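Kubernetes ingress-nginx-controller: managing and handling Ingress resources in a cluster
ingress-nginx-controller is a widely used Kubernetes Ingress controller. It is built on NGINX and is mainly used to manage and process the Ingress resources in a cluster.
An Ingress resource is a Kubernetes network entry-point resource that routes external traffic to services inside the cluster.
What ingress-nginx-controller does
Traffic management and routing
# 1. Managing external traffic:
- ingress-nginx-controller receives and manages the HTTP and HTTPS requests that reach the Kubernetes cluster from outside and routes them to the matching service according to the Ingress rules.
# 2. Host- and path-based routing:
- By defining Ingress resources, requests can be routed to different services based on the requested domain name (host) and URL path (path).
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /foo
        pathType: Prefix
        backend:
          service:
            name: foo-service
            port:
              number: 80
      - path: /bar
        pathType: Prefix
        backend:
          service:
            name: bar-service
            port:
              number: 80
# In the example above, ingress-nginx-controller routes requests for example.com/foo to foo-service and requests for example.com/bar to bar-service.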
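1.2 Load balancing
# 1. Provides load balancing:
- ingress-nginx-controller distributes requests across multiple backend Pods in the cluster, providing load balancing and improving service availability and scalability.
Security and authentication
# HTTPS/TLS termination:
- ingress-nginx-controller can manage SSL/TLS certificates and terminate HTTPS, so that requests are encrypted in transit and decrypted before they reach the backend service.
spec:
  tls:
  - hosts:
    - example.com
    secretName: example-tls-secret
# This configuration states that the domain example.com uses the certificate stored in example-tls-secret to handle HTTPS requests.
# Authentication and authorization:
- Supports various authentication mechanisms, such as Basic Auth and OAuth, to authenticate incoming traffic and control access.
Application-layer gateway
# Application-layer proxy:
- As an application-layer proxy, ingress-nginx-controller can handle complex application-layer logic such as path rewriting and request header modification.
# This example annotation rewrites all requests to /, implementing path rewriting.
- nginx.ingress.kubernetes.io/rewrite-target: /
# Request header manipulation:
- Request headers can be modified, added, removed or replaced, which makes it easier to implement certain business logic and security policies.
Logging and monitoring
Logging:
ingress-nginx-controller provides detailed access logs and error logs, which make it easier to monitor and analyze traffic and help locate and resolve problems quickly.
Monitoring metrics:
Provides Prometheus-compatible metrics that can be integrated into a monitoring system to track traffic and service performance in real time.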
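Architecture and how it works
2.1 Architecture
Controller part:
Watches the Kubernetes API server for changes to Ingress resources and dynamically generates the NGINX configuration from the Ingress definitions.
NGINX part:
Runs inside the cluster and does the actual request handling. It manages traffic using the NGINX configuration file that ingress-nginx-controller generates dynamically.
2.2 Workflow
Define Ingress resources:
The user defines Ingress resources in the Kubernetes cluster, specifying the rules and the target services.
The controller watches the resources:
ingress-nginx-controller watches for changes to Ingress resources and generates or updates the NGINX configuration file according to the rules.
NGINX handles requests:
NGINX uses the generated configuration file to handle external requests and route them to the corresponding services.
Dynamic updates:
When an Ingress resource changes, ingress-nginx-controller automatically updates the NGINX configuration, so traffic keeps being forwarded without interruption.
Below is a simple ingress-nginx usage example that defines a basic HTTP routing rule: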
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-service
            port:
              number: 80
# In this example, ingress-nginx-controller will:
Watch the Ingress resource example-ingress.
Forward requests whose host is example.com to the service named example-service.
Development environment: ingress-deploy.yaml
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount # ServiceAccount the ingress controller uses to authenticate to the kube-apiserver
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.1
  name: ingress-nginx
  namespace: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.1
  name: ingress-nginx-admission
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role # role policy: defines which resources (pods, configmaps, etc.) the ingress controller is authorized to access
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.1
  name: ingress-nginx
  namespace: ingress-nginx
rules:
- apiGroups:
  - ""
  resources: # resources
  - namespaces
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - configmaps
  - pods
  - secrets
  - endpoints
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingressclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - coordination.k8s.io
  resourceNames:
  - ingress-nginx-leader
  resources:
  - leases
  verbs:
  - get
  - update
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - list
  - watch
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.1
  name: ingress-nginx-admission
  namespace: ingress-nginx
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.1
  name: ingress-nginx
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - nodes
  - pods
  - secrets
  - namespaces
  verbs:
  - list
  - watch
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups: # specifies the API groups whose resources may be accessed
  - "" # the empty string "" denotes the core API group (pods, services, events, ...)
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingressclasses
  verbs:
  - get
  - list
  - watch
- apiGroups: # specifies the API groups whose resources may be accessed
  - discovery.k8s.io # only allow access to resources of one specific API group: discovery.k8s.io
  resources:
  - endpointslices # the role may access endpointslices resources
  verbs: # the actions the role may perform on the resources above
  - list # allows the role to list all endpointslices resources
  - watch # allows the role to watch endpointslices for changes; it is notified when a resource changes
  - get # allows the role to read the details of a single endpointslices resource
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.1
  name: ingress-nginx-admission
rules:
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - get
  - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding # binds the permissions of the Role defined above
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.1
  name: ingress-nginx
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx
subjects:
- kind: ServiceAccount
  name: ingress-nginx
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.1
  name: ingress-nginx-admission
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
  name: ingress-nginx-admission
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.1
  name: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx
subjects:
- kind: ServiceAccount
  name: ingress-nginx
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.1
  name: ingress-nginx-admission
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
  name: ingress-nginx-admission
  namespace: ingress-nginx
---
apiVersion: v1
data:
  allow-snippet-annotations: "true"
  compute-full-forwarded-for: "true"
  forwarded-for-header: X-Forwarded-For
  use-forwarded-headers: "true"
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.1
  name: ingress-nginx-controller
  namespace: ingress-nginx
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.1
  annotations:
    service.cloud.tencent.com/local-svc-weighted-balance: "true"
    service.kubernetes.io/local-svc-only-bind-node-with-pod: "true"
    service.kubernetes.io/tke-existed-lbid: xxxxxx # change this to the ID of your CLB
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  externalTrafficPolicy: Local
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - appProtocol: http
    name: http
    port: 80
    protocol: TCP
    targetPort: http
  - appProtocol: https
    name: https
    port: 443
    protocol: TCP
    targetPort: https
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  type: LoadBalancer
  loadBalancerIP: 10.142.47.22
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.1
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
spec:
  ports:
  - appProtocol: https
    name: https-webhook
    port: 443
    targetPort: webhook
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.1
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  minReadySeconds: 0
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/component: controller
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/name: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/component: controller
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.8.1
    spec:
      imagePullSecrets:
      - name: docker-secret
      containers:
      - args:
        - /nginx-ingress-controller
        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
        - --election-id=ingress-nginx-leader
        - --controller-class=k8s.io/ingress-nginx
        - --ingress-class=nginx
        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
        - --validating-webhook=:8443
        - --validating-webhook-certificate=/usr/local/certificates/cert
        - --validating-webhook-key=/usr/local/certificates/key
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: LD_PRELOAD
          value: /usr/local/lib/libmimalloc.so
        image: ccr.gpdc.cloud.cn/library-images/nginx-ingress-controller:v1.8.1
        imagePullPolicy: IfNotPresent
        lifecycle:
          preStop:
            exec:
              command:
              - /wait-shutdown
        livenessProbe:
          failureThreshold: 5
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: controller
        ports:
        - containerPort: 80
          name: http
          protocol: TCP
        - containerPort: 443
          name: https
          protocol: TCP
        - containerPort: 8443
          name: webhook
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        resources:
          requests:
            cpu: 100m
            memory: 90Mi
        securityContext:
          allowPrivilegeEscalation: true
          capabilities:
            add:
            - NET_BIND_SERVICE
            drop:
            - ALL
          runAsUser: 101
        volumeMounts:
        - mountPath: /usr/local/certificates/
          name: webhook-cert
          readOnly: true
      dnsPolicy: ClusterFirst
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: ingress-nginx
      terminationGracePeriodSeconds: 300
      volumes:
      - name: webhook-cert
        secret:
          secretName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.1
  name: ingress-nginx-admission-create # ingress-nginx-admission is a plugin of the Kubernetes ingress-nginx controller; it validates that the configuration of Ingress objects created for this controller is correct and ensures they can be deployed and run successfully.
  namespace: ingress-nginx
spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/component: admission-webhook
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.8.1
      name: ingress-nginx-admission-create
    spec:
      imagePullSecrets:
      - name: docker-secret
      containers:
      - args:
        - create
        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
        - --namespace=$(POD_NAMESPACE)
        - --secret-name=ingress-nginx-admission
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: ccr.gpdc.cloud.cn/library-images/kube-webhook-certgen:v20230407
        imagePullPolicy: IfNotPresent
        name: create
        securityContext:
          allowPrivilegeEscalation: false
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      securityContext:
        fsGroup: 2000
        runAsNonRoot: true
        runAsUser: 2000
      serviceAccountName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.1
  name: ingress-nginx-admission-patch # ingress-nginx-admission is a plugin of the Kubernetes ingress-nginx controller; it validates that the configuration of Ingress objects created for this controller is correct and ensures they can be deployed and run successfully.
  namespace: ingress-nginx
spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/component: admission-webhook
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.8.1
      name: ingress-nginx-admission-patch
    spec:
      imagePullSecrets:
      - name: docker-secret
      containers:
      - args:
        - patch
        - --webhook-name=ingress-nginx-admission
        - --namespace=$(POD_NAMESPACE)
        - --patch-mutating=false
        - --secret-name=ingress-nginx-admission
        - --patch-failure-policy=Fail
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: ccr.gpdc.cloud.cn/library-images/kube-webhook-certgen:v20230407
        imagePullPolicy: IfNotPresent
        name: patch
        securityContext:
          allowPrivilegeEscalation: false
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      securityContext:
        fsGroup: 2000
        runAsNonRoot: true
        runAsUser: 2000
      serviceAccountName: ingress-nginx-admission
---
apiVersion: networking.k8s.io/v1
kind: IngressClass # Ingress objects are identified through this class
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.1
  name: nginx
spec:
  controller: k8s.io/ingress-nginx
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration # configures the Validating Webhook of the admission controller so that Kubernetes API objects are validated
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.1
  name: ingress-nginx-admission
webhooks:
- admissionReviewVersions:
  - v1
  clientConfig:
    service:
      name: ingress-nginx-controller-admission
      namespace: ingress-nginx
      path: /networking/v1/ingresses
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: validate.nginx.ingress.kubernetes.io
  rules:
  - apiGroups:
    - networking.k8s.io
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    resources:
    - ingresses
  sideEffects: None
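A review aid for the manifest above, added here as an example and not part of the original deployment file: it checks parsed objects for three settings in this deployment that deserve a second look (snippet annotations, forwarded-header trust, and cluster-wide Secret reads). The sample objects are constructed from the manifest's values, and the function names are illustrative; real files can be loaded with any YAML parser.

```python
# Added example: review checks over parsed manifests (dicts as produced by a YAML loader).
# SAMPLE_MANIFESTS is constructed from values in ingress-deploy.yaml above, trimmed.
SAMPLE_MANIFESTS = [
    {"kind": "ConfigMap", "metadata": {"name": "ingress-nginx-controller"},
     "data": {"allow-snippet-annotations": "true",
              "compute-full-forwarded-for": "true",
              "forwarded-for-header": "X-Forwarded-For",
              "use-forwarded-headers": "true"}},
    {"kind": "ClusterRole", "metadata": {"name": "ingress-nginx"},
     "rules": [{"apiGroups": [""],
                "resources": ["configmaps", "endpoints", "nodes", "pods",
                              "secrets", "namespaces"],
                "verbs": ["list", "watch"]}]},
    {"kind": "Role", "metadata": {"name": "ingress-nginx-admission"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"],
                "verbs": ["get", "create"]}]},
]

READ_VERBS = {"get", "list", "watch", "*"}


def audit_configmap(obj):
    """Flag controller ConfigMap keys that widen what Ingress authors or clients control."""
    data = obj.get("data") or {}
    findings = []
    if data.get("allow-snippet-annotations") == "true":
        findings.append("snippet annotations enabled: Ingress authors can add raw NGINX config")
    if data.get("use-forwarded-headers") == "true" and "proxy-real-ip-cidr" not in data:
        findings.append("X-Forwarded-* accepted without proxy-real-ip-cidr limiting trusted proxies")
    return findings


def audit_rbac(obj):
    """Flag ClusterRole rules that allow reading Secrets in every namespace."""
    findings = []
    if obj.get("kind") != "ClusterRole":
        return findings  # a namespaced Role only reaches its own namespace
    for rule in obj.get("rules") or []:
        core = {"", "*"} & set(rule.get("apiGroups") or [])
        secrets = {"secrets", "*"} & set(rule.get("resources") or [])
        if core and secrets and READ_VERBS & set(rule.get("verbs") or []):
            findings.append("cluster-wide read access to Secrets")
    return findings


def audit(manifests):
    """Return {"Kind/name": [findings]} for every object with at least one finding."""
    checks = {"ConfigMap": audit_configmap, "Role": audit_rbac, "ClusterRole": audit_rbac}
    report = {}
    for obj in manifests:
        check = checks.get(obj.get("kind"))
        found = check(obj) if check else []
        if found:
            report[f"{obj['kind']}/{obj['metadata']['name']}"] = found
    return report


if __name__ == "__main__":
    for name, found in audit(SAMPLE_MANIFESTS).items():
        for item in found:
            print(f"{name}: {item}")
```

The first and third findings should be read together: with `allow-snippet-annotations: "true"`, anyone allowed to create an Ingress can influence the NGINX configuration of a pod whose ServiceAccount can read Secrets in every namespace.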
Next, create an ingress-rule.yaml to configure the routing rules of ingress-nginx-controller
apiVersion: networking.k8s.io/v1 # this is an Ingress resource that uses version v1 of the Kubernetes networking API
kind: Ingress # kind defines the resource type; here it is Ingress, which manages external HTTP and HTTPS traffic and routes it to services inside the cluster
metadata:
  annotations: # annotations provide extra configuration for the NGINX Ingress controller
    kubernetes.io/ingress.class: nginx # the Ingress controller class to use, here the nginx Ingress controller; this annotation tells Kubernetes that the NGINX Ingress controller should handle this Ingress resource
    nginx.ingress.kubernetes.io/cors-allow-methods: '*' # HTTP methods allowed for cross-origin resource sharing (CORS); '*' allows all HTTP methods
    nginx.ingress.kubernetes.io/cors-allow-origin: '*' # origins allowed for cross-origin requests; '*' allows every origin to access the resource. This is a very open setting: any domain can access the service
    nginx.ingress.kubernetes.io/enable-cors: "true" # enables CORS (cross-origin resource sharing); "true" turns the feature on
    nginx.ingress.kubernetes.io/proxy-body-size: 1024m # maximum allowed request body size; 1024m allows bodies up to 1024 MB, which is useful for applications that upload large files
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "30" # timeout for establishing a connection to the upstream server; times out if no connection is established within 30 seconds
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600" # timeout for reading data from the upstream server; times out if no data is received within 600 seconds (measured between two successive reads, not over the whole response)
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600" # timeout for sending data to the upstream server; times out if sending is not completed within 600 seconds
    nginx.ingress.kubernetes.io/send-timeout: "600" # timeout for sending data to the client; times out if sending is not completed within 600 seconds
    nginx.ingress.kubernetes.io/upstream-hash-by: $http_x_forwarded_for # hash-based load-balancing policy for upstream servers; $http_x_forwarded_for hashes on the request's X-Forwarded-For header to implement session affinity based on client IP
  name: ingress-rule # name of the Ingress resource; it is unique within its namespace and identifies this Ingress resource
  namespace: ops-system # namespace the Ingress resource belongs to
spec:
  rules: # the concrete routing rules, which decide which requests are forwarded to which backend service
  - http: # http means the rule applies to HTTP requests; it defines HTTP paths and their backend services
      paths: # paths is a list; each element defines one path and its backend service
      - backend: # the backend service that handles the request, comparable to an NGINX location xxx {} block; it points to the service named ops-webui-svc on port 80
          service: # the Kubernetes Service that requests are forwarded to; ops-webui-svc is specified, so all matching requests are forwarded to this service
            name: ops-webui-svc # name of the service; in Kubernetes, services are identified by name. kubectl get svc -n ops-system
            port:
              number: 80 # port to access
        path: / # the URL path of the route; it decides which requests are forwarded to the specified backend service
        pathType: Prefix # the path matching type; Prefix means path-prefix matching, so every request path that starts with the given prefix matches. /images matches /images itself and all paths beginning with /images/
      - backend:
          service:
            name: ops-webui-svc
            port:
              number: 80
        path: /images
        pathType: Prefix
      - backend:
          service:
            name: ops-webui-svc
            port:
              number: 80
        path: /static
        pathType: Prefix
      - backend:
          service:
            name: ops-webui-svc
            port:
              number: 80
        path: /models
        pathType: Prefix
      - backend:
          service:
            name: ops-webui-svc
            port:
              number: 80
        path: /fonts
        pathType: Prefix
      - backend:
          service:
            name: ops-webui-svc
            port:
              number: 80
        path: /iconfont
        pathType: Prefix
      - backend:
          service:
            name: ops-static-svc
            port:
              number: 80
        path: /diffhtml/css_js
        pathType: Prefix
      - backend:
          service:
            name: ops-static-svc
            port:
              number: 80
        path: /data/key_cfg_compare/export
        pathType: Prefix
      - backend:
          service:
            name: iam-svc
            port:
              number: 8888
        path: /api
        pathType: Prefix
      - backend:
          service:
            name: kong-svc
            port:
              number: 8000
        path: /asset
        pathType: Prefix
      - backend:
          service:
            name: kong-svc
            port:
              number: 8000
        path: /ops-manage/ws
        pathType: Prefix
      - backend:
          service:
            name: kong-svc
            port:
              number: 8000
        path: /ops-manage
        pathType: Prefix
      - backend:
          service:
            name: kong-svc
            port:
              number: 8000
        path: /ops-elink
        pathType: Prefix
      - backend:
          service:
            name: kong-svc
            port:
              number: 8000
        path: /ops-metrics
        pathType: Prefix
      - backend:
          service:
            name: lap-svc
            port:
              number: 8889
        path: /lap
        pathType: Prefix
  tls: # adds a TLS certificate for HTTPS
  - hosts:
    - 192.168.19.13
    secretName: ops-tls-secret # the Secret that stores the certificate - kubectl get secret -n ops-system
status:
  loadBalancer: # load balancer
    ingress:
    - ip: 10.142.46.247
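To check which backend a given URL is exposed on under the rule above, the following added example (not part of the original ingress-rule.yaml) resolves a request path the way the Kubernetes Ingress specification defines `pathType: Prefix`: element by element, longest match wins. `RULES` is copied from the paths on this page; the function names are illustrative.

```python
# Added example: resolve a request path against the Prefix rules of ingress-rule.yaml.
# (path, service, port) triples copied from the Ingress rule on this page.
RULES = [
    ("/", "ops-webui-svc", 80),
    ("/images", "ops-webui-svc", 80),
    ("/static", "ops-webui-svc", 80),
    ("/models", "ops-webui-svc", 80),
    ("/fonts", "ops-webui-svc", 80),
    ("/iconfont", "ops-webui-svc", 80),
    ("/diffhtml/css_js", "ops-static-svc", 80),
    ("/data/key_cfg_compare/export", "ops-static-svc", 80),
    ("/api", "iam-svc", 8888),
    ("/asset", "kong-svc", 8000),
    ("/ops-manage/ws", "kong-svc", 8000),
    ("/ops-manage", "kong-svc", 8000),
    ("/ops-elink", "kong-svc", 8000),
    ("/ops-metrics", "kong-svc", 8000),
    ("/lap", "lap-svc", 8889),
]


def elements(path):
    """Split a URL path into its non-empty elements: '/a/b/' -> ['a', 'b']."""
    return [part for part in path.split("/") if part]


def prefix_matches(rule_path, request_path):
    """Element-wise prefix test: /images matches /images/a.png but not /imagesfoo."""
    want, got = elements(rule_path), elements(request_path)
    return got[:len(want)] == want


def route(request_path, rules=RULES):
    """Return (service, port) of the longest matching Prefix rule, or None."""
    best = None
    for path, service, port in rules:
        if not prefix_matches(path, request_path):
            continue
        # Among several matching rules the one with the most path elements wins.
        if best is None or len(elements(path)) > len(elements(best[0])):
            best = (path, service, port)
    return (best[1], best[2]) if best else None


if __name__ == "__main__":
    for sample in ("/ops-manage/ws/session", "/api/v1/users", "/imagesfoo", "/apiary"):
        print(sample, "->", route(sample))
```

Because the rule set contains the catch-all `/`, every path that no longer rule matches, such as `/imagesfoo` or `/apiary`, is served by ops-webui-svc rather than rejected.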