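I. Overview
Ingress-nginx: developed by the Kubernetes community on top of the Nginx web server and supplemented with a set of Lua plugins that implement additional features. As the "official" default controller, it naturally has the best support.
GitHub: https://github.com/kubernetes/ingress-nginx
Documentation: https://kubernetes.github.io/ingress-nginx/deploy/
Nginx-ingress: a product developed by the official Nginx community. Nginx ingress is highly stable, maintains backward compatibility, contains no third-party modules, and guarantees higher speed because the Lua code has been eliminated.
GitHub: https://github.com/nginxinc/kubernetes-ingress
Documentation: https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/
Comparison of differences:
More details: https://github.com/nginxinc/kubernetes-ingress/blob/master/docs/nginx-ingress-controllers.md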
II. Custom Configuration
Ingress-nginx:
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    helm.sh/chart: ingress-nginx-2.13.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.35.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  proxy-connect-timeout: "5"
  proxy-read-timeout: "60"
  client-body-buffer-size: "8k"
  worker-processes: "4"
  max-worker-connections: "16384"
More global configuration options: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/
Per-Ingress configuration: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/
Nginx-ingress:
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-config
  namespace: nginx-ingress
data:
  proxy-connect-timeout: "60s"
  proxy-read-timeout: "60s"
  client-max-body-size: "80m"
  worker-processes: "4"
  worker-connections: "10240"
  external-status-address: "10.88.88.108"
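Common settings explained:
proxy-connect-timeout: Defines the timeout for establishing a connection with the proxied server; default 60s. Note that this timeout usually cannot exceed 75 seconds.
proxy-read-timeout: Defines the timeout for reading a response from the proxied server; default 60s. The timeout is set only between two successive read operations, not for the transmission of the whole response. If the proxied server transmits nothing within this time, the connection is closed.
client-max-body-size: Sets the maximum allowed size of the client request body, as specified in the "Content-Length" request header field; default 1m. If the size in a request exceeds the configured value, the 413 (Request Entity Too Large) error is returned to the client. Note that browsers cannot correctly display this error. Setting size to 0 disables checking of the client request body size.
worker-processes: Defines the number of worker processes. The optimal value depends on many factors, including (but not limited to) the number of CPU cores, the number of hard disk drives that store data, and the load pattern. When in doubt, setting it to the number of available CPU cores is a good start (the default value "auto" tries to detect it automatically).
worker-connections: Sets the maximum number of simultaneous connections that a worker process can open; default 1024. Keep in mind that this number includes all connections (for example, connections with proxied servers), not only connections with clients. Another consideration is that the actual number of simultaneous connections cannot exceed the current limit on the maximum number of open files, which can be changed with worker_rlimit_nofile.
external-status-address: Sets the address to be reported in the status of Ingress resources. Requires the -report-status command-line argument and overrides the -external-service argument.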
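The limits described above can be checked before a ConfigMap is applied. The following is an added example, not code from the original post or from either controller project; it works on the ConfigMap's data section already parsed into a dict, and the function names and the nofile_limit parameter are assumptions made for illustration. It also flags unquoted numbers, because ConfigMap data values must be strings.

```python
import re

TIME_UNITS = {"ms": 0.001, "s": 1, "m": 60, "h": 3600}       # nginx time suffixes
SIZE_UNITS = {"": 1, "k": 1024, "m": 1024**2, "g": 1024**3}  # nginx size suffixes


def seconds(value):
    """Convert an nginx time value ("5", "60s", "2m") to seconds."""
    m = re.fullmatch(r"(\d+)(ms|s|m|h)?", value.strip())
    if not m:
        raise ValueError(f"unsupported time value: {value!r}")
    return int(m.group(1)) * TIME_UNITS[m.group(2) or "s"]


def size_bytes(value):
    """Convert an nginx size value ("0", "8k", "80m") to bytes."""
    m = re.fullmatch(r"(\d+)([kmg]?)", value.strip().lower())
    if not m:
        raise ValueError(f"unsupported size value: {value!r}")
    return int(m.group(1)) * SIZE_UNITS[m.group(2)]


def audit_configmap(data, nofile_limit=None):
    """Return findings for a ConfigMap's data mapping (parsed YAML as a dict)."""
    findings = []
    for key, value in data.items():
        if not isinstance(value, str):
            findings.append(f"{key}: {value!r} is not a string, quote it")
    text = {k: str(v) for k, v in data.items()}
    if "proxy-connect-timeout" in text and seconds(text["proxy-connect-timeout"]) > 75:
        findings.append("proxy-connect-timeout: above the usual 75s ceiling")
    if "client-max-body-size" in text and size_bytes(text["client-max-body-size"]) == 0:
        findings.append("client-max-body-size: 0 disables the body size check")
    for key in ("worker-connections", "max-worker-connections"):
        if nofile_limit is not None and key in text and int(text[key]) > nofile_limit:
            findings.append(f"{key}: {text[key]} exceeds open-file limit {nofile_limit}")
    return findings


# Constructed sample, modelled on the ConfigMaps shown above but with weak values.
SAMPLE = {
    "proxy-connect-timeout": 5,       # unquoted number
    "proxy-read-timeout": "60s",
    "client-max-body-size": "0",      # size check disabled
    "worker-connections": "10240",
}
```

Calling audit_configmap(SAMPLE, nofile_limit=8192) reports the unquoted timeout, the disabled body size check and the connection count above the file limit.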
III. Resource Definitions
1) Same domain, different URLs forwarded to different services
Ingress-nginx:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ymtapi
  namespace: ymt
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: k8s.ymtapi.org
    http:
      paths:
      - path: /wxapi
        backend:
          serviceName: apprestserver
          servicePort: 8114
      - path: /api
        backend:
          serviceName: appsocialmanservice
          servicePort: 8113
Nginx-ingress:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ymtapi
  namespace: ymt
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: k8s.ymtapi.org
    http:
      paths:
      - path: /wxapi
        backend:
          serviceName: apprestserver
          servicePort: 8114
      - path: /api
        backend:
          serviceName: appsocialmanservice
          servicePort: 8113
2) Different domains forwarded to different services
Ingress-nginx:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: prometheus
  namespace: monitoring
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: k8s.grafana.com
    http:
      paths:
      - path: /
        backend:
          serviceName: grafana
          servicePort: 3000
  - host: k8s.prometheus.com
    http:
      paths:
      - path: /
        backend:
          serviceName: prometheus-k8s
          servicePort: 9090
  - host: k8s.alertmanager.com
    http:
      paths:
      - path: /
        backend:
          serviceName: alertmanager-main
          servicePort: 9093
Nginx-ingress:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: prometheus
  namespace: monitoring
spec:
  rules:
  - host: k8s.grafana.com
    http:
      paths:
      - path: /
        backend:
          serviceName: grafana
          servicePort: 3000
  - host: k8s.prometheus.com
    http:
      paths:
      - path: /
        backend:
          serviceName: prometheus-k8s
          servicePort: 9090
  - host: k8s.alertmanager.com
    http:
      paths:
      - path: /
        backend:
          serviceName: alertmanager-main
          servicePort: 9093
3) Forwarding without a domain name
Ingress-nginx:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ymtapi
  namespace: ymt
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - http:
      paths:
      - path: /WxTransWeb
        backend:
          serviceName: wxtransweb
          servicePort: 8080
Nginx-ingress:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ymtapi
  namespace: ymt
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.org/server-snippets: "server_name ~^.*$;"
spec:
  rules:
  - host: k8s.ymtapi.org
    http:
      paths:
      - path: /WxTransWeb
        backend:
          serviceName: wxtransweb
          servicePort: 8080
Note: Nginx-ingress requires that host be present, i.e. a domain name must be used. To allow direct access by IP, the only option is to set "server_name ~^.*$;", which supports access by both domain name and IP, but this can be set on only one Ingress.
Github issue:https://github.com/nginxinc/kubernetes-ingress/issues/209#issuecomment-581691384
4) TLS-based security settings
Ingress-nginx:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: dashboard
  namespace: kubernetes-dashboard
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  tls:
  - hosts:
    - k8s.dashboard.com
    secretName: tls-secret
  rules:
  - host: k8s.dashboard.com
    http:
      paths:
      - path: /
        backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
Nginx-ingress:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: dashboard
  namespace: kubernetes-dashboard
  annotations:
    nginx.org/redirect-to-https: "true"
    ingress.kubernetes.io/ssl-redirect: "true"
    nginx.org/ssl-services: "kubernetes-dashboard"
spec:
  tls:
  - hosts:
    - k8s.dashboard.com
    secretName: tls-secret
  rules:
  - host: k8s.dashboard.com
    http:
      paths:
      - path: /
        backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
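The host requirement from item 3 and the TLS settings from item 4 can be linted across a set of Ingress manifests before they are applied. This is an added example, not code from the original post or from either controller project; it takes manifests already parsed from YAML into dicts, and the function names, the demo namespace and the sample hosts and services are constructed for illustration.

```python
CATCH_ALL = "server_name ~^.*$;"  # snippet value used in the manifest above


def audit_ingresses(ingresses):
    """Return findings for Ingress manifests already parsed from YAML into dicts."""
    findings, catch_all = [], []
    for ing in ingresses:
        meta, spec = ing["metadata"], ing.get("spec", {})
        name = f"{meta.get('namespace', 'default')}/{meta['name']}"
        notes = meta.get("annotations", {})
        rules = spec.get("rules", [])
        hosts = [r.get("host") for r in rules]
        services = {p["backend"]["serviceName"] for r in rules for p in r["http"]["paths"]}
        tls_hosts = {h for t in spec.get("tls", []) for h in t.get("hosts", [])}
        if not all(hosts):
            findings.append(f"{name}: rule without host (Nginx-ingress requires one)")
        if CATCH_ALL in notes.get("nginx.org/server-snippets", ""):
            catch_all.append(name)
        for h in filter(None, hosts):
            if "tls" in spec and h not in tls_hosts:
                findings.append(f"{name}: host {h} is not listed under tls.hosts")
        for svc in filter(None, notes.get("nginx.org/ssl-services", "").split(",")):
            if svc.strip() not in services:
                findings.append(f"{name}: ssl-services names unknown backend {svc.strip()}")
    if len(catch_all) > 1:
        findings.append("catch-all server_name on several Ingresses: " + ", ".join(catch_all))
    return findings


def ingress(name, host, service, port, annotations=None, tls_hosts=None):
    """Build a minimal v1beta1-style Ingress dict (constructed test input)."""
    rule = {"http": {"paths": [{"path": "/", "backend":
            {"serviceName": service, "servicePort": port}}]}}
    if host:
        rule["host"] = host
    spec = {"rules": [rule]}
    if tls_hosts is not None:
        spec["tls"] = [{"hosts": tls_hosts, "secretName": "tls-secret"}]
    return {"metadata": {"name": name, "namespace": "demo",
                         "annotations": annotations or {}}, "spec": spec}


SAMPLE = [  # constructed manifests; only the first mirrors the dashboard Ingress
    ingress("dashboard", "k8s.dashboard.com", "kubernetes-dashboard", 443,
            {"nginx.org/ssl-services": "kubernetes-dashboard"}, ["k8s.dashboard.com"]),
    ingress("a", "a.example.com", "svc-a", 8080, {"nginx.org/server-snippets": CATCH_ALL}),
    ingress("b", None, "svc-b", 8080, {"nginx.org/server-snippets": CATCH_ALL}),
    ingress("c", "c.example.com", "svc-c", 443,
            {"nginx.org/ssl-services": "svc-x"}, ["other.example.com"]),
]
```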
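Author: Leozhanggg
Source: https://www.cnblogs.com/leozhanggg/p/13603215.html
The copyright of this article is shared by the author and cnblogs (博客園). Reposting is welcome, but unless the author agrees otherwise this statement must be retained and a link to the original article must be placed in a prominent position on the page; otherwise the right to pursue legal liability is reserved.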