k8s ingress nginx (HTTPS certificates, common ingress nginx syntax, ways to configure ingress)


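1. Types of ingress

1. Nginx Ingress: converts the contents of the Ingress manifests into nginx configuration in real time, similar to dynamically generated nginx configuration

2. traefik: native Kubernetes support

3. istio: a service mesh. Problems it solves: service governance, traffic policy routing, traffic security and authentication. Used by very large companies with very high traffic; the maintenance cost is high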

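2. ingress nginx

Main role of ingress

Main role of a Service: load balancing
Main role of ingress: domain-based forwarding and the entry point for traffic into the cluster

How ingress nginx works

Based on the Ingress manifests, it generates the Nginx configuration in real time and applies it, then forwards traffic to the pods through the nginx reverse proxy.

Nginx configuration file: vi /etc/nginx/nginx.conf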

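nginx ingress: high performance
traefik: native Kubernetes support
istio: service mesh, governance of service traffic

ingress: an abstraction of a "reverse proxy". Put simply, it is a global load balancer that maps a requested URL to a backend Service
How it works: based on the Ingress manifests, it generates the Nginx configuration in real time and applies it, then forwards traffic to the pods through the nginx reverse proxy.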
https://kubernetes.github.io/ingress-nginx/deploy/#bare-metal-clusters

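Deploying ingress nginx from the official manifest

The images referenced by the official manifest cannot be pulled, so a workaround is needed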
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.5/deploy/static/provider/baremetal/deploy.yaml
[root@sg-14 ingress]# cat deploy.yaml |grep image
          image: k8s.gcr.io/ingress-nginx/controller:v1.0.5@sha256:55a1fcda5b7657c372515fe402c3e39ad93aa59f6e4378e82acd99912fe6028d
          imagePullPolicy: IfNotPresent
          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
          imagePullPolicy: IfNotPresent
          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
          imagePullPolicy: IfNotPresent
          
 ##### Pulling the k8s.gcr.io images fails; replace them
 Deploy: kubectl apply -f deploy.yaml
 
# Download
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.47.0/deploy/static/provider/baremetal/deploy.yaml

Under spec at line 329, add one line: hostNetwork: true
At line 332, change the image to an Alibaba Cloud mirror image:
Alibaba Cloud image home page: http://dev.aliyun.com/ (search there for the ingress-nginx image)
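
Replacing the image line by hand makes it easy to drop the @sha256 digest that the official manifest pins, and with it the runtime's check that the mirrored image is the upstream one. The script below is an added example, not part of the original post: it lists image references that are not pinned and rewrites only the registry prefix so the digest is kept. The mirror name registry.example.com/mirror and the function names are placeholders, and the sample manifest is constructed from the grep output above.

```bash
# Added example, not from the original post. The mirror name passed to
# to_mirror is a placeholder; the function names are assumptions.

# sample_manifest: constructed input. Two image lines as printed by the grep
# above, plus a tag-only mirror reference of the kind a hand edit produces.
sample_manifest() {
  cat <<'EOF'
          image: k8s.gcr.io/ingress-nginx/controller:v1.0.5@sha256:55a1fcda5b7657c372515fe402c3e39ad93aa59f6e4378e82acd99912fe6028d
          imagePullPolicy: IfNotPresent
          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
          imagePullPolicy: IfNotPresent
          image: registry.example.com/mirror/ingress-nginx/controller:v1.0.5
EOF
}

# unpinned_images FILE: print image references without an @sha256 digest.
# A tag alone can be re-pointed by whoever controls the registry.
unpinned_images() {
  grep -E '^[[:space:]]*(- )?image:[[:space:]]' "$1" | awk '{print $NF}' \
    | grep -v '@sha256:[0-9a-f]\{64\}$' | sort -u
}

# to_mirror FILE MIRROR: replace the k8s.gcr.io registry with MIRROR and leave
# the tag@digest suffix untouched, so the pull is still verified by digest.
# MIRROR must not contain the '#' character (used as the sed delimiter).
to_mirror() {
  sed "s#\(image:[[:space:]]*\)k8s\.gcr\.io/#\1$2/#" "$1"
}

# Usage:
#   unpinned_images deploy.yaml
#   to_mirror deploy.yaml registry.example.com/mirror > deploy-mirror.yaml
```

A pull by digest fails if the mirror's copy differs from the upstream image, which is the behaviour you want from a mirror you do not control.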

Download and install ingress (tested and working)

wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.19.0/deploy/mandatory.yaml

kubectl apply -f mandatory.yaml

Check: kubectl get pods -n ingress-nginx -o wide
Details: kubectl describe -n ingress-nginx svc default-http-backend

Deploying the Ingress

ingress.yaml

kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: ingress-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
    - host: www.test.com
      http:
        paths:
          - path: /
            backend:
              serviceName: service  ## the Service to route to
              servicePort: 80
    - host: www.abc.com
      http:
        paths:
          - path: /
            backend:
              serviceName: service-svc  ## the Service to route to; Service names are DNS labels, so no underscore
              servicePort: 80

Service: deploy a test Service to expose the ports

apiVersion: v1
kind: Service
metadata:
  name: nginx
spec:
  selector:
    app: nginx
  ports:
    - name: http
      port: 80
      targetPort: 80
      protocol: "TCP"
    - name: https
      port: 443
      targetPort: 443
      protocol: "TCP"

Pod: deploy a test nginx

apiVersion: v1
kind: Pod
metadata:
  name: nginx
  labels:
    app: nginx
spec:
  containers:
    - name: nginx
      image: ngin

Flow from ingress to pod

Flow from ingress to pod:
ingress ---> endpoints (headless ClusterIP Service) ---> pod

Access

Add an entry to the local hosts file
192.168.0.214 www.test.com

Access:
192.168.0.214:31220
www.test.com:31220 both work

3. Creating a test HTTPS certificate locally

Official documentation

https://kubernetes.github.io/ingress-nginx/user-guide/tls/
1. Create the HTTPS certificate
openssl genrsa -out tls.key 2048  # create the private key
openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=ShangHai/L=ShangHai/O=Ingress/CN=www.test.com   # create the certificate

2. Deploy the certificate
kubectl -n default create secret tls ingress-tls --cert=tls.crt --key=tls.key

secret/ingress-tls created   # stored as a Secret resource

Verify:
[root@sg-14 TLS]# kubectl get secrets -n ingress-nginx
NAME                                       TYPE                                  DATA   AGE
default-token-bx64d                        kubernetes.io/service-account-token   3      4h12m
ingress-tls                                kubernetes.io/tls                     2      81s
nginx-ingress-serviceaccount-token-tqb48   kubernetes.io/service-account-token   3      4h12m

3. Create the Ingress
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: ingress-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
    - hosts:
        - www.test.com
      secretName: ingress-tls  # name of the Secret
    
  rules:
    - host: www.test.com
      http:
        paths:
          - path: /
            backend:
              serviceName: nginx
              servicePort: 80
              
4. Check the port that exposes 443 for the ingress
[root@sg-14 ingress]# kubectl get svc
NAME         TYPE           CLUSTER-IP      EXTERNAL-IP     PORT(S)                      
nginx        NodePort       192.163.51.88   <none>          80:31220/TCP,443:30306/TCP   6h13m

5. Access from a browser
https://www.test.com:30306/
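
The openssl command in step 1 produces a CN-only certificate with the default 30-day lifetime. The script below is an added example, not part of the original post: it issues the certificate with a subjectAltName and checks key match, SAN, host coverage and expiry before the Secret is created. The function names and the 90-day lifetime are assumptions; the host and file names follow the steps above.

```bash
# Added example, not from the original post. Host www.test.com and the file
# names tls.key / tls.crt follow the page; the function names and the 90-day
# lifetime are assumptions. Needs OpenSSL 1.1.1 or later for -addext.

# make_cert HOST DIR: RSA-2048 key plus self-signed cert with a SAN for HOST.
make_cert() {
  mc_host=$1; mc_dir=$2
  # umask in a subshell so the private key is created owner-readable only.
  ( umask 077; openssl genrsa -out "$mc_dir/tls.key" 2048 2>/dev/null ) || return 1
  openssl req -new -x509 -key "$mc_dir/tls.key" -out "$mc_dir/tls.crt" \
    -days 90 -subj "/C=CN/ST=ShangHai/L=ShangHai/O=Ingress/CN=$mc_host" \
    -addext "subjectAltName=DNS:$mc_host"
}

# check_pair CRT KEY HOST: return 0 only if the pair is fit to load.
check_pair() {
  cp_crt=$1; cp_key=$2; cp_host=$3
  # 1. The private key must belong to the certificate (same public key).
  cp_a=$(openssl x509 -in "$cp_crt" -noout -pubkey) || return 1
  cp_b=$(openssl pkey -in "$cp_key" -pubout) || return 1
  [ "$cp_a" = "$cp_b" ] || { echo "key does not match certificate" >&2; return 1; }
  # 2. A SAN must be present: current browsers and Go clients ignore the CN.
  openssl x509 -in "$cp_crt" -noout -text | grep -q 'Subject Alternative Name' \
    || { echo "certificate has no subjectAltName" >&2; return 1; }
  # 3. The certificate must cover the host used in the Ingress rule.
  openssl x509 -in "$cp_crt" -noout -checkhost "$cp_host" | grep -q 'does match' \
    || { echo "certificate does not cover $cp_host" >&2; return 1; }
  # 4. It must not expire within the next 24 hours.
  openssl x509 -in "$cp_crt" -noout -checkend 86400 >/dev/null \
    || { echo "certificate expires within 24h" >&2; return 1; }
}

# Usage:
#   make_cert www.test.com . && check_pair tls.crt tls.key www.test.com \
#     && kubectl -n default create secret tls ingress-tls --cert=tls.crt --key=tls.key
```

Create the Secret in the same namespace as the Ingress that references it; an Ingress cannot use a TLS Secret from another namespace.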

4. Common nginx ingress syntax

Official documentation

https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#permanent-redirect

Domain redirect

# Domain redirect (cannot redirect / )
nginx.ingress.kubernetes.io/rewrite-target


kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: ingress-ingress-nginx-tls
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/rewrite-target: https://www.baidu.com/s?wd=nginx
spec:
  rules:
    - host: www.test-nginx.com
      http:
        paths:
          - path: /
            backend:
              serviceName: wordpress-nginx
              servicePort: 80



kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: ingress-ingress-nginx-tls
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/permanent-redirect: https://www.baidu.com
spec:
  rules:
    - host: www.test-nginx.com
      http:
        paths:
          - path: /
            backend:
              serviceName: wordpress-nginx
              servicePort: 80

Setting an ingress whitelist

kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: ingress-ingress-nginx-tls
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/whitelist-source-range: 192.168.15.53,192.168.15.52
spec:
  rules:
    - host: www.test-nginx.com
      http:
        paths:
          - path: /
            backend:
              serviceName: wordpress-nginx
              servicePort: 80

Matching with a regular expression

# Matching with a regular expression (only a limited set of regex features is supported)
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: ingress-ingress-nginx-tls
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/rewrite-target: https://www.baidu.com/s?wd=$1
spec:
  rules:
    - host: www.test-nginx.com
      http:
        paths:
          - path: /search/(.+)
            backend:
              serviceName: wordpress-nginx
              servicePort: 80

# nginx login
https://kubernetes.github.io/ingress-nginx/examples/auth/basic/

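5. Ways to apply the common ingress nginx settings

There are two ways:
	1. Annotations: take effect for the current Ingress only
	2. ConfigMap: takes effect globally, for all Ingresses

See the official documentation for details: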
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/

https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/

