1:環境
集群 | 版本 | 插件版本 |
---|---|---|
Kubernetes | 1.23.3 | 1.1.3 |
2:未配置
[root@k8s-master ingress]# cat demo.yaml
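# demo.yaml: a Namespace plus an nginx Deployment, Service and Ingress.
# The nesting below is restored; the flattened listing is not a valid manifest.
apiVersion: v1
kind: Namespace
metadata:
  name: nginx
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:alpine
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx
  namespace: nginx
spec:
  # ClusterIP: the Service is reachable from outside only through the Ingress.
  type: ClusterIP
  selector:
    app: nginx
  ports:
    - name: http
      port: 80
      targetPort: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx
  namespace: nginx
  # No auth annotations yet: any client that can reach the ingress controller
  # can fetch this host without credentials.
spec:
  ingressClassName: nginx
  rules:
    - host: demo.kubernetes-devops.cn
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nginx
                port:
                  number: 80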
# 這里模擬一個隱私主頁,首先不打開認證,我們來看一下
[root@k8s-master ingress]# kubectl get pod,svc,ingress
NAME READY STATUS RESTARTS AGE
pod/nginx-9fbb7d78-zgpxk 2/2 Running 0 27m
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes ClusterIP 172.1.0.1 <none> 443/TCP 83d
service/nginx ClusterIP 172.1.238.14 <none> 80/TCP 27m
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress.networking.k8s.io/nginx nginx demo.kubernetes-devops.cn 10.0.0.12 80 27m
# 查看一下
3:配置Auth
這里可以看到,未配置認證時可以直接訪問到,接下來我們打開Auth認證模塊
# 在此之前我們需要先生成一個配置文件來創建一個secrets
[root@k8s-master ingress]# yum install -y httpd # 這里需要使用htpasswd
[root@k8s-master ingress]# mkdir auth
[root@k8s-master ingress]# cd auth/
[root@k8s-master auth]# htpasswd -c auth admin # htpasswd -c <filename> <username>;-c 會新建文件,若文件已存在則會覆蓋
New password: # 輸入密碼
Re-type new password: # 再次輸入密碼
Adding password for user admin
[root@k8s-master auth]# ls
auth # 此處生成文件
# 創建 secret
[root@k8s-master auth]# kubectl create secret generic auth --from-file=auth
# kubectl create secret generic <secretname> --from-file=<htpasswd_name>
# 默認的 auth-file 類型要求 secret 內的 key 名為 auth,所以 htpasswd 文件名保持為 auth;secret 需與 Ingress 位於同一 namespace
secret/auth created
# 配置Ingress認證
[root@k8s-master ingress]# kubectl get secrets
NAME TYPE DATA AGE
auth Opaque 1 70s
[root@k8s-master ingress]# cat demo.yaml
...
---
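# Ingress for the demo host with HTTP Basic authentication enforced by ingress-nginx.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx
  annotations:
    # Enable basic authentication.
    nginx.ingress.kubernetes.io/auth-type: basic
    # Name of the Secret holding the htpasswd data; by default it is looked up
    # in the same namespace as this Ingress.
    nginx.ingress.kubernetes.io/auth-secret: auth
    # The prefix must be exactly nginx.ingress.kubernetes.io; a misspelled
    # domain ("kubecnetes") is silently ignored by the controller.
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
spec:
  ingressClassName: nginx
  rules:
    - host: demo.kubernetes-devops.cn
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nginx
                port:
                  number: 80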
# 部署
[root@k8s-master ingress]# kubectl apply -f demo.yaml
deployment.apps/nginx unchanged
service/nginx unchanged
ingress.networking.k8s.io/nginx configured
# 測試如下
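賬號:htpasswd時配置的賬號
密碼:自己htpasswd的時候配置的密碼
注意:Basic認證只對賬號密碼做Base64編碼,並未加密;下面經由HTTP(32581端口)的請求會以明文傳送憑據,正式環境應搭配第4節的TLS使用。寫在URL或命令行參數中的密碼也會留在shell歷史與進程列表中。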
# 第一種
[root@k8s-master ingress]# curl -X GET http://admin:123@demo.kubernetes-devops.cn:32581 -I
HTTP/1.1 200 OK
Date: Tue, 19 Apr 2022 15:53:37 GMT
Content-Type: text/html
Content-Length: 615
Connection: keep-alive
last-modified: Tue, 28 Dec 2021 18:48:00 GMT
etag: "61cb5be0-267"
accept-ranges: bytes
x-envoy-upstream-service-time: 0
x-envoy-decorator-operation: nginx.default.svc.cluster.local:80/*
# 第二種(用 -u 傳入賬號密碼,此時URL中的 admin:123@ 可以省略)
[root@k8s-master ingress]# curl -u admin:123 -X GET http://admin:123@demo.kubernetes-devops.cn:32581 -I
HTTP/1.1 200 OK
Date: Tue, 19 Apr 2022 15:54:45 GMT
Content-Type: text/html
Content-Length: 615
Connection: keep-alive
last-modified: Tue, 28 Dec 2021 18:48:00 GMT
etag: "61cb5be0-267"
accept-ranges: bytes
x-envoy-upstream-service-time: 1
x-envoy-decorator-operation: nginx.default.svc.cluster.local:80/*
4:配置SSL訪問
首先我們需要有證書的pem和key
[root@k8s-master ssl]# ls
server.key server.pem
創建TLS secret(需與Ingress位於同一namespace),例如:kubectl create secret tls nginx-ssl --cert=server.pem --key=server.key
[root@k8s-master ssl]# kubectl get secrets
NAME TYPE DATA AGE
---
nginx-ssl kubernetes.io/tls 2 6s
然後在Nginx的Ingress中引用
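# Ingress for the demo host with Basic authentication and TLS termination.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    # Secret with the htpasswd data; resolved in this Ingress's namespace by default.
    nginx.ingress.kubernetes.io/auth-secret: auth
    # The prefix must be exactly nginx.ingress.kubernetes.io; a misspelled
    # domain ("kubecnetes") is silently ignored by the controller.
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - demo.kubernetes-devops.cn
      # kubernetes.io/tls Secret holding the certificate and private key.
      secretName: nginx-ssl
  rules:
    - host: demo.kubernetes-devops.cn
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nginx
                port:
                  number: 80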
部署測試
[root@k8s-master ingress]# kubectl apply -f demo.yaml
deployment.apps/nginx unchanged
service/nginx unchanged
ingress.networking.k8s.io/nginx configured
[root@k8s-master ingress]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller NodePort 172.1.106.113 <none> 80:32581/TCP,443:32308/TCP 5d
ingress-nginx-controller-admission ClusterIP 172.1.3.220 <none> 443/TCP 5d
因為這里開啟了SSL 所以我們要訪問Ingress映射的443端口了
[root@k8s-master ingress]# curl -X GET https://admin:123@demo.kubernetes-devops.cn:32308 -I
HTTP/1.1 200 OK
Date: Tue, 19 Apr 2022 16:10:18 GMT
Content-Type: text/html
Content-Length: 615
Connection: keep-alive
last-modified: Tue, 28 Dec 2021 18:48:00 GMT
etag: "61cb5be0-267"
accept-ranges: bytes
x-envoy-upstream-service-time: 0
x-envoy-decorator-operation: nginx.default.svc.cluster.local:80/*
Strict-Transport-Security: max-age=15724800; includeSubDomains
[root@k8s-master ingress]# curl -u admin:123 -X GET https://demo.kubernetes-devops.cn:32308 -I
HTTP/1.1 200 OK
Date: Tue, 19 Apr 2022 16:10:43 GMT
Content-Type: text/html
Content-Length: 615
Connection: keep-alive
last-modified: Tue, 28 Dec 2021 18:48:00 GMT
etag: "61cb5be0-267"
accept-ranges: bytes
x-envoy-upstream-service-time: 1
x-envoy-decorator-operation: nginx.default.svc.cluster.local:80/*
Strict-Transport-Security: max-age=15724800; includeSubDomains