一、Ingress簡介
1.1 service的作用
1.對集群內部,它不斷跟蹤pod的變化,更新endpoint中對應pod的對象,提供了ip不斷變化的pod的服務發現機制
2.對集群外部,他類似負載均衡器,可以在集群內外部對pod進行訪問
1.2 外部訪問k8s集群內的服務
1.NodePort:測試環境使用還行,當有幾十上百的服務在集群中運行時,NodePort的端口管理就是個災難
2.LoadBalancer:受限於雲平台,且通常在雲平台部署LoadBalancer還需要額外的費用
3.Ingress:可以簡單理解為service的service,它其實就是一組基於域名和URL路徑,把用戶的請求轉發到一個或多個service的規則
二、Ingress組成
2.1 ingress
1.ingress是一個APr對象,通過yaml文件來配置,ingress對象的作用是定義請求如何轉發到service的規則,可以理解為配置模板
2.ingress通過http或https暴露集群內部service,給service提供外部URL、負載均衡、SSL/TLs能力以及基於域名的反向代理。ingress要依靠ingress-controller來具體實現以上功能
2.2 ingress-controller
1.ingress-controller是具體實現反向代理及負載均衡的程序,對ingress定義的規則進行解析,根據配置的規則來實現請求轉發
2.ingress -controller並不是kes自帶的組件,實際上ingress-controller只是一個統稱,用戶可以選擇不同的ingress-controller實現,目前,由k8s維護的ingress-controller只有google雲的ccz與ingress-nginx兩個,其他還有很多第三方維護的ingres-controller,具體可以參考官方文檔。但是不管哪一種ingress-controller,實現的機制都大同小異,只是在具體配置上有差異
3.一般來說,ingress-controller的形式都是一個pod,里面跑着daemon程序和反向代理程序。daemcn負責不斷監控集群的變化,根據ingress對象生成配置並應用新配置到反向代理,比如ingress -nginx就是動態生成nginx配置,動態更新upstrea,並在需要的時候reloada程序應用新配置。為了方便,后面的例子都以k8s官方維護的ingress-nginx為例
4.Ingress-Nginx github 地址:https://github.com/kubernetes/ingress-nginx
Ingress-Nginx官方網站:https:/kubernetes.github.io/ingress-nginx/
5.總結: ingress-controller才是負責具體轉發的組件,通過各種方式將它暴露在集群入口,外部對集群的請求流量會先到
三、Ingress工作原理
1.ingress-controller通過和 kubernetes APIServer 交互,動態的去感知集群中ingress規則變化
2.然后讀取它,按照自定義的規則,規則就是寫明了哪個域名對應哪個service,生成一段nginx配置
3.再寫到nginx-ingress-controller的pod里,這個ingress-controller的pod里運行着一個nginx服務,控制器會把生成的nginx配置寫入/etc/nginx.conf文件中
4.然后reload一下使配置生效。以此達到域名區分配置和動態更新的作用
四、部署nginx-ingress-controller
4.1 部署ingress-controller pod及相關資源
1.mkdir /opt/ingress 2.cd /opt/ingress ========================================================== 官方下載地址: wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.25.0/deploy/static/mandatory.yaml 上面可能無法下載,可用國內的gitee 3.wget https://gitee.com/mirrors/ingress-nginx/raw/nginx-0.25.0/deploy/static/mandatory.yaml wget https://gitee.com/mirrors/ingress-nginx/raw/nginx-0.30.0/deploy/static/mandatory.yaml #mandatory.yaml文件中包含了很多資源的創建,包括namespace、configMap、role,ServiceAccount等等所有部署ingress-controller需要的資源 
4.2 修改clusterRole資源配置
vim mandatory.yaml .... - apiGroups: - "" resources: -services verbs: - get - list - watch - apiGroups: - "extensions" - "networking.k8s.io"#增加(0.25版本) resources: - ingresses verbs: - get - list - watch - apiGroups: - "" resources: - events verbs: - create - patch - apiGroups: - "extensions" - "networking.k8s.io"#增加(o.25版本) resources: - ingresses/ status verbs: - update 
五、ingress暴露服務的方式
1.Deployment+LoadBalancer模式的Service
如果要把ingress部署在公有雲,那用這種方式比較合適。用Deployment部署ingress-controller,創建一個type為 LoadBalancer的 service關聯這組pod。大部分公有雲,都會為 LoadBalancer的 service自動創建一個負載均衡器,通常還綁定了公網地址。只要把域名解析指向該地址,就實現了集群服務的對外暴露 2.DaemonSet+HostNetwork+nodeselector
用DaemonSet結合nodeselector來部署ingress-controller到特定的node 上,然后使用Hostiletwork直接把該pod與宿主機node的網絡打通,直接使用宿主機的80/433端口就能訪問服務。這時,ingress-controller所在的node機器就很類似傳統架構的邊緣節點,比如機房入口的nginx服務器。該方式整個請求鏈路最簡單,性能相對NodePort模式更好。缺點是由於直接利用宿主機節點的網絡和端口,一個node只能部署一個ingress-controller pod。比較適合大並發的生產環境使用
3.Deployment+NodePort模式的Service
1)同樣用deployment模式部署ingres-controller,並創建對應的服務,但是type為NodePort。這樣,ingress就會暴露在集群節點ip的特定端口上 2)由於nodeport暴露的端口是隨機端口,一般會在前面再搭建一套負載均衡器來轉發請求。該方式一般用於宿主機是相對固定的環境ip地址不變的場景 3)NodePort方式暴露ingress雖然簡單方便,但是NodePort多了一層NAT,在請求量級很大時可能對性能會有一定影響 六、采用方式二:DaemonSet+HostNetwork+nodeselector
6.1 指定nginx-ingress-controller運行在node02節點
kubectl label node node02 ingress=true kubectl get nodes --show-labels 
6.2 修改Deployment為Daemonset,指定節點運行,並開啟 hostNetwork
vim mandatory.yaml ... apiversion: apps/vl kind: Daemonset #修改kind ... hostNetwork: true #使用主機網絡 nodeSelector: ingress: "true" #選擇節點運行 ... 
6.3 所有node節點上傳nginx-ingress-controller鏡像壓縮包ingree.contro.tar.gz.到/opt/ingress目錄,並解壓和加載鏡像
mkdir /opt/ingress cd /opt/ingress tar zxvf ingree.contro.tar.gz docker load -i ingree.contro.tar 
6.4 啟動nginx-ingress-controller
#主節點 kubectl apply -f mandatory.yaml kubectl get pod -n ingress-nginx -o wide 
到node02節點查看
netstat -natp | grep nginx ========================================================== 由於配置了hostnetwork, nginx已經在 node主機本地監聽團/443/8181端口。其中 8181 是nginx-controller默認配置的一個defaultbackend (Ingress資源沒有匹配的 rule 對象時,流量就會被導向這個default backend) 這樣,只要訪問 node主機有公網 TP,就可以直接映射域名來對外網暴露服務了。如果要nginx高可用的話,可以在多個node39上部署,並在前面再搭建一套LVS+keepalive做負載均衡。 
6.5 創建ingress規則
6.5.1 創建一個deployment和svc
在主節點創建 vim service-nginx.yaml ========================================================== apiVersion: apps/v1 kind: Deployment metadata: labels: run: nginx-app name: nginx-app spec: replicas: 2 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: containers: - image: nginx name: nginx-app ports: - containerPort: 80 --- apiVersion: v1 kind: Service metadata : name: nginx-service spec: type: ClusterIP ports : - port: 7777 targetPort: 80 selector : app: nginx ========================================================== kubectl apply -f service-nginx.yaml kubectl get pod,svc 
6.5.2 創建ingress
vim ingress-1.yaml ========================================================== apiVersion: extensions/v1beta1 kind: Ingress metadata: name: nginx-ingress spec: rules: - host: www.gxd.com http: paths: - path: / backend: serviceName: nginx-service #指定你創建的svc的名稱 servicePort: 80 ========================================================== kubectl apply -f ingress-1.yaml kubectl get pod,svc,ingress 
6.6 做端口映射並訪問測試
echo '192.168.10.30 www.gxd.com' >> /etc/hosts curl www.gxd.com 
6.7 查看nginx-ingress-controller
kubectl get pod -n ingress-nginx -o wide kubectl exec -it nginx-ingress-controller-k5vvf -n ingress-nginx bash 
七、采用方式三:Deployment+NodePort模式的Service
7.1 下載nginx-ingress-controller和ingress-nginx暴露端口配置文件
在主節點
mkdir /opt/ingress-nodeport
cd /opt/ingress-nodeport
官方下載地址:
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.30.0/deploy/static/mandatory.yaml wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.30.0/deploy/static/provider/baremetal/service-nodeport.yaml 國內 gitee 資源地址: wget https://gitee.com/mirrors/ingress-nginx/raw/nginx-0.30.0/deploy/static/mandatory.yaml wget https://gitee.com/mirrors/ingress-nginx/raw/nginx-0.30.0/deploy/static/provider/baremetal/service-nodeport.yaml 
7.2 在所有node節點上傳鏡像包ingress-controller-0.30.0.tar到/opt/ingress-nodeport目錄,並加載鏡像
在所有node節點 mkdir /opt/ingress-nodeport cd /opt/ingress-nodeport tar zxvf ingree.contro-0.30.0.tar.gz docker load -i ingree.contro-0.30.0.tar 
7.3 啟動nginx-ingress-controller
kubectl apply -f mandatory.yaml kubectl apply -f service-nodeport.yaml 
7.4 創建deployment、service和ingress的yaml資源
vim ingress-nginx.yaml ========================================================== apiVersion: extensions/v1beta1 kind: Deployment metadata: name: nginx-app spec: replicas: 2 template: metadata: labels: name: nginx spec: containers: - name: nginx image: nginx imagePullPolicy: IfNotPresent ports: - containerPort: 80 --- apiVersion: v1 kind: Service metadata: name: nginx-svc spec: ports: - port: 80 targetPort: 80 protocol: TCP selector: name: nginx --- apiVersion: extensions/v1beta1 kind: Ingress metadata: name: nginx-test spec: rules: - host: www.gxd111.com http: paths: - path: / backend: serviceName: nginx-svc servicePort: 80 ==========================================================kubectl apply -f ingress-nginx.yaml kubectl get pod,svc,ingress -owide 
7.5 做端口映射並訪問測試
echo '192.168.10.30 www.gxd111.com' >> /etc/hosts curl www.gxd111.com 
八、ingress http代理訪問虛擬主機
mkdir /opt/ingress-nodeport/vhost cd /opt/ingress-nodeport/vhost ========================================================== #創建虛擬主機1資源 vim demo1.yaml apiVersion: extensions/v1beta1 kind: Deployment metadata: name: deployment1 spec: replicas: 2 template: metadata: labels: name: nginx1 spec: containers: - name: nginx1 image: nginx ports: - containerPort: 80 --- apiVersion: v1 kind: Service metadata: name: svc-1 spec: ports: - port: 80 protocol: TCP targetPort: 80 selector: name: nginx1 type: ClusterIP ========================================================== #創建虛擬主機2資源 vim demo2.yaml apiVersion: extensions/v1beta1 kind: Deployment metadata: name: deployment2 spec: replicas: 2 template: metadata: labels: name: nginx2 spec: containers: - name: nginx2 image: nginx ports: - containerPort: 80 --- apiVersion: v1 kind: Service metadata: name: svc-2 spec: ports: - port: 80 protocol: TCP targetPort: 80 selector: name: nginx2 type: ClusterIP ========================================================== 創建ingress資源 vim ingress-nginx.yaml apiVersion: extensions/v1beta1 kind: Ingress metadata: name: ingress1 spec: rules: - host: www1.gxd.com http: paths: - path: / backend: serviceName: svc-1 servicePort: 80 --- apiVersion: extensions/v1beta1 kind: Ingress metadata: name: ingress2 spec: rules: - host: www2.gxd.com http: paths: - path: / backend: serviceName: svc-2 servicePort: 80 ========================================================== kubectl apply -f demo1.yaml kubectl apply -f demo2.yaml kubectl apply -f ingress-nginx.yaml kubectl get pod,svc,ingress 
echo '192.168.10.30 www1.gxd.com ' >> /etc/hosts echo '192.168.10.30 www2.gxd.com ' >> /etc/hosts curl www1.gxd.com:31396 curl www2.gxd.com:31396 
九、ingress https代理訪問
9.1 創建工作目錄
mkdir /opt/ingress-nodeport/https cd /opt/ingress-nodeport/https 9.2 創建ssl證書
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginXsvc/O=nginxsvc" 
9.3 創建secret資源進行存儲
kubectl create secret tls tls-secret --key tls.key --cert tls.crt kubectl get secret kubectl describe secret tls-secret 
9.4 創建deployment、service和ingress的yaml資源
vim demo3.yaml ========================================================== apiVersion: extensions/v1beta1 kind: Deployment metadata: name: nginx-app spec: replicas: 2 template: metadata: labels: name: nginx spec: containers: - name: nginx image: nginx imagePullPolicy: IfNotPresent ports: - containerPort: 80 --- apiVersion: v1 kind: Service metadata: name: svc-3 spec: ports: - port: 80 targetPort: 80 protocol: TCP selector: name: nginx --- apiVersion: extensions/v1beta1 kind: Ingress metadata: name: ingress3 spec: tls: - hosts: - www.gxd222.com secretName: tls-secret rules: - host: www.gxd222.com http: paths: - path: / backend: serviceName: svc-3 servicePort: 80 ==========================================================kubectl apply -f demo3.yaml kubectl get pod,svc,ingress 
9.5 做端口映射並訪問測試
echo '192.168.10.30 www.gxd222.com' >> /etc/hosts 在瀏覽器訪問 https://www.gxd222.com:31067 點擊高級選項,確認安全例外即可 
十、nginx進行BasicAuth(訪問前輸入用戶和密碼)
10.1 創建工作目錄
mkdir /opt/ingress-nodeport/basic-auth cd /opt/ingress-nodeport/basic-auth 10.2 生成用戶密碼文件,創建secret資源進行存儲
yum install -y httpd htpasswd -c auth gxd kubectl create secret generic basic-auth --from-file=auth kubectl get secret kubectl describe secret basic-auth 
10.3 創建ingress資源
//具體詳細設置方法可參考官網https://kubernetes.github.io/ingress-nginx/examples/auth/basic/ vim ingress-auth.yaml ========================================================== apiVersion: extensions/v1beta1 kind: Ingress metadata: name: ingress-auth annotations: #設置認證類型basic nginx.ingress.kubernetes.io/auth-type: basic #設置secret資源名稱basic-auth nginx.ingress.kubernetes.io/auth-secret: basic-auth #設置認證窗口提示信息 nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - gxd' spec: rules: - host: auth.gxd.com http: paths: - path: / backend: serviceName: svc-2 #之前指定創建過的svc servicePort: 80 ========================================================== kubectl apply -f ingress-auth.yaml kubectl get ingress 
10.4 做端口映射並訪問測試
echo '192.168.10.30 auth.gxd.com' >> /etc/hosts 在瀏覽器訪問 http://auth.gxd.com:31396 
十一、nginx進行重寫
11.1 配置說明
nginx.ingress.kubernetes.io/rewrite-target:<字符串>#必須重定向流量的目標URI nginx.ingress . kubernetes.io/ssl-redirect:<布爾值>指示位置部分是否僅可訪問sSL(當Ingress包含證書時,默認為true)nginx.ingress . kubernetes.io/force-ssl-redirect:<布爾值>#即使Ingress未啟用rLS,也強制重定向到HTTPS nginx.ingress .kubernetes.io/app-root:<字符串>#定義controller必須重定向的應用程序根,如果它在'/'上下文中·nginx.ingress, kubernetes.io/use-regex:<布爾值>#指示Ingress.上定義的路徑是否使用正則表達式 11.2 編寫yaml文件
vim ingress-rewrite.yaml ========================================================== apiVersion: extensions/v1beta1 kind: Ingress metadata: name: nginx-rewrite annotations: nginx.ingress.kubernetes.io/rewrite-target: http://auth.gxd.com:31396 spec: rules: - host: rewrite.gxd.com http: paths: - path: / backend: serviceName: ggggg #由於rewrite.gxd.com只是用於跳轉不需要真實站點存在,因此svc資源名稱可隨意定義 servicePort: 1111 ========================================================== kubectl apply -f ingress-rewrite.yaml kubectl get ingress 
11.3 做端口映射並訪問測試
echo '192.168.10.30 rewrite.gxd.com' >> /etc/hosts 在瀏覽器訪問 http://rewrite.gxd.com 
