress.yaml deployment-demo.yaml tls.crt
deploy-externalIP.yaml deploy.yaml tls.key- 创立 Secret
[root@k8s-master Ingress]# kubectl create secret tls ik8s-tls --cert=./tls.crt --key=./tls.key
secret/ik8s-tls created- 拜访测试
[root@k8s-master Ingress]# curl -H "Host:www.ik8s.io" 192.168.54.173 #308 曾经被重定向
<html>
<head><title>308 Permanent Redirect</title></head>
<body>
<center><h1>308 Permanent Redirect</h1></center>
<hr><center>nginx</center>
</body>
</html>
#通过 https 拜访 提醒证书有效不被信赖
[root@k8s-master Ingress]# curl -H "Host:www.ik8s.io" https://192.168.54.173
curl: (60) Issuer certificate is invalid.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.- 疏忽危险 拜访胜利
[root@k8s-master Ingress]# curl -k -H "Host:www.ik8s.io" https://192.168.54.173
iKubernetes demoapp v1.1 !! ClientIP: 192.168.113.37, ServerName: deployment-demo-867c7d9d55-9lnpq, ServerIP: 192.168.12.39!示例 3: 为 dashboard 增加 ingress
https://kubernetes.github.io/…
[root@k8s-master Ingress]# cat ingress-kubernetes-dashboard.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: dashboard
annotations:
kubernetes.io/ingress.class: "nginx" #指定控制器
ingress.kubernetes.io/ssl-passthrough: "true" #tcp 代理 因为后端 dashboard 必须通过 https 拜访 这里通过 4 层转发间接转发到后端 Pod
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" #后端间接通过 https 协定拜访
nginx.ingress.kubernetes.io/rewrite-target: /$2 #重写标记 path:/dashboard(/|$)(.*) 这里的第 2 局部
namespace: kubernetes-dashboard
spec: #这里没有配置 host 相当于 * 号通配所有主机
rules:
- http:
paths:
- path: /dashboard(/|$)(.*)
backend:
serviceName: kubernetes-dashboard
servicePort: 443
[root@k8s-master Ingress]# kubectl apply -f ingress-kubernetes-dashboard.yaml
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
ingress.extensions/dashboard created
[root@k8s-master Ingress]# kubectl describe ingress dashboard -n kubernetes-dashboard
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
Name: dashboard
Namespace: kubernetes-dashboard
Address: 192.168.4.171
Default backend: default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
Host Path Backends
---- ---- --------
*
/dashboard(/|$)(.*) kubernetes-dashboard:443 (192.168.51.64:8443) #后端 pod
Annotations: ingress.kubernetes.io/ssl-passthrough: true
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
nginx.ingress.kubernetes.io/rewrite-target: /$2
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Sync 103s (x2 over 2m41s) nginx-ingress-controller Scheduled for sync
- 拜访测试
留神:https://192.168.54.173/dashbo… 肯定要带上最初的 / $2 为 / 前面局部 不然无法访问
示例 4:longhorn 增加 ingress-nginx basic 认证
参考官网文档
https://longhorn.io/docs/1.2….
- 默认 longhorn 没有登录认证裸露到公网会存在危险 首先增加 basic 认证
[root@k8s-master Ingress]# kubectl get pod -n longhorn-system
NAME READY STATUS RESTARTS AGE
....
longhorn-manager-cc8sp 1/1 Running 0 149m
longhorn-manager-fs5tx 1/1 Running 2 149m
longhorn-manager-vwbzn 1/1 Running 1 149m
longhorn-ui-79f8976fbf-c44ct 1/1 Running 1 149m
[root@k8s-master Ingress]# kubectl get svc -n longhorn-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
csi-attacher ClusterIP 10.108.190.205 <none> 12345/TCP 142m
csi-provisioner ClusterIP 10.99.216.181 <none> 12345/TCP 142m
csi-resizer ClusterIP 10.96.161.192 <none> 12345/TCP 141m
csi-snapshotter ClusterIP 10.101.216.72 <none> 12345/TCP 141m
longhorn-backend ClusterIP 10.108.67.31 <none> 9500/TCP 149m
longhorn-frontend ClusterIP 10.107.71.176 <none> 80/TCP 149m
[root@k8s-master Ingress]# USER=user.com; PASSWORD=passwd.com; echo "${USER}:$(openssl passwd -stdin -apr1 <<< ${PASSWORD})" >> auth
[root@k8s-master Ingress]# ls
auth deploy-externalIP.yaml deploy.yaml tls.crt
demoapp-ingress.yaml deployment-demo.yaml ingress-kubernetes-dashboard.yaml tls.key
[root@k8s-master Ingress]# kubectl -n longhorn-system create secret generic basic-auth --from-file=authsecret/basic-auth created
[root@k8s-master Ingress]# cat longhorn-ui-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: longhorn-ingress
namespace: longhorn-system
annotations:
kubernetes.io/ingress.class: "nginx" #指定控制器
# type of authentication
nginx.ingress.kubernetes.io/auth-type: basic #认证类型
# prevent the controller from redirecting (308) to HTTPS
nginx.ingress.kubernetes.io/ssl-redirect: 'false' #http 通信
# name of the secret that contains the user/password definitions
nginx.ingress.kubernetes.io/auth-secret: basic-auth #secret 名称
# message to display with an appropriate context why the authentication is required
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required' #输出提醒
# custom max body size for file uploading like backing image uploading
nginx.ingress.kubernetes.io/proxy-body-size: 10000m
nginx.ingress.kubernetes.io/rewrite-target: /$2
spec:
rules:
- http:
paths:
- pathType: Prefix
path: /longhorn(/|$)(.*)
backend:
service:
name: longhorn-frontend
port:
number: 80
[root@k8s-master Ingress]# kubectl apply -f longhorn-ui-ingress.yaml
ingress.networking.k8s.io/longhorn-ingress configured
- 拜访 http://IP/longhorn/ #最初的 “/” 肯定要加
- 以下图片 IP 重新部署后的服务 IP
正文完
发表至: kubernetes
2021-12-07
