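I. Overview
Ingress is an API object that manages external access to the services in a cluster. It can provide load balancing, SSL termination and name-based virtual hosting.
The typical access method is HTTP: requests for different URLs are forwarded to different backend Services, which gives you business routing at the HTTP layer.
Kubernetes combines an Ingress policy definition with a concrete Ingress Controller; together the two implement a complete Ingress load balancer.
When Ingress is used for load distribution, the Ingress Controller forwards client requests, based on the Ingress rules, directly to the backend Endpoints (Pods) of the Service. This bypasses kube-proxy's forwarding, so kube-proxy no longer plays a role.
Ingress does not expose arbitrary ports or protocols. To expose services other than HTTP and HTTPS to the Internet, you normally use a Service of type Service.Type=NodePort or Service.Type=LoadBalancer.
II. Common Controllers
Kubernetes Ingress is the "official" controller. It is developed by the community on top of the NGINX web server and supplemented with a set of Lua plugins that implement additional features.
NGINX Ingress is the official product of the NGINX developers. The NGINX controller is very stable, maintains backward compatibility, has no third-party modules, and, because the Lua code has been removed, is faster than the official controller.
Kong Ingress is developed by Kong Inc and comes in two versions: commercial and free. Kong Ingress is built on NGINX and adds Lua modules that extend its functionality.
HAProxy Ingress is developed by HAProxy. It offers "soft" configuration updates (no traffic loss), DNS-based service discovery, and dynamic configuration through an API.
Traefik is a full-featured ingress controller (Let's Encrypt, secrets, http2, websocket), and it also has commercial support from Containous.
Istio is a joint project of IBM, Google and Lyft (the original authors of Envoy) and is a comprehensive service mesh solution. It can manage all incoming external traffic (as an Ingress controller) and also control all traffic inside the cluster.
Behind the scenes, Istio uses Envoy as a sidecar proxy for every service. In essence it is a large processor that can do almost anything. Its central idea is maximum control, extensibility, security and transparency.
Further reading >>> Comparison of Kubernetes Ingress controllers
III. Recommended Controllers
1) If you are new to Ingress and your project does not have high concurrency or performance requirements, I recommend the official Ingress controller. As the official product, its support for Kubernetes itself is beyond question, and it is fairly simple to configure and deploy.
① Installation and deployment guide: https://kubernetes.github.io/ingress-nginx/deploy/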
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/baremetal/deploy.yaml
② Alternatively, you can copy the following modified file directly:

apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
---
# Source: ingress-nginx/templates/controller-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    helm.sh/chart: ingress-nginx-2.0.3
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.32.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
---
# Source: ingress-nginx/templates/controller-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    helm.sh/chart: ingress-nginx-2.0.3
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.32.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
---
# Source: ingress-nginx/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    helm.sh/chart: ingress-nginx-2.0.3
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.32.0
    app.kubernetes.io/managed-by: Helm
  name: ingress-nginx
  namespace: ingress-nginx
rules:
  - apiGroups:
      - ''
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ''
    resources:
      - services
    verbs:
      - get
      - list
      - update
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io   # k8s 1.14+
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - extensions
      - networking.k8s.io   # k8s 1.14+
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - networking.k8s.io   # k8s 1.14+
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
---
# Source: ingress-nginx/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    helm.sh/chart: ingress-nginx-2.0.3
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.32.0
    app.kubernetes.io/managed-by: Helm
  name: ingress-nginx
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx
subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/controller-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    helm.sh/chart: ingress-nginx-2.0.3
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.32.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
rules:
  - apiGroups:
      - ''
    resources:
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ''
    resources:
      - configmaps
      - pods
      - secrets
      - endpoints
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - services
    verbs:
      - get
      - list
      - update
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io   # k8s 1.14+
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io   # k8s 1.14+
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - networking.k8s.io   # k8s 1.14+
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - configmaps
    resourceNames:
      - ingress-controller-leader-nginx
    verbs:
      - get
      - update
  - apiGroups:
      - ''
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ''
    resources:
      - endpoints
    verbs:
      - create
      - get
      - update
  - apiGroups:
      - ''
    resources:
      - events
    verbs:
      - create
      - patch
---
# Source: ingress-nginx/templates/controller-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    helm.sh/chart: ingress-nginx-2.0.3
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.32.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx
subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/controller-service-webhook.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    helm.sh/chart: ingress-nginx-2.0.3
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.32.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
spec:
  type: ClusterIP
  ports:
    - name: https-webhook
      port: 443
      targetPort: webhook
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/component: controller
---
# Source: ingress-nginx/templates/controller-service.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    helm.sh/chart: ingress-nginx-2.0.3
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.32.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  type: NodePort
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: http
    - name: https
      port: 443
      protocol: TCP
      targetPort: https
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/component: controller
---
# Source: ingress-nginx/templates/controller-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    helm.sh/chart: ingress-nginx-2.0.3
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.32.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/component: controller
  revisionHistoryLimit: 10
  minReadySeconds: 0
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/component: controller
    spec:
      dnsPolicy: ClusterFirst
      containers:
        - name: controller
          image: registry.cn-shanghai.aliyuncs.com/leozhanggg/ingress/nginx-ingress-controller:0.32.0
          imagePullPolicy: IfNotPresent
          lifecycle:
            preStop:
              exec:
                command:
                  - /wait-shutdown
          args:
            - /nginx-ingress-controller
            - --election-id=ingress-controller-leader
            - --ingress-class=nginx
            - --configmap=ingress-nginx/ingress-nginx-controller
            - --validating-webhook=:8443
            - --validating-webhook-certificate=/usr/local/certificates/cert
            - --validating-webhook-key=/usr/local/certificates/key
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            runAsUser: 101
            allowPrivilegeEscalation: true
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          livenessProbe:
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 3
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
            - name: https
              containerPort: 443
              protocol: TCP
            - name: webhook
              containerPort: 8443
              protocol: TCP
          volumeMounts:
            - name: webhook-cert
              mountPath: /usr/local/certificates/
              readOnly: true
          resources:
            requests:
              cpu: 100m
              memory: 90Mi
      serviceAccountName: ingress-nginx
      terminationGracePeriodSeconds: 300
      volumes:
        - name: webhook-cert
          secret:
            secretName: ingress-nginx-admission
---
# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    helm.sh/chart: ingress-nginx-2.0.3
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.32.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  name: ingress-nginx-admission
  namespace: ingress-nginx
webhooks:
  - name: validate.nginx.ingress.kubernetes.io
    rules:
      - apiGroups:
          - extensions
          - networking.k8s.io
        apiVersions:
          - v1beta1
        operations:
          - CREATE
          - UPDATE
        resources:
          - ingresses
    failurePolicy: Fail
    clientConfig:
      service:
        namespace: ingress-nginx
        name: ingress-nginx-controller-admission
        path: /extensions/v1beta1/ingresses
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-2.0.3
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.32.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  namespace: ingress-nginx
rules:
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
    verbs:
      - get
      - update
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-2.0.3
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.32.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx-admission
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: ingress-nginx-admission-create
  annotations:
    helm.sh/hook: pre-install,pre-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-2.0.3
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.32.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  namespace: ingress-nginx
spec:
  template:
    metadata:
      name: ingress-nginx-admission-create
      labels:
        helm.sh/chart: ingress-nginx-2.0.3
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/version: 0.32.0
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: admission-webhook
    spec:
      containers:
        - name: create
          image: registry.cn-shanghai.aliyuncs.com/leozhanggg/ingress/kube-webhook-certgen:v1.2.0
          imagePullPolicy: IfNotPresent
          args:
            - create
            - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.ingress-nginx.svc
            - --namespace=ingress-nginx
            - --secret-name=ingress-nginx-admission
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
      securityContext:
        runAsNonRoot: true
        runAsUser: 2000
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: ingress-nginx-admission-patch
  annotations:
    helm.sh/hook: post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-2.0.3
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.32.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  namespace: ingress-nginx
spec:
  template:
    metadata:
      name: ingress-nginx-admission-patch
      labels:
        helm.sh/chart: ingress-nginx-2.0.3
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/version: 0.32.0
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: admission-webhook
    spec:
      containers:
        - name: patch
          image: registry.cn-shanghai.aliyuncs.com/leozhanggg/ingress/kube-webhook-certgen:v1.2.0
          imagePullPolicy:
          args:
            - patch
            - --webhook-name=ingress-nginx-admission
            - --namespace=ingress-nginx
            - --patch-mutating=false
            - --secret-name=ingress-nginx-admission
            - --patch-failure-policy=Fail
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
      securityContext:
        runAsNonRoot: true
        runAsUser: 2000
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-2.0.3
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.32.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  namespace: ingress-nginx
rules:
  - apiGroups:
      - ''
    resources:
      - secrets
    verbs:
      - get
      - create
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-2.0.3
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.32.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx-admission
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-2.0.3
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.32.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  namespace: ingress-nginx
③ Apply the deployment file above, wait for the deployment to finish, and change the Service exposure type:
[root@k8s-32 ~]# kubectl get pod -n ingress-nginx
NAME                                       READY   STATUS      RESTARTS   AGE
ingress-nginx-admission-create-mw7mv       0/1     Completed   0          23h
ingress-nginx-admission-patch-k2zwl        0/1     Completed   1          23h
ingress-nginx-controller-df8b8bcbd-klmlc   1/1     Running     0          23h
[root@k8s-32 ~]# kubectl get svc -n ingress-nginx
NAME                                 TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx-controller             NodePort    10.111.132.119   <none>        80:30467/TCP,443:30002/TCP   23h
ingress-nginx-controller-admission   ClusterIP   10.100.33.182    <none>        443/TCP                      23h
2) If you have higher performance requirements and do not need many features, I recommend NGINX Ingress. Because it drops the Lua code, it is faster than the official controller, and under high concurrency it also outperforms HAProxy Ingress.
① Installation and deployment reference: https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/
② Alternatively, you can copy the following modified file directly:

# Source: kubernetes-ingress/deployments/common/ns-and-sa.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: nginx-ingress
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-ingress
  namespace: nginx-ingress
---
# Source: kubernetes-ingress/deployments/rbac/rbac.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: nginx-ingress
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
      - update
      - create
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - list
      - watch
      - get
  - apiGroups:
      - "extensions"
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - k8s.nginx.org
    resources:
      - virtualservers
      - virtualserverroutes
      - globalconfigurations
      - transportservers
    verbs:
      - list
      - watch
      - get
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: nginx-ingress
subjects:
  - kind: ServiceAccount
    name: nginx-ingress
    namespace: nginx-ingress
roleRef:
  kind: ClusterRole
  name: nginx-ingress
  apiGroup: rbac.authorization.k8s.io
---
# Source: kubernetes-ingress/deployments/common/default-server-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: default-server-secret
  namespace: nginx-ingress
type: Opaque
data:
  tls.crt: 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
  tls.key: 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
---
# Source: kubernetes-ingress/deployments/common/nginx-config.yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-config
  namespace: nginx-ingress
data:
  external-status-address: "127.0.0.1"
---
# Source: kubernetes-ingress/deployments/common/vs-definition.yaml
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: virtualservers.k8s.nginx.org
spec:
  group: k8s.nginx.org
  versions:
    - name: v1
      served: true
      storage: true
  scope: Namespaced
  names:
    kind: VirtualServer
    plural: virtualservers
    singular: virtualserver
    shortNames:
      - vs
  preserveUnknownFields: false
  validation:
    openAPIV3Schema:
      description: VirtualServer defines the VirtualServer resource.
      type: object
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          description: VirtualServerSpec is the spec of the VirtualServer resource.
          type: object
          properties:
            host:
              type: string
            routes:
              type: array
              items:
                description: Route defines a route.
                type: object
                properties:
                  action:
                    description: Action defines an action.
                    type: object
                    properties:
                      pass:
                        type: string
                      redirect:
                        description: ActionRedirect defines a redirect in an Action.
                        type: object
                        properties:
                          code:
                            type: integer
                          url:
                            type: string
                      return:
                        description: ActionReturn defines a return in an Action.
                        type: object
                        properties:
                          body:
                            type: string
                          code:
                            type: integer
                          type:
                            type: string
                  errorPages:
                    type: array
                    items:
                      description: ErrorPage defines an ErrorPage in a Route.
                      type: object
                      properties:
                        codes:
                          type: array
                          items:
                            type: integer
                        redirect:
                          description: ErrorPageRedirect defines a redirect for an ErrorPage.
                          type: object
                          properties:
                            code:
                              type: integer
                            url:
                              type: string
                        return:
                          description: ErrorPageReturn defines a return for an ErrorPage.
                          type: object
                          properties:
                            body:
                              type: string
                            code:
                              type: integer
                            headers:
                              type: array
                              items:
                                description: Header defines an HTTP Header.
                                type: object
                                properties:
                                  name:
                                    type: string
                                  value:
                                    type: string
                            type:
                              type: string
                  matches:
                    type: array
                    items:
                      description: Match defines a match.
                      type: object
                      properties:
                        action:
                          description: Action defines an action.
                          type: object
                          properties:
                            pass:
                              type: string
                            redirect:
                              description: ActionRedirect defines a redirect in an Action.
                              type: object
                              properties:
                                code:
                                  type: integer
                                url:
                                  type: string
                            return:
                              description: ActionReturn defines a return in an Action.
                              type: object
                              properties:
                                body:
                                  type: string
                                code:
                                  type: integer
                                type:
                                  type: string
                        conditions:
                          type: array
                          items:
                            description: Condition defines a condition in a MatchRule.
                            type: object
                            properties:
                              argument:
                                type: string
                              cookie:
                                type: string
                              header:
                                type: string
                              value:
                                type: string
                              variable:
                                type: string
                        splits:
                          type: array
                          items:
                            description: Split defines a split.
                            type: object
                            properties:
                              action:
                                description: Action defines an action.
                                type: object
                                properties:
                                  pass:
                                    type: string
                                  redirect:
                                    description: ActionRedirect defines a redirect in an Action.
                                    type: object
                                    properties:
                                      code:
                                        type: integer
                                      url:
                                        type: string
                                  return:
                                    description: ActionReturn defines a return in an Action.
                                    type: object
                                    properties:
                                      body:
                                        type: string
                                      code:
                                        type: integer
                                      type:
                                        type: string
                              weight:
                                type: integer
                  path:
                    type: string
                  route:
                    type: string
                  splits:
                    type: array
                    items:
                      description: Split defines a split.
                      type: object
                      properties:
                        action:
                          description: Action defines an action.
                          type: object
                          properties:
                            pass:
                              type: string
                            redirect:
                              description: ActionRedirect defines a redirect in an Action.
                              type: object
                              properties:
                                code:
                                  type: integer
                                url:
                                  type: string
                            return:
                              description: ActionReturn defines a return in an Action.
                              type: object
                              properties:
                                body:
                                  type: string
                                code:
                                  type: integer
                                type:
                                  type: string
                        weight:
                          type: integer
            tls:
              description: TLS defines TLS configuration for a VirtualServer.
              type: object
              properties:
                redirect:
                  description: TLSRedirect defines a redirect for a TLS.
                  type: object
                  properties:
                    basedOn:
                      type: string
                    code:
                      type: integer
                    enable:
                      type: boolean
                secret:
                  type: string
            upstreams:
              type: array
              items:
                description: Upstream defines an upstream.
                type: object
                properties:
                  buffer-size:
                    type: string
                  buffering:
                    type: boolean
                  buffers:
                    description: UpstreamBuffers defines Buffer Configuration for an Upstream.
                    type: object
                    properties:
                      number:
                        type: integer
                      size:
                        type: string
                  client-max-body-size:
                    type: string
                  connect-timeout:
                    type: string
                  fail-timeout:
                    type: string
                  healthCheck:
                    description: HealthCheck defines the parameters for active Upstream HealthChecks.
                    type: object
                    properties:
                      connect-timeout:
                        type: string
                      enable:
                        type: boolean
                      fails:
                        type: integer
                      headers:
                        type: array
                        items:
                          description: Header defines an HTTP Header.
                          type: object
                          properties:
                            name:
                              type: string
                            value:
                              type: string
                      interval:
                        type: string
                      jitter:
                        type: string
                      passes:
                        type: integer
                      path:
                        type: string
                      port:
                        type: integer
                      read-timeout:
                        type: string
                      send-timeout:
                        type: string
                      statusMatch:
                        type: string
                      tls:
                        description: UpstreamTLS defines a TLS configuration for an Upstream.
                        type: object
                        properties:
                          enable:
                            type: boolean
                  keepalive:
                    type: integer
                  lb-method:
                    type: string
                  max-conns:
                    type: integer
                  max-fails:
                    type: integer
                  name:
                    type: string
                  next-upstream:
                    type: string
                  next-upstream-timeout:
                    type: string
                  next-upstream-tries:
                    type: integer
                  port:
                    type: integer
                  queue:
                    description: UpstreamQueue defines Queue Configuration for an Upstream.
                    type: object
                    properties:
                      size:
                        type: integer
                      timeout:
                        type: string
                  read-timeout:
                    type: string
                  send-timeout:
                    type: string
                  service:
                    type: string
                  sessionCookie:
                    description: SessionCookie defines the parameters for session persistence.
                    type: object
                    properties:
                      domain:
                        type: string
                      enable:
                        type: boolean
                      expires:
                        type: string
                      httpOnly:
                        type: boolean
                      name:
                        type: string
                      path:
                        type: string
                      secure:
                        type: boolean
                  slow-start:
                    type: string
                  subselector:
                    type: object
                    additionalProperties:
                      type: string
                  tls:
                    description: UpstreamTLS defines a TLS configuration for an Upstream.
                    type: object
                    properties:
                      enable:
                        type: boolean
---
# Source: kubernetes-ingress/deployments/common/vsr-definition.yaml
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: virtualserverroutes.k8s.nginx.org
spec:
  group: k8s.nginx.org
  versions:
    - name: v1
      served: true
      storage: true
  scope: Namespaced
  names:
    kind: VirtualServerRoute
    plural: virtualserverroutes
    singular: virtualserverroute
    shortNames:
      - vsr
  preserveUnknownFields: false
  validation:
    openAPIV3Schema:
      type: object
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          type: object
          properties:
            host:
              type: string
            subroutes:
              type: array
              items:
                description: Route defines a route.
                type: object
                properties:
                  action:
                    description: Action defines an action.
                    type: object
                    properties:
                      pass:
                        type: string
                      redirect:
                        description: ActionRedirect defines a redirect in an Action.
                        type: object
                        properties:
                          code:
                            type: integer
                          url:
                            type: string
                      return:
                        description: ActionReturn defines a return in an Action.
                        type: object
                        properties:
                          body:
                            type: string
                          code:
                            type: integer
                          type:
                            type: string
                  errorPages:
                    type: array
                    items:
                      description: ErrorPage defines an ErrorPage in a Route.
                      type: object
                      properties:
                        codes:
                          type: array
                          items:
                            type: integer
                        redirect:
                          description: ErrorPageRedirect defines a redirect for an ErrorPage.
                          type: object
                          properties:
                            code:
                              type: integer
                            url:
                              type: string
                        return:
                          description: ErrorPageReturn defines a return for an ErrorPage.
                          type: object
                          properties:
                            body:
                              type: string
                            code:
                              type: integer
                            headers:
                              type: array
                              items:
                                description: Header defines an HTTP Header.
                                type: object
                                properties:
                                  name:
                                    type: string
                                  value:
                                    type: string
                            type:
                              type: string
                  matches:
                    type: array
                    items:
                      description: Match defines a match.
                      type: object
                      properties:
                        action:
                          description: Action defines an action.
                          type: object
                          properties:
                            pass:
                              type: string
                            redirect:
                              description: ActionRedirect defines a redirect in an Action.
                              type: object
                              properties:
                                code:
                                  type: integer
                                url:
                                  type: string
                            return:
                              description: ActionReturn defines a return in an Action.
                              type: object
                              properties:
                                body:
                                  type: string
                                code:
                                  type: integer
                                type:
                                  type: string
                        conditions:
                          type: array
                          items:
                            description: Condition defines a condition in a MatchRule.
                            type: object
                            properties:
                              argument:
                                type: string
                              cookie:
                                type: string
                              header:
                                type: string
                              value:
                                type: string
                              variable:
                                type: string
                        splits:
                          type: array
                          items:
                            description: Split defines a split.
                            type: object
                            properties:
                              action:
                                description: Action defines an action.
                                type: object
                                properties:
                                  pass:
                                    type: string
                                  redirect:
                                    description: ActionRedirect defines a redirect in an Action.
                                    type: object
                                    properties:
                                      code:
                                        type: integer
                                      url:
                                        type: string
                                  return:
                                    description: ActionReturn defines a return in an Action.
                                    type: object
                                    properties:
                                      body:
                                        type: string
                                      code:
                                        type: integer
                                      type:
                                        type: string
                              weight:
                                type: integer
                  path:
                    type: string
                  route:
                    type: string
                  splits:
                    type: array
                    items:
                      description: Split defines a split.
                      type: object
                      properties:
                        action:
                          description: Action defines an action.
                          type: object
                          properties:
                            pass:
                              type: string
                            redirect:
                              description: ActionRedirect defines a redirect in an Action.
                              type: object
                              properties:
                                code:
                                  type: integer
                                url:
                                  type: string
                            return:
                              description: ActionReturn defines a return in an Action.
                              type: object
                              properties:
                                body:
                                  type: string
                                code:
                                  type: integer
                                type:
                                  type: string
                        weight:
                          type: integer
            upstreams:
              type: array
              items:
                description: Upstream defines an upstream.
                type: object
                properties:
                  buffer-size:
                    type: string
                  buffering:
                    type: boolean
                  buffers:
                    description: UpstreamBuffers defines Buffer Configuration for an Upstream.
                    type: object
                    properties:
                      number:
                        type: integer
                      size:
                        type: string
                  client-max-body-size:
                    type: string
                  connect-timeout:
                    type: string
                  fail-timeout:
                    type: string
                  healthCheck:
                    description: HealthCheck defines the parameters for active Upstream HealthChecks.
                    type: object
                    properties:
                      connect-timeout:
                        type: string
                      enable:
                        type: boolean
                      fails:
                        type: integer
                      headers:
                        type: array
                        items:
                          description: Header defines an HTTP Header.
                          type: object
                          properties:
                            name:
                              type: string
                            value:
                              type: string
                      interval:
                        type: string
                      jitter:
                        type: string
                      passes:
                        type: integer
                      path:
                        type: string
                      port:
                        type: integer
                      read-timeout:
                        type: string
                      send-timeout:
                        type: string
                      statusMatch:
                        type: string
                      tls:
                        description: UpstreamTLS defines a TLS configuration for an Upstream.
                        type: object
                        properties:
                          enable:
                            type: boolean
                  keepalive:
                    type: integer
                  lb-method:
                    type: string
                  max-conns:
                    type: integer
                  max-fails:
                    type: integer
                  name:
                    type: string
                  next-upstream:
                    type: string
                  next-upstream-timeout:
                    type: string
                  next-upstream-tries:
                    type: integer
                  port:
                    type: integer
                  queue:
                    description: UpstreamQueue defines Queue Configuration for an Upstream.
                    type: object
                    properties:
                      size:
                        type: integer
                      timeout:
                        type: string
                  read-timeout:
                    type: string
                  send-timeout:
                    type: string
                  service:
                    type: string
                  sessionCookie:
                    description: SessionCookie defines the parameters for session persistence.
                    type: object
                    properties:
                      domain:
                        type: string
                      enable:
                        type: boolean
                      expires:
                        type: string
                      httpOnly:
                        type: boolean
                      name:
                        type: string
                      path:
                        type: string
                      secure:
                        type: boolean
                  slow-start:
                    type: string
                  subselector:
                    type: object
                    additionalProperties:
                      type: string
                  tls:
                    description: UpstreamTLS defines a TLS configuration for an Upstream.
                    type: object
                    properties:
                      enable:
                        type: boolean
---
# Source: kubernetes-ingress/deployments/common/ts-definition.yaml
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: transportservers.k8s.nginx.org
spec:
  group: k8s.nginx.org
  versions:
    - name: v1alpha1
      served: true
      storage: true
  scope: Namespaced
  names:
    plural: transportservers
    singular: transportserver
    kind: TransportServer
    shortNames:
      - ts
  preserveUnknownFields: false
  validation:
    openAPIV3Schema:
      description: TransportServer defines the TransportServer resource.
      type: object
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          description: TransportServerSpec is the spec of the TransportServer resource.
          type: object
          properties:
            action:
              description: Action defines an action.
              type: object
              properties:
                pass:
                  type: string
            host:
              type: string
            listener:
              description: TransportServerListener defines a listener for a TransportServer.
              type: object
              properties:
                name:
                  type: string
                protocol:
                  type: string
            upstreamParameters:
              description: UpstreamParameters defines parameters for an upstream.
              type: object
              properties:
                udpRequests:
                  type: integer
                udpResponses:
                  type: integer
            upstreams:
              type: array
              items:
                description: Upstream defines an upstream.
                type: object
                properties:
                  name:
                    type: string
                  port:
                    type: integer
                  service:
                    type: string
---
# Source: kubernetes-ingress/deployments/common/gc-definition.yaml
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: globalconfigurations.k8s.nginx.org
spec:
  group: k8s.nginx.org
  versions:
    - name: v1alpha1
      served: true
      storage: true
  scope: Namespaced
  names:
    plural: globalconfigurations
    singular: globalconfiguration
    kind: GlobalConfiguration
    shortNames:
      - gc
  preserveUnknownFields: false
  validation:
    openAPIV3Schema:
      description: GlobalConfiguration defines the GlobalConfiguration resource.
      type: object
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          description: GlobalConfigurationSpec is the spec of the GlobalConfiguration resource.
          type: object
          properties:
            listeners:
              type: array
              items:
                description: Listener defines a listener.
                type: object
                properties:
                  name:
                    type: string
                  port:
                    type: integer
                  protocol:
                    type: string
---
# Source: kubernetes-ingress/deployments/common/global-configuration.yaml
apiVersion: k8s.nginx.org/v1alpha1
kind: GlobalConfiguration
metadata:
  name: nginx-configuration
  namespace: nginx-ingress
---
# Source: kubernetes-ingress/deployments/daemon-set/nginx-ingress.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: nginx-ingress
  namespace: nginx-ingress
spec:
  selector:
    matchLabels:
      app: nginx-ingress
  template:
    metadata:
      labels:
        app: nginx-ingress
      #annotations:
        #prometheus.io/scrape: "true"
        #prometheus.io/port: "9113"
    spec:
      serviceAccountName: nginx-ingress
      containers:
        - image: nginx/nginx-ingress:1.7.1
          name: nginx-ingress
          ports:
            - name: http
              containerPort: 80
              hostPort: 80
            - name: https
              containerPort: 443
              hostPort: 443
            #- name: prometheus
              #containerPort: 9113
          securityContext:
            allowPrivilegeEscalation: true
            runAsUser: 101 #nginx
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
          args:
            - -nginx-configmaps=$(POD_NAMESPACE)/nginx-config
            - -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret
            #- -v=3 # Enables extensive logging. Useful for troubleshooting.
            - -report-ingress-status
            - -external-service=nginx-ingress
            - -enable-leader-election
            #- -enable-prometheus-metrics
            - -global-configuration=$(POD_NAMESPACE)/nginx-configuration
---
# Source: kubernetes-ingress/deployments/service/nodeport.yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx-ingress
  namespace: nginx-ingress
spec:
  #externalTrafficPolicy: Local
  #type: LoadBalancer
  type: NodePort
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
      name: http
    - port: 443
      targetPort: 443
      protocol: TCP
      name: https
  selector:
    app: nginx-ingress
---
# kubectl delete namespace nginx-ingress
# kubectl delete clusterrole nginx-ingress
# kubectl delete clusterrolebinding nginx-ingress
③ Apply the deployment file above, wait for the deployment to complete, then edit nginx-config to set the load-balancer address:
[root@k8s147 ~]# kubectl get pod -n nginx-ingress
NAME                  READY   STATUS    RESTARTS   AGE
nginx-ingress-6m4nm   1/1     Running   1          9d
nginx-ingress-d9b5r   1/1     Running   1          9d
[root@k8s147 ~]# kubectl get svc -n nginx-ingress
NAME            TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
nginx-ingress   NodePort   10.104.157.46   <none>        80:30080/TCP,443:30443/TCP   9d
[root@k8s147 ~]# kubectl get cm nginx-config -oyaml -n nginx-ingress
apiVersion: v1
data:
  external-status-address: 10.88.88.147
kind: ConfigMap
metadata:
  creationTimestamp: "2020-06-23T01:03:30Z"
  name: nginx-config
  namespace: nginx-ingress
  resourceVersion: "15026628"
  selfLink: /api/v1/namespaces/nginx-ingress/configmaps/nginx-config
  uid: b7cfa1c3-204a-4310-8859-096dcd3980ba
[root@k8s147 ~]# kubectl edit cm nginx-config -n nginx-ingress
Edit cancelled, no changes made.
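Further reading >>> ingress-nginx performance testing; Benchmarking HAProxy and NGINX performance
3) If you want comprehensive features and service-mesh management, I recommend Istio. Istio was designed to work with k8s from the start and is a very impressive, production-ready microservice architecture. It has many strengths; its drawback fits in one sentence: "I can't keep up with learning all this!!!"
IV. Configuration for different scenarios
1. Single-service Ingress
Existing Kubernetes concepts already let you expose a single Service; you can also do this with an Ingress by specifying a default backend with no rules.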
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: test-ingress
spec:
  backend:
    serviceName: test-svc
    servicePort: 80
2. Simple fanout
A fanout configuration routes traffic from a single IP address to multiple services, based on the HTTP URI being requested.
foo.bar.com -> 178.91.123.132 -> / foo    service1:4200
                                 / bar    service2:8080
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: simple-fanout-example
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - host: foo.bar.com
    http:
      paths:
      - path: /foo
        backend:
          serviceName: service1
          servicePort: 4200
      - path: /bar
        backend:
          serviceName: service2
          servicePort: 8080
3. Name-based virtual hosting
Name-based virtual hosts support routing HTTP traffic to multiple hostnames at the same IP address.
foo.bar.com --|                 |-> foo.bar.com service1:80
              | 178.91.123.132  |
bar.foo.com --|                 |-> bar.foo.com service2:80
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: name-virtual-host-ingress
spec:
  rules:
  - host: foo.bar.com
    http:
      paths:
      - backend:
          serviceName: service1
          servicePort: 80
  - host: bar.foo.com
    http:
      paths:
      - backend:
          serviceName: service2
          servicePort: 80
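Note: if you create an Ingress resource without any host defined in its rules, any web traffic to the IP address of your Ingress controller can be matched, without a name-based virtual host being required.
4. TLS security settings
You can secure an Ingress by specifying a secret that contains a TLS private key and certificate. The TLS Secret must contain keys named tls.crt and tls.key, which hold the certificate and private key to use for TLS, for example: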
apiVersion: v1
kind: Secret
metadata:
  name: secret-tls
  namespace: default
data:
  tls.crt: base64 encoded cert
  tls.key: base64 encoded key
type: kubernetes.io/tls
Alternatively, generate a certificate with the openssl tool, then create a TLS secret resource with kubectl.
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=sslexample.foo.com"
kubectl create secret tls secret-tls --key tls.key --cert tls.crt
You also need to make sure the TLS secret is created from a certificate whose Common Name (CN), also known as the fully qualified domain name (FQDN), is sslexample.foo.com.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: tls-example-ingress
spec:
  tls:
  - hosts:
    - sslexample.foo.com
    secretName: secret-tls
  rules:
  - host: sslexample.foo.com
    http:
      paths:
      - path: /
        backend:
          serviceName: service1
          servicePort: 80
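The note on host-less rules in the virtual-hosting section and the TLS settings above can both be checked mechanically. The following Python is an added example, not part of the original post: it audits Ingress objects in the networking.k8s.io/v1beta1 shape used on this page for rules without a host, rule hosts not listed under spec.tls, and TLS hosts that no rule uses. The finding codes, the `make_rule` helper, the `no-host-ingress` name and the sample data are constructed for illustration; the wildcard check assumes `*.foo.com` covers exactly one extra label.

```python
def host_covered(host, tls_hosts):
    """True if host is listed under spec.tls, exactly or via a one-label wildcard."""
    return any(t == host or (t.startswith("*.") and host.partition(".")[2] == t[2:])
               for t in tls_hosts)

def audit_ingress(ing):
    """Return sorted (code, detail) findings for one Ingress object."""
    spec = ing.get("spec", {})
    rules = spec.get("rules") or []
    tls_hosts = [h for e in spec.get("tls") or [] for h in e.get("hosts") or []]
    rule_hosts = {r["host"] for r in rules if r.get("host")}
    findings = []
    if not rules and spec.get("backend"):
        findings.append(("DEFAULT_BACKEND_ONLY", "every request goes to spec.backend"))
    for r in rules:
        if not r.get("host"):
            findings.append(("CATCH_ALL_HOST", "rule has no host, matches any traffic"))
        elif not host_covered(r["host"], tls_hosts):
            findings.append(("NO_TLS", r["host"]))
    for h in tls_hosts:
        if not h.startswith("*.") and h not in rule_hosts:
            findings.append(("TLS_HOST_UNUSED", h))
    return sorted(findings)

def audit_all(items):
    """Map namespace/name to findings for a list of Ingress objects."""
    return {"%s/%s" % (i["metadata"].get("namespace", "default"), i["metadata"]["name"]):
            audit_ingress(i) for i in items}

def make_rule(host, svc, port):
    r = {"http": {"paths": [{"backend": {"serviceName": svc, "servicePort": port}}]}}
    return dict(r, host=host) if host else r

# Constructed sample input modelled on the manifests on this page.
SAMPLE = [
    {"metadata": {"name": "tls-example-ingress"},
     "spec": {"tls": [{"hosts": ["sslexample.foo.com"], "secretName": "secret-tls"}],
              "rules": [make_rule("sslexample.foo.com", "service1", 80)]}},
    {"metadata": {"name": "name-virtual-host-ingress"},
     "spec": {"rules": [make_rule("foo.bar.com", "service1", 80),
                        make_rule("bar.foo.com", "service2", 80)]}},
    {"metadata": {"name": "no-host-ingress"},  # hypothetical name
     "spec": {"rules": [make_rule(None, "service1", 80)]}},
    {"metadata": {"name": "test-ingress"},
     "spec": {"backend": {"serviceName": "test-svc", "servicePort": 80}}},
]
if __name__ == "__main__":
    for name, found in audit_all(SAMPLE).items():
        print(name, found or "ok")
```

To run it against a live cluster, pass the `items` list from `kubectl get ingress --all-namespaces -o json` to `audit_all`.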
5. Viewing and accessing
We can list Ingress resources with kubectl get:
$ kubectl get ingress
NAME                    HOSTS         ADDRESS         PORTS   AGE
simple-fanout-example   foo.bar.com   203.0.113.123   80      59s
We can also view the details of an Ingress resource with kubectl describe:
$ kubectl describe ingress simple-fanout-example
Name:             simple-fanout-example
Namespace:        default
Address:          178.91.123.132
Default backend:  default-http-backend:80 (10.8.2.3:8080)
Rules:
  Host         Path  Backends
  ----         ----  --------
  foo.bar.com
               /foo   service1:4200 (10.8.0.90:4200)
               /bar   service2:8080 (10.8.0.91:8080)
Annotations:
  nginx.ingress.kubernetes.io/rewrite-target:  /
Events:
  Type     Reason  Age   From                     Message
  ----     ------  ----  ----                     -------
  Normal   ADD     22s   loadbalancer-controller  default/test
Finally, we can reach the service via HTTP protocol + load-balancer address + controller port + URI.
curl -H 'Host: foo.bar.com' http://203.0.113.123/foo/
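V. My Ingress performance test
Test tool: wrk performance testing (detailed guide)
Because the test environment was rather messy and the hardware modest, the results are not necessarily fully accurate and are for reference only.
From the test results above, kube-ingress has significant performance problems. Tuning parameters can improve performance, but according to various sources it still lags well behind nginx.
nginx-ingress, by contrast, performs noticeably better, with little difference from native nginx. For deployment, I recommend daemon-set mode so that controller replicas scale out smoothly across the nodes, which improves Ingress performance.
Author: Leozhanggg
Source: https://www.cnblogs.com/leozhanggg/p/13189173.html
Copyright of this article is shared by the author and cnblogs (博客園). Reposting is welcome, but unless the author agrees otherwise, this notice must be retained and a link to the original must be given in a prominent position on the page; otherwise the right to pursue legal liability is reserved.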